dbviewer 0.7.3 → 0.7.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50301b7fa1867ac7e266e3b48eb962e7e456de1e43a664750e8885a9b603f6ca
-  data.tar.gz: 0377f20859609a2807bdecc8bc5f9118dae6581b7d4819504900e7e6a371dba3
+  metadata.gz: 243466a78ac9698ebe99e2f1cc225355bcb278eced6d87da6ca6d4cc87a636ba
+  data.tar.gz: eb7006f0fb710d799f9167f1f8a8081f6850c46e9bc9ed8d40245ca16024ffdc
 SHA512:
-  metadata.gz: b17042fe0172fba83874c2498a99e9b9681092c5aedefb495cd2d55a41913d2d84dbbbdac3daa03a59928d465d7538183aa3dc5f12e41fda54add729b8963291
-  data.tar.gz: e3163cce763297208aeccae790ee6fb9890a2f084a974e2ac3e41acc0dac51ea6d005409cc57c71e3e605d1d406e7ea95b1ae9b83647800ae6d26d1444b8083e
+  metadata.gz: f41b5f67b69a22e98a008c3e686c91a369428dc2d57beab21c429cf6ff9dca371cfa546c91a063db62e109819b4c3ff3ba1a6a3e0a333cf55f6e8e7d6f318ead
+  data.tar.gz: fd3467c65880b1f5b187537b7a10bdac6b971846704da02212f1dd04bf8f73c0f1d2ce355310f804c8fcb56d3f04da64ef9bca562027bf60958fc400bc1ee6b9

data/README.md

@@ -340,11 +340,15 @@ graph TB
 
     subgraph "Database Namespace"
         Manager[Manager<br/>Database Operations]
-        CacheManager[CacheManager<br/>Caching Layer]
         MetadataManager[MetadataManager<br/>Schema Information]
         DynamicModelFactory[DynamicModelFactory<br/>ActiveRecord Models]
     end
 
+    subgraph "Cache Namespace"
+        CacheBase[Base<br/>Cache Interface]
+        InMemoryCache[InMemory<br/>In-Memory Cache Storage]
+    end
+
     subgraph "Query Namespace"
         QueryExecutor[Executor<br/>SQL Execution]
         QueryLogger[Logger<br/>Query Logging]
@@ -371,7 +375,7 @@ graph TB
 
     %% Configuration Dependencies (Decoupled)
     Config -.->|"Dependency Injection"| Manager
-    Manager -->|"cache_expiry"| CacheManager
+    Manager -->|"cache_expiry"| InMemoryCache
     Manager -->|"config object"| QueryExecutor
 
     %% Engine Initialization
@@ -394,14 +398,14 @@ graph TB
     DatabaseOperations --> QueryOperations
 
     %% Manager Dependencies
-    Manager --> CacheManager
+    Manager --> InMemoryCache
     Manager --> MetadataManager
     Manager --> DynamicModelFactory
     Manager --> QueryOperations
 
     %% Cache Dependencies
-    CacheManager --> DynamicModelFactory
-    CacheManager --> MetadataManager
+    InMemoryCache --> DynamicModelFactory
+    InMemoryCache --> MetadataManager
 
     %% QueryOperations Dependencies (Refactored)
     QueryOperations --> DynamicModelFactory
@@ -422,10 +426,11 @@ graph TB
     ValidatorSql --> QueryExecutor
 
     %% Styling
-    class CacheManager,QueryLogger decoupled
+    class InMemoryCache,QueryLogger decoupled
     class HomeController,TablesController,LogsController,ERDController,APIController,ConnectionsController controller
     class DatabaseOperations concern
     class Manager,MetadataManager,DynamicModelFactory database
+    class CacheBase,InMemoryCache cache
     class QueryExecutor,QueryAnalyzer,QueryParser,NotificationSubscriber query
     class StorageBase,InMemoryStorage,FileStorage storage
     class ColumnFiltering filtering

data/app/views/dbviewer/tables/query.html.erb

@@ -17,13 +17,6 @@
   </div>
 </div>
 
-<% if flash[:warning].present? %>
-  <div class="alert alert-warning alert-dismissible fade show" role="alert">
-    <%= flash[:warning] %>
-    <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
-  </div>
-<% end %>
-
 <div class="card mb-4">
   <div class="card-header">
     <h5>SQL Query (Read-Only)</h5>

data/lib/dbviewer/cache/base.rb

@@ -0,0 +1,32 @@
+module Dbviewer
+  module Cache
+    # Base handles caching concerns for the DatabaseManager
+    # It provides an abstraction layer for managing caches efficiently
+    class Base
+      # Initialize the cache manager
+      # @param cache_expiry [Integer] Cache expiration time in seconds (default: 300)
+      def initialize(cache_expiry = 300)
+        @cache_expiry = cache_expiry
+        @unified_cache = {}
+        @cache_last_reset = Time.now
+      end
+
+      # Fetch data from cache or execute block if not found/expired
+      # @param key [String] Cache key
+      # @param options [Hash] Options for the cache entry
+      # @option options [Integer] :expires_in Custom expiry time in seconds
+      # @yield Block to execute if cache miss or expired
+      # @return [Object] Cached value or result of block execution
+      def fetch(key, options = {}, &block)
+        raise NotImplementedError, "#{self.class}#fetch must be implemented by a subclass"
+      end
+
+      # Delete a specific cache entry by key
+      # @param key [String] Cache key to delete
+      # @return [Object, nil] The deleted value or nil if not found
+      def delete(key)
+        raise NotImplementedError, "#{self.class}#delete must be implemented by a subclass"
+      end
+    end
+  end
+end

data/lib/dbviewer/cache/in_memory.rb

@@ -0,0 +1,44 @@
+module Dbviewer
+  module Cache
+    # InMemory cache storage for Dbviewer
+    # It provides an abstraction layer for managing caches efficiently
+    class InMemory < Dbviewer::Cache::Base
+      # Fetch data from cache or execute block if not found/expired
+      # @param key [String] Cache key
+      # @param options [Hash] Options for the cache entry
+      # @option options [Integer] :expires_in Custom expiry time in seconds
+      # @yield Block to execute if cache miss or expired
+      # @return [Object] Cached value or result of block execution
+      def fetch(key, options = {}, &block)
+        cache_entry = @unified_cache[key]
+        custom_expiry = options[:expires_in] || @cache_expiry
+        return cache_entry[:value] if cache_entry && !cache_expired?(cache_entry, custom_expiry)
+
+        result = block.call
+        @unified_cache[key] = {
+          value: result,
+          created_at: Time.now
+        }
+        result
+      end
+
+      # Delete a specific cache entry by key
+      # @param key [String] Cache key to delete
+      # @return [Object, nil] The deleted value or nil if not found
+      def delete(key)
+        deleted_entry = @unified_cache.delete(key)
+        deleted_entry&.fetch(:value)
+      end
+
+      private
+
+      # Check if a cache entry is expired
+      # @param cache_entry [Hash] Cache entry with :created_at timestamp
+      # @param expiry_time [Integer] Expiry time in seconds
+      # @return [Boolean] True if expired, false otherwise
+      def cache_expired?(cache_entry, expiry_time)
+        Time.now - cache_entry[:created_at] > expiry_time
+      end
+    end
+  end
+end

data/lib/dbviewer/database/dynamic_model_factory.rb

@@ -14,12 +14,10 @@ module Dbviewer
       # @param table_name [String] Name of the table
       # @return [Class] ActiveRecord model class for the table
       def get_model_for(table_name)
-        cached_model = @cache_manager.get_model(table_name)
-        return cached_model if cached_model
-
-        model = create_model_for(table_name)
-        @cache_manager.store_model(table_name, model)
-        model
+        # Cache models for shorter time since they might need refreshing more frequently
+        @cache_manager.fetch("model-#{table_name}", expires_in: 300) do
+          create_model_for(table_name)
+        end
       end
 
       private

data/lib/dbviewer/database/manager.rb

@@ -10,7 +10,7 @@ module Dbviewer
       def initialize(connection_key = nil)
         @connection_key = connection_key || Dbviewer.configuration.current_connection
         ensure_connection
-        @cache_manager = ::Dbviewer::Database::CacheManager.new(configuration.cache_expiry)
+        @cache_manager = ::Dbviewer::Cache::InMemory.new(configuration.cache_expiry)
         @table_metadata_manager = ::Dbviewer::Database::MetadataManager.new(@connection, @cache_manager)
         @dynamic_model_factory = ::Dbviewer::Database::DynamicModelFactory.new(@connection, @cache_manager)
         @query_executor = ::Dbviewer::Query::Executor.new(@connection, configuration)
@@ -19,7 +19,6 @@ module Dbviewer
           @dynamic_model_factory,
           @table_metadata_manager
         )
-        reset_cache_if_needed
       end
 
       # Get configuration from class method or Dbviewer
@@ -132,11 +131,6 @@ module Dbviewer
         @table_metadata_manager.fetch_foreign_keys(table_name)
       end
 
-      # Clear all caches - useful when schema changes are detected
-      def clear_all_caches
-        @cache_manager.clear_all
-      end
-
       # Calculate the total size of the database schema
       # @return [Integer, nil] Database size in bytes or nil if unsupported
       def fetch_schema_size
@@ -202,11 +196,6 @@ module Dbviewer
         @adapter_name = @connection.adapter_name.downcase
         @connection
       end
-
-      # Reset caches if they've been around too long
-      def reset_cache_if_needed
-        @cache_manager.reset_if_needed
-      end
     end
   end
 end

data/lib/dbviewer/database/metadata_manager.rb

@@ -20,40 +20,33 @@ module Dbviewer
       # @param table_name [String] Name of the table
       # @return [Array<Hash>] List of column details
       def table_columns(table_name)
-        cached_columns = @cache_manager.get_columns(table_name)
-        return cached_columns if cached_columns
-
-        columns = @connection.columns(table_name).map do |column|
-          {
-            name: column.name,
-            type: column.type,
-            null: column.null,
-            default: column.default,
-            primary: column.name == primary_key(table_name)
-          }
+        # Cache columns for longer since schema changes are infrequent
+        @cache_manager.fetch("columns-#{table_name}", expires_in: 600) do
+          @connection.columns(table_name).map do |column|
+            {
+              name: column.name,
+              type: column.type,
+              null: column.null,
+              default: column.default,
+              primary: column.name == primary_key(table_name)
+            }
+          end
         end
-
-        # Cache the result
-        @cache_manager.store_columns(table_name, columns)
-        columns
       end
 
       # Get detailed metadata about a table
       # @param table_name [String] Name of the table
       # @return [Hash] Table metadata
       def table_metadata(table_name)
-        cached_metadata = @cache_manager.get_metadata(table_name)
-        return cached_metadata if cached_metadata
-
-        metadata = {
-          primary_key: primary_key(table_name),
-          indexes: fetch_indexes(table_name),
-          foreign_keys: fetch_foreign_keys(table_name),
-          reverse_foreign_keys: fetch_reverse_foreign_keys(table_name)
-        }
-
-        @cache_manager.store_metadata(table_name, metadata)
-        metadata
+        # Cache metadata for longer since schema relationships change infrequently
+        @cache_manager.fetch("metadata-#{table_name}", expires_in: 600) do
+          {
+            primary_key: primary_key(table_name),
+            indexes: fetch_indexes(table_name),
+            foreign_keys: fetch_foreign_keys(table_name),
+            reverse_foreign_keys: fetch_reverse_foreign_keys(table_name)
+          }
+        end
       end
 
       # Get the primary key of a table

data/lib/dbviewer/query/logger.rb

@@ -32,7 +32,7 @@ module Dbviewer
       def add(event)
         # Return early if query logging is disabled
         return unless @enable_query_logging
-        return if ::Dbviewer::Query::Parser.should_skip_query?(event)
+        return if ::Dbviewer::Query::Parser.should_skip_query?(event) || ::Dbviewer::Query::Parser.should_skip_internal_query?(event)
 
         current_time = Time.now
         @storage.add({

data/lib/dbviewer/query/notification_subscriber.rb

@@ -21,9 +21,6 @@ module Dbviewer
         # @param args [Array] Notification arguments from ActiveSupport::Notifications
         def process_notification(*args)
           event = ActiveSupport::Notifications::Event.new(*args)
-
-          return if skip_internal_query?(event)
-
           Dbviewer::Query::Logger.instance.add(event)
         end
 
@@ -35,7 +32,7 @@ module Dbviewer
           return false unless caller_locations
 
           excluded_caller_locations = caller_locations.filter do |caller_location|
-            !caller_location.path.include?("lib/dbviewer/engine.rb")
+            !caller_location.path.include?("lib/dbviewer/query/notification_subscriber.rb")
           end
 
           excluded_caller_locations.any? { |location| location.path.include?("dbviewer") }

data/lib/dbviewer/query/parser.rb

@@ -42,6 +42,8 @@ module Dbviewer
 
       # Determine if a query should be skipped based on content
       # Rails and ActiveRecord often run internal queries that are not useful for logging
+      # @param event [ActiveSupport::Notifications::Event] The notification event
+      # @return [Boolean] True if the query should be skipped
       def self.should_skip_query?(event)
         event.payload[:name] == "SCHEMA" ||
         event.payload[:sql].include?("SHOW TABLES") ||
@@ -51,6 +53,17 @@ module Dbviewer
         event.payload[:sql].include?("ar_internal_metadata") ||
         event.payload[:sql].include?("pg_catalog")
       end
+
+      # Determine if an internal query should be skipped
+      # Internal queries are those that are part of the Dbviewer module itself
+      # and do not represent user-generated SQL queries.
+      # This helps avoid logging internal operations that are not relevant to users.
+      # @param event [ActiveSupport::Notifications::Event] The notification event
+      # @return [Boolean] True if the query should be skipped
+      def self.should_skip_internal_query?(event)
+        event.payload[:name].include?("Dbviewer::") ||
+        event.payload[:sql].include?("PRAGMA")
+      end
     end
   end
 end

data/lib/dbviewer/validator/sql/query_normalizer.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Dbviewer
+  module Validator
+    class Sql
+      # Module for query normalization operations
+      # This module handles the cleaning and standardization of SQL queries
+      # to prepare them for validation and threat detection.
+      module QueryNormalizer
+        extend self
+
+        # Normalize SQL by removing comments and extra whitespace
+        # This prepares the query for consistent validation by:
+        # - Removing SQL comments (both -- and /* */ styles)
+        # - Normalizing whitespace to single spaces
+        # - Trimming leading/trailing whitespace
+        #
+        # @param sql [String] The SQL query to normalize
+        # @return [String] The normalized SQL query
+        def normalize(sql)
+          return "" if sql.nil?
+
+          begin
+            normalized = remove_comments(sql)
+            normalized = normalize_whitespace(normalized)
+            normalized.strip
+          rescue => e
+            # Log error if Rails logger is available, otherwise use basic error handling
+            if defined?(Rails) && Rails.respond_to?(:logger)
+              Rails.logger.error("[DBViewer] SQL normalization error: #{e.message}")
+            else
+              # Fallback to stderr if Rails is not available
+              $stderr.puts "[DBViewer] SQL normalization error: #{e.message}"
+            end
+            ""
+          end
+        end
+
+        private
+
+        # Remove SQL comments from the query
+        # Handles both single-line (--) and multi-line (/* */) comment styles
+        #
+        # @param sql [String] The SQL query
+        # @return [String] SQL with comments removed
+        def remove_comments(sql)
+          sql.gsub(/--.*$/, "")                # Remove -- style comments
+             .gsub(/\/\*.*?\*\//m, "")        # Remove /* */ style comments
+        end
+
+        # Normalize whitespace in the SQL query
+        # Converts all whitespace sequences to single spaces for consistent parsing
+        #
+        # @param sql [String] The SQL query
+        # @return [String] SQL with normalized whitespace
+        def normalize_whitespace(sql)
+          sql.gsub(/\s+/, " ")                # Normalize whitespace
+             .gsub(/\s{2,}/, " ")             # Replace multiple spaces with single space
+        end
+      end
+    end
+  end
+end

data/lib/dbviewer/validator/sql/threat_detector.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require_relative "validation_config"
+
+module Dbviewer
+  module Validator
+    class Sql
+      # Module for detecting various types of security threats in SQL queries
+      # This module contains all the logic for identifying SQL injection attempts,
+      # suspicious patterns, and other security vulnerabilities.
+      module ThreatDetector
+        extend self
+
+        # Check for suspicious patterns in SQL that might indicate an attack
+        # This method performs multiple checks on the raw SQL (before normalization)
+        # to catch threats that might be hidden by the normalization process.
+        #
+        # @param sql [String] Raw SQL query (before normalization)
+        # @return [Boolean] true if suspicious patterns found, false otherwise
+        def has_suspicious_patterns?(sql)
+          return true if has_comment_injection?(sql)
+          return true if has_string_concatenation?(sql)
+          return true if has_excessive_quotes?(sql)
+          return true if has_hex_encoding?(sql)
+
+          false
+        end
+
+        # Check for specific SQL injection patterns
+        # This method looks for known SQL injection attack patterns
+        # that are commonly used by attackers.
+        #
+        # @param sql [String] Raw SQL query (before normalization)
+        # @return [Boolean] true if injection patterns found, false otherwise
+        def has_injection_patterns?(sql)
+          ValidationConfig::INJECTION_PATTERNS.any? do |_name, pattern|
+            sql =~ pattern
+          end
+        end
+
+        # Check for forbidden keywords in the normalized SQL
+        # This method scans for keywords that could modify data or schema.
+        #
+        # @param normalized_sql [String] Normalized SQL query
+        # @return [String, nil] The forbidden keyword found, or nil if none
+        def detect_forbidden_keywords(normalized_sql)
+          ValidationConfig::FORBIDDEN_KEYWORDS.find do |keyword|
+            normalized_sql =~ /\b#{keyword}\b/i
+          end
+        end
+
+        # Check if the query starts with an allowed statement type
+        # Only SELECT and WITH (for CTEs) are allowed as query starters.
+        #
+        # @param normalized_sql [String] Normalized SQL query
+        # @return [Boolean] true if query starts with allowed statement
+        def valid_query_start?(normalized_sql)
+          normalized_sql =~ ValidationConfig::VALID_QUERY_START_PATTERN
+        end
+
+        # Check if the query is a SQLite PRAGMA statement
+        # PRAGMA statements are allowed for database introspection.
+        #
+        # @param normalized_sql [String] Normalized SQL query
+        # @return [Boolean] true if query is a PRAGMA statement
+        def pragma_statement?(normalized_sql)
+          normalized_sql =~ ValidationConfig::PRAGMA_PATTERN
+        end
+
+        # Check for multiple SQL statements separated by semicolons
+        # Multiple statements could allow SQL injection attacks.
+        #
+        # @param normalized_sql [String] Normalized SQL query
+        # @return [Boolean] true if multiple statements detected
+        def has_multiple_statements?(normalized_sql)
+          statements = normalized_sql.split(";").reject(&:blank?)
+          statements.size > 1
+        end
+
+        # Detect subqueries in the SQL by checking for unbalanced parentheses
+        # This is a heuristic method for feature detection.
+        #
+        # @param normalized_sql [String] Normalized SQL query
+        # @return [Boolean] true if subqueries are likely present
+        def detect_subqueries(normalized_sql)
+          # Check if there are unbalanced parentheses that likely contain subqueries
+          normalized_sql.count("(") > normalized_sql.count(")")
+        end
+
+        private
+
+        # Check for comment injection attempts
+        # Comments can be used to hide malicious SQL code
+        #
+        # @param sql [String] Raw SQL query
+        # @return [Boolean] true if comment injection detected
+        def has_comment_injection?(sql)
+          ValidationConfig::SUSPICIOUS_PATTERNS[:comment_injection] =~ sql
+        end
+
+        # Check for string concatenation that might be used for injection
+        # String concatenation can be used to build dynamic SQL attacks
+        #
+        # @param sql [String] Raw SQL query
+        # @return [Boolean] true if suspicious string concatenation detected
+        def has_string_concatenation?(sql)
+          ValidationConfig::SUSPICIOUS_PATTERNS[:string_concatenation] =~ sql
+        end
+
+        # Check for excessive quotes which might indicate injection attempts
+        # Large numbers of quotes can indicate SQL injection payload construction
+        #
+        # @param sql [String] Raw SQL query
+        # @return [Boolean] true if excessive quotes detected
+        def has_excessive_quotes?(sql)
+          single_quotes = sql.count("'")
+          double_quotes = sql.count('"')
+          single_quotes > ValidationConfig::QUOTE_LIMIT ||
+            double_quotes > ValidationConfig::QUOTE_LIMIT
+        end
+
+        # Check for hex encoding that might hide malicious code
+        # Long hex strings can be used to encode SQL injection payloads
+        #
+        # @param sql [String] Raw SQL query
+        # @return [Boolean] true if suspicious hex encoding detected
+        def has_hex_encoding?(sql)
+          ValidationConfig::SUSPICIOUS_PATTERNS[:hex_encoding] =~ sql
+        end
+      end
+    end
+  end
+end

data/lib/dbviewer/validator/sql/validation_config.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Dbviewer
+  module Validator
+    class Sql
+      # Configuration constants and patterns for SQL validation
+      # This module centralizes all security-related patterns and rules
+      # used throughout the validation process.
+      module ValidationConfig
+        # List of SQL keywords that could modify data or schema
+        # These keywords are completely forbidden in user queries
+        FORBIDDEN_KEYWORDS = %w[
+          UPDATE INSERT DELETE DROP ALTER CREATE TRUNCATE REPLACE
+          RENAME GRANT REVOKE LOCK UNLOCK COMMIT ROLLBACK
+          SAVEPOINT INTO CALL EXECUTE EXEC
+        ].freeze
+
+        # List of SQL keywords that should only be allowed in specific contexts
+        # These are monitored but not automatically blocked
+        CONDITIONAL_KEYWORDS = {
+          # JOIN is allowed, but we should check for suspicious patterns
+          "JOIN" => /\bJOIN\b/i,
+          # UNION is allowed, but potential for injection
+          "UNION" => /\bUNION\b/i,
+          # WITH is allowed for CTEs, but need to ensure it's not a data modification
+          "WITH" => /\bWITH\b/i
+        }.freeze
+
+        # Maximum allowed query length (can be overridden by configuration)
+        DEFAULT_MAX_QUERY_LENGTH = 10000
+
+        # Patterns for detecting suspicious content that might indicate attacks
+        SUSPICIOUS_PATTERNS = {
+          comment_injection: /\s+--|\/\*/,
+          string_concatenation: /\|\||CONCAT\s*\(/i,
+          hex_encoding: /0x[0-9a-f]{16,}/i
+        }.freeze
+
+        # SQL injection attack patterns - these are definitive threats
+        INJECTION_PATTERNS = {
+          basic_or_injection: /'\s*OR\s*'.*'\s*=\s*'/i,
+          quoted_or_equals: /'\s*OR\s*1\s*=\s*1/i,
+          unquoted_or_equals: /\s+OR\s+1\s*=\s*1/i,
+          comment_termination: /'\s*;\s*--/i,
+          version_detection: /@@version/i,
+          version_function: /version\(\)/i,
+          file_access: /\bLOAD_FILE\s*\(/i,
+          outfile_access: /\bINTO\s+OUTFILE\b/i,
+          dumpfile_access: /\bINTO\s+DUMPFILE\b/i
+        }.freeze
+
+        # Database feature detection patterns for query analysis
+        FEATURE_PATTERNS = {
+          join: /\b(INNER|LEFT|RIGHT|FULL|CROSS)?\s*JOIN\b/i,
+          order_by: /\bORDER\s+BY\b/i,
+          group_by: /\bGROUP\s+BY\b/i,
+          having: /\bHAVING\b/i,
+          union: /\bUNION\b/i,
+          window_function: /\bOVER\s*\(/i
+        }.freeze
+
+        # Thresholds for suspicious activity detection
+        QUOTE_LIMIT = 20 # Maximum number of quotes before flagging as suspicious
+        HEX_MIN_LENGTH = 16 # Minimum hex string length to be considered suspicious
+
+        # PRAGMA statement pattern for SQLite introspection
+        PRAGMA_PATTERN = /\A\s*PRAGMA\s+[a-z0-9_]+(\([^)]*\))?\s*\z/i
+
+        # Valid query start patterns (SELECT or WITH for CTEs)
+        VALID_QUERY_START_PATTERN = /\A\s*(SELECT|WITH)\s+/i
+      end
+    end
+  end
+end

data/lib/dbviewer/validator/sql/validation_result.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Dbviewer
+  module Validator
+    class Sql
+      # Validation result object to encapsulate validation state and errors
+      # This provides a structured way to return validation results with
+      # clear success/failure states and associated error messages.
+      ValidationResult = Struct.new(:valid?, :error_message, :normalized_sql, keyword_init: true) do
+        # Check if the validation was successful
+        # @return [Boolean] true if validation passed
+        def success?
+          valid?
+        end
+
+        # Check if the validation failed
+        # @return [Boolean] true if validation failed
+        def failure?
+          !valid?
+        end
+
+        # Create a successful validation result
+        # @param normalized_sql [String] The normalized SQL query
+        # @return [ValidationResult] Success result with normalized SQL
+        def self.success(normalized_sql)
+          new(valid?: true, normalized_sql: normalized_sql)
+        end
+
+        # Create a failed validation result
+        # @param error_message [String] Description of the validation failure
+        # @return [ValidationResult] Failure result with error message
+        def self.failure(error_message)
+          new(valid?: false, error_message: error_message)
+        end
+      end
+    end
+  end
+end

data/lib/dbviewer/validator/sql.rb

@@ -1,196 +1,208 @@
 # frozen_string_literal: true
 
+require_relative "sql/validation_result"
+require_relative "sql/validation_config"
+require_relative "sql/query_normalizer"
+require_relative "sql/threat_detector"
+
 module Dbviewer
   module Validator
     # Sql class handles SQL query validation and normalization
     # to ensure queries are safe (read-only) and properly formatted.
     # This helps prevent potentially destructive SQL operations.
     class Sql
-      # List of SQL keywords that could modify data or schema
-      FORBIDDEN_KEYWORDS = %w[
-        UPDATE INSERT DELETE DROP ALTER CREATE TRUNCATE REPLACE
-        RENAME GRANT REVOKE LOCK UNLOCK COMMIT ROLLBACK
-        SAVEPOINT INTO CALL EXECUTE EXEC
-      ]
-
-      # List of SQL keywords that should only be allowed in specific contexts
-      CONDITIONAL_KEYWORDS = {
-        # JOIN is allowed, but we should check for suspicious patterns
-        "JOIN" => /\bJOIN\b/i,
-        # UNION is allowed, but potential for injection
-        "UNION" => /\bUNION\b/i,
-        # WITH is allowed for CTEs, but need to ensure it's not a data modification
-        "WITH" => /\bWITH\b/i
-      }
-
-      # Maximum allowed query length
-      MAX_QUERY_LENGTH = 10000
-
-      # Determines if a query is safe (read-only)
-      # @param sql [String] The SQL query to validate
-      # @return [Boolean] true if the query is safe, false otherwise
-      def self.safe_query?(sql)
-        return false if sql.blank?
-
-        # Get max query length from configuration
-        max_length = Dbviewer.configuration.max_query_length || MAX_QUERY_LENGTH
-        return false if sql.length > max_length
-
-        normalized_sql = normalize(sql)
-
-        # Case-insensitive check for SELECT at the beginning
-        return false unless normalized_sql =~ /\A\s*SELECT\s+/i
-
-        # Check for forbidden keywords that might be used in subqueries or other SQL constructs
-        FORBIDDEN_KEYWORDS.each do |keyword|
-          # Look for the keyword with word boundaries to avoid false positives
-          return false if normalized_sql =~ /\b#{keyword}\b/i
+      # Core validation methods
+      class << self
+        # Determines if a query is safe (read-only)
+        # @param sql [String] The SQL query to validate
+        # @return [Boolean] true if the query is safe, false otherwise
+        def safe_query?(sql)
+          result = validate_query(sql, allow_pragma: false)
+          result.success?
         end
 
-        # Check for suspicious patterns that might indicate SQL injection attempts
-        return false if has_suspicious_patterns?(normalized_sql)
+        # Validates a query and raises an exception if it's unsafe
+        # @param sql [String] The SQL query to validate
+        # @raise [SecurityError] if the query is unsafe
+        # @return [String] The normalized SQL query if it's safe
+        def validate!(sql)
+          result = validate_query(sql, allow_pragma: true)
 
-        # Check for multiple statements (;) which could allow executing multiple commands
-        statements = normalized_sql.split(";").reject(&:blank?)
-        return false if statements.size > 1
+          if result.failure?
+            raise SecurityError, result.error_message
+          end
 
-        # Additional specific checks for common SQL injection patterns
-        return false if has_injection_patterns?(normalized_sql)
+          result.normalized_sql
+        end
 
-        true
-      end
+        private
 
-      # Check for suspicious patterns in SQL that might indicate an attack
-      # @param sql [String] Normalized SQL query
-      # @return [Boolean] true if suspicious patterns found, false otherwise
-      def self.has_suspicious_patterns?(sql)
-        # Check for SQL comment sequences that might be used to hide malicious code
-        return true if sql =~ /\s+--/ || sql =~ /\/\*/
+        # Main validation logic that returns a structured result
+        # @param sql [String] The SQL query to validate
+        # @param allow_pragma [Boolean] Whether to allow PRAGMA statements
+        # @return [ValidationResult] Validation result with status and details
+        def validate_query(sql, allow_pragma: true)
+          # Step 1: Basic input validation
+          basic_validation_result = perform_basic_validation(sql)
+          return basic_validation_result if basic_validation_result
 
-        # Check for string concatenation which might be used for injection
-        return true if sql =~ /\|\|/ || sql =~ /CONCAT\s*\(/i
+          # Step 2: Security threat detection (before normalization)
+          threat_validation_result = perform_threat_validation(sql)
+          return threat_validation_result if threat_validation_result
 
-        # Check for excessive number of quotes which might indicate injection
-        single_quotes = sql.count("'")
-        double_quotes = sql.count('"')
-        return true if single_quotes > 20 || double_quotes > 20
+          # Step 3: Normalize the query
+          normalized_sql = QueryNormalizer.normalize(sql)
 
-        # Check for hex/binary data which might hide malicious code
-        return true if sql =~ /0x[0-9a-f]{16,}/i
+          # Step 4: Handle special cases (PRAGMA) - only if allowed
+          if allow_pragma
+            pragma_result = handle_pragma_statements(normalized_sql)
+            return pragma_result if pragma_result
+          end
 
-        false
-      end
+          # Step 5: Validate query structure and keywords
+          structure_validation_result = perform_structure_validation(normalized_sql)
+          return structure_validation_result if structure_validation_result
 
-      # Check for specific SQL injection patterns
-      # @param sql [String] Normalized SQL query
-      # @return [Boolean] true if injection patterns found, false otherwise
-      def self.has_injection_patterns?(sql)
-        # Check for typical SQL injection test patterns
-        return true if sql =~ /'\s*OR\s*'.*'\s*=\s*'/i
-        return true if sql =~ /'\s*OR\s*1\s*=\s*1/i
-        return true if sql =~ /'\s*;\s*--/i
+          # Step 6: Check for multiple statements
+          multiple_statements_result = validate_single_statement(normalized_sql)
+          return multiple_statements_result if multiple_statements_result
 
-        # Check for attempts to determine database type
-        return true if sql =~ /@@version/i
-        return true if sql =~ /version\(\)/i
+          # Success case
+          ValidationResult.new(
+            valid?: true,
+            normalized_sql: normalized_sql
+          )
+        end
 
-        false
-      end
+        # Perform basic input validation (null, empty, length)
+        def perform_basic_validation(sql)
+          if sql.nil? || sql.strip.empty?
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Empty query is not allowed"
+            )
+          end
+
+          max_length = get_max_query_length
+          if sql.length > max_length
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Query exceeds maximum allowed length (#{max_length} chars)"
+            )
+          end
 
-      # Normalize SQL by removing comments and extra whitespace
-      # @param sql [String] The SQL query to normalize
-      # @return [String] The normalized SQL query
-      def self.normalize(sql)
-        return "" if sql.nil?
-
-        begin
-          # Remove SQL comments (both -- and /* */ styles)
-          normalized = sql.gsub(/--.*$/, "")             # Remove -- style comments
-                  .gsub(/\/\*.*?\*\//m, "")       # Remove /* */ style comments
-                  .gsub(/\s+/, " ")               # Normalize whitespace
-                  .strip                          # Remove leading/trailing whitespace
-
-          # Replace multiple spaces with a single space
-          normalized.gsub(/\s{2,}/, " ")
-        rescue => e
-          Rails.logger.error("[DBViewer] SQL normalization error: #{e.message}")
-          ""
+          nil # No validation errors
         end
-      end
 
-      # Validates a query and raises an exception if it's unsafe
-      # @param sql [String] The SQL query to validate
-      # @raise [SecurityError] if the query is unsafe
-      # @return [String] The normalized SQL query if it's safe
-      def self.validate!(sql)
-        if sql.blank?
-          raise SecurityError, "Empty query is not allowed"
+        # Perform security threat detection
+        def perform_threat_validation(sql)
+          if ThreatDetector.has_suspicious_patterns?(sql)
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Query contains suspicious patterns that may indicate SQL injection"
+            )
+          end
+
+          if ThreatDetector.has_injection_patterns?(sql)
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Query contains patterns commonly associated with SQL injection attempts"
+            )
+          end
+
+          nil # No security threats detected
         end
 
-        # Get max query length from configuration
-        max_length = Dbviewer.configuration.max_query_length || MAX_QUERY_LENGTH
-        if sql.length > max_length
-          raise SecurityError, "Query exceeds maximum allowed length (#{max_length} chars)"
+        # Handle special PRAGMA statements for SQLite
+        def handle_pragma_statements(normalized_sql)
+          if pragma_statement?(normalized_sql)
+            return ValidationResult.new(
+              valid?: true,
+              normalized_sql: normalized_sql
+            )
+          end
+
+          nil # Not a PRAGMA statement
         end
 
-        normalized_sql = normalize(sql)
+        # Validate query structure and forbidden keywords
+        def perform_structure_validation(normalized_sql)
+          unless valid_query_start?(normalized_sql)
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Query must begin with SELECT or WITH for security reasons"
+            )
+          end
 
-        # Special case for SQLite PRAGMA statements which are safe read-only commands
-        if normalized_sql =~ /\A\s*PRAGMA\s+[a-z0-9_]+\s*\z/i
-          return normalized_sql
+          forbidden_keyword = detect_forbidden_keywords(normalized_sql)
+          if forbidden_keyword
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Forbidden keyword '#{forbidden_keyword}' detected in query"
+            )
+          end
+
+          nil # Structure validation passed
         end
 
-        unless normalized_sql =~ /\A\s*SELECT\s+/i
-          raise SecurityError, "Query must begin with SELECT for security reasons"
+        # Validate that query contains only a single statement
+        def validate_single_statement(normalized_sql)
+          statements = normalized_sql.split(";").reject { |s| s.nil? || s.strip.empty? }
+          if statements.size > 1
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Multiple SQL statements are not allowed"
+            )
+          end
+
+          nil # Single statement validation passed
         end
 
-        FORBIDDEN_KEYWORDS.each do |keyword|
-          if normalized_sql =~ /\b#{keyword}\b/i
-            raise SecurityError, "Forbidden keyword '#{keyword}' detected in query"
+        # Helper methods
+        def get_max_query_length
+          # Try to get from configuration if available, otherwise use default
+          if defined?(Dbviewer) && Dbviewer.respond_to?(:configuration) && Dbviewer.configuration.respond_to?(:max_query_length)
+            Dbviewer.configuration.max_query_length || ValidationConfig::DEFAULT_MAX_QUERY_LENGTH
+          else
+            ValidationConfig::DEFAULT_MAX_QUERY_LENGTH
           end
         end
 
-        if has_suspicious_patterns?(normalized_sql)
-          raise SecurityError, "Query contains suspicious patterns that may indicate SQL injection"
+        def pragma_statement?(normalized_sql)
+          normalized_sql =~ /\A\s*PRAGMA\s+[a-z0-9_]+(\([^)]*\))?\s*\z/i
         end
 
-        # Check for multiple statements
-        statements = normalized_sql.split(";").reject(&:blank?)
-        if statements.size > 1
-          raise SecurityError, "Multiple SQL statements are not allowed"
+        def valid_query_start?(normalized_sql)
+          normalized_sql =~ /\A\s*(SELECT|WITH)\s+/i
         end
 
-        if has_injection_patterns?(normalized_sql)
-          raise SecurityError, "Query contains patterns commonly associated with SQL injection attempts"
+        def detect_forbidden_keywords(normalized_sql)
+          ValidationConfig::FORBIDDEN_KEYWORDS.find do |keyword|
+            normalized_sql =~ /\b#{keyword}\b/i
+          end
         end
 
-        normalized_sql
-      end
+        def detect_subqueries(normalized_sql)
+          # Check if there are unbalanced parentheses that likely contain subqueries
+          normalized_sql.count("(") > normalized_sql.count(")")
+        end
+
+        # Method missing handler for backward compatibility with legacy method calls
+        def method_missing(method_name, *args, **kwargs, &block)
+          case method_name
+          when :has_suspicious_patterns?
+            ThreatDetector.has_suspicious_patterns?(*args)
+          when :has_injection_patterns?
+            ThreatDetector.has_injection_patterns?(*args)
+          when :normalize
+            QueryNormalizer.normalize(*args)
+          else
+            super
+          end
+        end
 
-      # Check if a query is using a specific database feature that might need special handling
-      # @param sql [String] The SQL query
-      # @param feature [Symbol] The feature to check for (:join, :subquery, :order_by, etc.)
-      # @return [Boolean] true if the feature is used in the query
-      def self.uses_feature?(sql, feature)
-        normalized = normalize(sql)
-        case feature
-        when :join
-          normalized =~ /\b(INNER|LEFT|RIGHT|FULL|CROSS)?\s*JOIN\b/i
-        when :subquery
-          # Check if there are parentheses that likely contain a subquery
-          normalized.count("(") > normalized.count(")")
-        when :order_by
-          normalized =~ /\bORDER\s+BY\b/i
-        when :group_by
-          normalized =~ /\bGROUP\s+BY\b/i
-        when :having
-          normalized =~ /\bHAVING\b/i
-        when :union
-          normalized =~ /\bUNION\b/i
-        when :window_function
-          normalized =~ /\bOVER\s*\(/i
-        else
-          false
+        def respond_to_missing?(method_name, include_private = false)
+          [ :has_suspicious_patterns?, :has_injection_patterns?, :normalize ].include?(method_name) || super
         end
       end
     end

data/lib/dbviewer/version.rb

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.7.3"
+  VERSION = "0.7.4"
 end

data/lib/dbviewer.rb

@@ -7,13 +7,15 @@ require "dbviewer/storage/base"
 require "dbviewer/storage/in_memory_storage"
 require "dbviewer/storage/file_storage"
 
+require "dbviewer/cache/base"
+require "dbviewer/cache/in_memory"
+
 require "dbviewer/query/executor"
 require "dbviewer/query/analyzer"
 require "dbviewer/query/logger"
 require "dbviewer/query/notification_subscriber"
 require "dbviewer/query/parser"
 
-require "dbviewer/database/cache_manager"
 require "dbviewer/database/dynamic_model_factory"
 require "dbviewer/database/manager"
 require "dbviewer/database/metadata_manager"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dbviewer
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.7.4
 platform: ruby
 authors:
 - Wailan Tirajoh
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-06-12 00:00:00.000000000 Z
+date: 2025-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -120,8 +120,9 @@ files:
 - app/views/layouts/dbviewer/shared/_sidebar.html.erb
 - config/routes.rb
 - lib/dbviewer.rb
+- lib/dbviewer/cache/base.rb
+- lib/dbviewer/cache/in_memory.rb
 - lib/dbviewer/configuration.rb
-- lib/dbviewer/database/cache_manager.rb
 - lib/dbviewer/database/dynamic_model_factory.rb
 - lib/dbviewer/database/manager.rb
 - lib/dbviewer/database/metadata_manager.rb
@@ -137,6 +138,10 @@ files:
 - lib/dbviewer/storage/file_storage.rb
 - lib/dbviewer/storage/in_memory_storage.rb
 - lib/dbviewer/validator/sql.rb
+- lib/dbviewer/validator/sql/query_normalizer.rb
+- lib/dbviewer/validator/sql/threat_detector.rb
+- lib/dbviewer/validator/sql/validation_config.rb
+- lib/dbviewer/validator/sql/validation_result.rb
 - lib/dbviewer/version.rb
 - lib/generators/dbviewer/install_generator.rb
 - lib/generators/dbviewer/templates/initializer.rb

data/lib/dbviewer/database/cache_manager.rb

@@ -1,78 +0,0 @@
-module Dbviewer
-  module Database
-    # CacheManager handles caching concerns for the DatabaseManager
-    # It provides an abstraction layer for managing caches efficiently
-    class CacheManager
-      # Initialize the cache manager
-      # @param cache_expiry [Integer] Cache expiration time in seconds (default: 300)
-      def initialize(cache_expiry = 300)
-        @cache_expiry = cache_expiry
-        @dynamic_models = {}
-        @table_columns_cache = {}
-        @table_metadata_cache = {}
-        @cache_last_reset = Time.now
-      end
-
-      # Get a model from cache or return nil
-      # @param table_name [String] Name of the table
-      # @return [Class, nil] The cached model or nil if not found
-      def get_model(table_name)
-        @dynamic_models[table_name]
-      end
-
-      # Store a model in the cache
-      # @param table_name [String] Name of the table
-      # @param model [Class] ActiveRecord model class
-      def store_model(table_name, model)
-        @dynamic_models[table_name] = model
-      end
-
-      # Get column information from cache
-      # @param table_name [String] Name of the table
-      # @return [Array<Hash>, nil] The cached column information or nil if not found
-      def get_columns(table_name)
-        @table_columns_cache[table_name]
-      end
-
-      # Store column information in cache
-      # @param table_name [String] Name of the table
-      # @param columns [Array<Hash>] Column information
-      def store_columns(table_name, columns)
-        @table_columns_cache[table_name] = columns
-      end
-
-      # Get table metadata from cache
-      # @param table_name [String] Name of the table
-      # @return [Hash, nil] The cached metadata or nil if not found
-      def get_metadata(table_name)
-        @table_metadata_cache[table_name]
-      end
-
-      # Store table metadata in cache
-      # @param table_name [String] Name of the table
-      # @param metadata [Hash] Table metadata
-      def store_metadata(table_name, metadata)
-        @table_metadata_cache[table_name] = metadata
-      end
-
-      # Reset caches if they've been around too long
-      def reset_if_needed
-        if Time.now - @cache_last_reset > @cache_expiry
-          @table_columns_cache = {}
-          @table_metadata_cache = {}
-          @cache_last_reset = Time.now
-          Rails.logger.debug("[DBViewer] Cache reset due to expiry after #{@cache_expiry} seconds")
-        end
-      end
-
-      # Clear all caches - useful when schema changes are detected
-      def clear_all
-        @dynamic_models = {}
-        @table_columns_cache = {}
-        @table_metadata_cache = {}
-        @cache_last_reset = Time.now
-        Rails.logger.debug("[DBViewer] All caches cleared")
-      end
-    end
-  end
-end