dbviewer 0.9.1 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 897715943af7ce5d339aebb00b03bc13e1abc728c5e09d9615ec7189555cf014
-  data.tar.gz: 3ee632c6e1a6cc9fe5e5df08277520a0ea6a705e20a84bcab1756acd27a0f031
+  metadata.gz: 73a576f4a8f66beb4c9320015567379b28baf8f11d857b4e5b69ff7372ec0977
+  data.tar.gz: f408948d8b866d8a223035555d31b9b5131f7d3c21ae4d2fe3864dfbd5670d75
 SHA512:
-  metadata.gz: 010a246eb09d2a6841c01bb3b87553b89ed4050a8781572a5b016894b208688d495744a1539636e8655c6ea7778449a2d0b9c0e204b0be5d7b68c2ee6ac883e3
-  data.tar.gz: e4142876a0867ebc55655469e8b85f240cc5a48b9b45ffb1d5bec89ab38939b95e996dcba1fa9b2555658cd1276415d24d14ae57ad98554b4f1a852beb8e0632
+  metadata.gz: c973bd58d1b0e0005bcf0591d72d70d58ba917c2c4e39f1678a77011f4832e25e53d22d0153fbded40612e0d8e1bc43ef75271e64fc20f18489920e4299a8fa2
+  data.tar.gz: a464fd32e361fa3e5eab3917f72b9b1e08e98f0887e5cc396a685a0624ff71c7a74998887ec38f0ed71432535546b354c1086618269c48781806b17ea73f92fd

data/README.md

@@ -9,15 +9,16 @@ It's designed for development, debugging, and database analysis, offering a clea
 
 ## ✨ Features
 
-- **Dashboard**
-- **Table Overview**
-- **Detailed Schema Information**
-- **Entity Relationship Diagram (ERD)**
-- **Data Browsing**
-- **SQL Queries**
-- **Multiple Database Connections**
-- **PII Data Masking** - Protect sensitive data with configurable masking rules
-- **Enhanced UI Features**
+- **Dashboard** - Comprehensive database overview with statistics
+- **Table Overview** - Complete table listing with metadata
+- **Detailed Schema Information** - Column details, indexes, and constraints
+- **Entity Relationship Diagram (ERD)** - Interactive database schema visualization
+- **Data Browsing** - Paginated record viewing with search and filtering
+- **SQL Queries** - Safe SQL query execution with validation
+- **Multiple Database Connections** - Support for multiple database sources
+- **PII Data Masking** - Configurable masking for sensitive data
+- **Access Control** - Table and column-level access restrictions
+- **Query Logging** - SQL query monitoring and performance analysis
 
 ## 🧪 Demo Application
 
@@ -126,34 +127,6 @@ You can also create this file manually if you prefer.
 
 The configuration is accessed through `Dbviewer.configuration` throughout the codebase. You can also access it via `Dbviewer.config` which is an alias for backward compatibility.
 
-### Disabling DBViewer Completely
-
-You can completely disable DBViewer access by setting the `disabled` configuration option to `true`. When disabled, all DBViewer routes will return 404 (Not Found) responses:
-
-```ruby
-# config/initializers/dbviewer.rb
-Dbviewer.configure do |config|
-  # Completely disable DBViewer in production
-  config.disabled = Rails.env.production?
-
-  # Or disable unconditionally
-  # config.disabled = true
-end
-```
-
-This is useful for:
-
-- **Production environments** where you want to completely disable access to database viewing tools
-- **Security compliance** where database admin tools must be disabled in certain environments
-- **Performance** where you want to eliminate any potential overhead from DBViewer routes
-
-When disabled:
-
-- All DBViewer routes return 404 (Not Found) responses
-- No database connections are validated
-- No DBViewer middleware or concerns are executed
-- The application behaves as if DBViewer was never mounted
-
 ### Multiple Database Connections
 
 DBViewer supports working with multiple database connections in your application. This is useful for applications that connect to multiple databases or use different connection pools.
@@ -214,23 +187,32 @@ config.query_logging_mode = :file         # Store queries in a log file
 config.query_log_path = "log/dbviewer.log" # Path where query log file will be stored
 ```
 
-The file format uses one JSON entry per line, making it easy to analyze with standard tools. Query Log collector are disabled by default on non development environtment.
+The file format uses one JSON entry per line, making it easy to analyze with standard tools.
+
+**Note**: Query logging is automatically disabled in non-development environments for performance.
 
 ## 🔒 Security Features
 
-DBViewer includes several security features to protect your database:
+DBViewer includes comprehensive security features to protect your database:
+
+### Core Security
 
 - **Read-only Mode**: Only SELECT queries are allowed; all data modification operations are blocked
 - **SQL Validation**: Prevents potentially harmful operations with comprehensive validation
 - **Query Limits**: Automatic LIMIT clause added to prevent excessive data retrieval
 - **Pattern Detection**: Detection of SQL injection patterns and suspicious constructs
 - **Error Handling**: Informative error messages without exposing sensitive information
-- **HTTP Basic Authentication**: Protect access with username and password authentication
-- **Complete Disabling**: Completely disable DBViewer in production or sensitive environments
+
+### Authentication & Access Control
+
+- **HTTP Basic Authentication**: Protect access with username and password
+- **Table-Level Access Control**: Whitelist/blacklist specific tables
+- **Column-Level Blocking**: Hide sensitive columns from display
+- **Complete Disabling**: Fully disable DBViewer in production environments
 
 ### Basic Authentication
 
-You can enable HTTP Basic Authentication to secure access to DBViewer:
+Enable HTTP Basic Authentication to secure access:
 
 ```ruby
 Dbviewer.configure do |config|
@@ -242,65 +224,43 @@ end
 ```
 
 When credentials are provided, all DBViewer routes will be protected by HTTP Basic Authentication.
-Without valid credentials, users will be prompted for a username and password before they can access any DBViewer page.
 
-### Complete Disabling
+### Complete Disabling for Production
 
-For maximum security in production environments, you can completely disable DBViewer:
+For maximum security in production environments, completely disable DBViewer:
 
 ```ruby
 Dbviewer.configure do |config|
   # Completely disable DBViewer in production
   config.disabled = Rails.env.production?
+
+  # Or disable unconditionally
+  # config.disabled = true
 end
 ```
 
-When disabled, all DBViewer routes return 404 responses, making it appear as if the tool was never installed. This is the recommended approach for production systems where database admin tools should not be accessible.
+When disabled, all DBViewer routes return 404 responses, making it appear as if the tool was never installed. This is the recommended approach for production systems.
+
+⚠️ **Security Warning**: This engine provides direct access to your database contents. In production:
+
+- Use long, randomly generated passwords (e.g., `SecureRandom.hex(16)`)
+- Access DBViewer over HTTPS connections only
+- Limit access to trusted administrators only
+- Consider completely disabling in production environments
 
 ### 🔐 PII Data Masking
 
 DBViewer includes built-in support for masking Personally Identifiable Information (PII) to protect sensitive data while allowing developers to browse database contents.
 
-#### Quick Setup
-
-Configure PII masking in your Rails initializer (e.g., `config/initializers/dbviewer.rb`):
+Enable PII masking in your Rails initializer:
 
 ```ruby
-# Enable PII masking (enabled by default)
 Dbviewer.configure do |config|
   config.enable_pii_masking = true
 end
-
-# Define masking rules
-Dbviewer.configure_pii do |pii|
-  # Built-in masking types
-  pii.mask 'users.email', with: :email           # john@example.com → jo***@example.com
-  pii.mask 'users.phone', with: :phone           # +1234567890 → +1***90
-  pii.mask 'users.ssn', with: :ssn               # 123456789 → ***-**-6789
-  pii.mask 'payments.card_number', with: :credit_card  # 1234567890123456 → ****-****-****-3456
-  pii.mask 'users.api_key', with: :full_redact   # any_value → ***REDACTED***
-
-  # Custom masking with lambda
-  pii.mask 'users.salary', with: ->(value) { value ? '$***,***' : value }
-
-  # Define reusable custom masks
-  pii.custom_mask :ip_mask, ->(value) {
-    return value if value.nil?
-    parts = value.split('.')
-    "#{parts[0]}.#{parts[1]}.***.***.***"
-  }
-  pii.mask 'logs.ip_address', with: :ip_mask
-end
 ```
 
-#### Built-in Masking Types
-
-- **`:email`** - Masks email addresses while preserving domain
-- **`:phone`** - Masks phone numbers keeping first and last digits
-- **`:ssn`** - Masks Social Security Numbers showing only last 4 digits
-- **`:credit_card`** - Masks credit card numbers showing only last 4 digits
-- **`:full_redact`** - Completely redacts the value
-- **`:partial`** - Partial masking (default behavior)
+For complete setup instructions, built-in masking types, and advanced configuration examples, see [PII_MASKING.md](docs/PII_MASKING.md).
 
 ### Table and Column Access Control
 
@@ -310,35 +270,39 @@ DBViewer includes granular access control features to restrict access to specifi
 
 DBViewer supports three access control modes:
 
-- **`:none`** (default) - All tables are accessible (current behavior)
+- **`:none`** (default) - All tables are accessible
 - **`:whitelist`** - Only explicitly allowed tables are accessible (most secure)
 - **`:blacklist`** - All tables except explicitly blocked ones are accessible
 
-#### Whitelist Mode (Recommended for Production)
-
-Whitelist mode is the most secure approach, where only explicitly allowed tables can be accessed:
+#### Configuration Examples
 
-### Generate Example Configuration
-
-Use the generator to create an example PII configuration:
-
-```bash
-rails generate dbviewer:install
+```ruby
+# config/initializers/dbviewer.rb
+Dbviewer.configure do |config|
+  # Whitelist mode (recommended for production)
+  config.access_control_mode = :whitelist
+  config.allowed_tables = ['users', 'orders', 'products', 'categories']
+
+  # OR blacklist mode
+  # config.access_control_mode = :blacklist
+  # config.blocked_tables = ['admin_users', 'sensitive_data', 'audit_logs']
+
+  # Hide sensitive columns from specific tables
+  config.blocked_columns = {
+    'users' => ['password_digest', 'api_key', 'secret_token'],
+    'orders' => ['internal_notes', 'admin_comments']
+  }
+end
 ```
 
-This creates `config/initializers/dbviewer_pii_example.rb` with comprehensive examples.
+When access control is enabled, DBViewer will:
 
-For detailed PII masking documentation, see [PII_MASKING.md](docs/PII_MASKING.md).
-
-## 📝 Security Note
-
-⚠️ **Warning**: This engine provides direct access to your database contents, which contains sensitive information. Always protect it with HTTP Basic Authentication by configuring strong credentials as shown above.
+- Validate all table access in UI, API endpoints, and Entity Relationship Diagrams
+- Filter SQL queries to prevent unauthorized table access
+- Show only accessible tables and their relationships in ERDs
+- Provide informative error messages for access violations
 
-When used in production, ensure:
-
-- You use long, randomly generated passwords (e.g., with `SecureRandom.hex(16)`)
-- You access DBViewer over HTTPS connections only
-- Access is limited to trusted administrators only
+For detailed PII masking documentation, see [PII_MASKING.md](docs/PII_MASKING.md).
 
 ## 🔄 Updating DBViewer
 
@@ -355,7 +319,7 @@ The simplest way to update is using Bundler:
   gem "dbviewer"
 
   # Or specify a version
-  gem "dbviewer", "~> 0.7.2"
+  gem "dbviewer", "~> 0.9.0"
   ```
 
 - Run bundle update:

data/app/controllers/concerns/dbviewer/database_operations/query_operations.rb

@@ -5,20 +5,23 @@ module Dbviewer
 
       # Prepare the SQL query - either from params or default
       def prepare_query(table_name, query)
-        query = query.present? ? query.to_s : default_query(table_name)
+        # Sanitize and validate input
+        sanitized_query = sanitize_query_input(query)
+        final_query = sanitized_query.present? ? sanitized_query.to_s : default_query(table_name)
 
         # Validate query for security
-        unless ::Dbviewer::Validator::Sql.safe_query?(query)
-          query = default_query(table_name)
+        unless ::Dbviewer::Validator::Sql.safe_query?(final_query)
+          log_unsafe_query_attempt(final_query)
+          final_query = default_query(table_name)
           flash.now[:warning] = "Only SELECT queries are allowed. Your query contained potentially unsafe operations. Using default query instead."
         end
 
-        query
+        final_query
       end
 
       # Execute the prepared SQL query
       def execute_query(query)
-        database_manager.execute_query(@query)
+        database_manager.execute_query(query)
       end
 
       def default_query(table_name)
@@ -32,6 +35,41 @@ module Dbviewer
       def safe_quote_table_name(table_name)
         database_manager.connection.quote_table_name(table_name) rescue table_name.to_s
       end
+
+      # Sanitize query input to prevent basic injection attempts
+      def sanitize_query_input(query)
+        return nil if query.nil?
+
+        # Convert to string and strip whitespace
+        sanitized = query.to_s.strip
+
+        # Remove any null bytes that could be used to bypass security
+        sanitized = sanitized.gsub(/\x00/, "")
+
+        # Limit the query length as an additional safety measure
+        max_length = 10000
+        sanitized = sanitized.truncate(max_length) if sanitized.length > max_length
+
+        sanitized
+      end
+
+      # Log unsafe query attempts for security monitoring
+      def log_unsafe_query_attempt(query)
+        Rails.logger.warn("[DBViewer][Security] Unsafe query blocked: #{query.truncate(200)}") if defined?(Rails)
+
+        # Log to security monitoring system if available
+        if defined?(::Dbviewer::Query::Logger)
+          ::Dbviewer::Query::Logger.log_security_event(
+            event_type: "unsafe_query_blocked",
+            query_type: "user_query",
+            sql: query,
+            timestamp: Time.current
+          )
+        end
+      rescue => e
+        # Don't let logging errors break the application
+        puts "[DBViewer] Security logging error: #{e.message}"
+      end
     end
   end
 end

data/lib/dbviewer/configuration.rb

@@ -100,6 +100,23 @@ module Dbviewer
     # :none - all tables accessible (current behavior)
     attr_accessor :access_control_mode
 
+    # Security-related configuration options
+
+    # Enable comprehensive security logging for all database operations
+    attr_accessor :log_queries
+
+    # Log security threats and blocked queries
+    attr_accessor :log_security_events
+
+    # Enhanced SQL injection detection patterns
+    attr_accessor :enhanced_sql_protection
+
+    # Enforce parameterized queries when possible
+    attr_accessor :enforce_parameterized_queries
+
+    # Maximum number of security events to keep in memory
+    attr_accessor :max_security_events
+
     def initialize
       @per_page_options = [ 10, 20, 50, 100 ]
       @default_per_page = 20
@@ -132,6 +149,13 @@ module Dbviewer
       @blocked_tables = []
       @blocked_columns = {}
       @access_control_mode = :none  # Default to current behavior
+
+      # Initialize security settings
+      @log_queries = true
+      @log_security_events = true
+      @enhanced_sql_protection = true
+      @enforce_parameterized_queries = false
+      @max_security_events = 1000
     end
   end
 end

data/lib/dbviewer/query/executor.rb

@@ -15,6 +15,7 @@ module Dbviewer
       # @return [ActiveRecord::Result] Result set with columns and rows
       # @raise [StandardError] If the query is invalid or unsafe
       def execute_query(sql)
+        log_query_execution(sql, "query")
         exec_query(normalize_sql(sql))
       end
 
@@ -23,7 +24,9 @@ module Dbviewer
       # @return [ActiveRecord::Result] Result set with the PRAGMA value
       # @raise [StandardError] If the query is invalid or cannot be executed
       def execute_sqlite_pragma(pragma)
-        exec_query("PRAGMA #{pragma}")
+        pragma_sql = "PRAGMA #{pragma}"
+        log_query_execution(pragma_sql, "pragma")
+        exec_query(pragma_sql)
       end
 
       private
@@ -38,6 +41,24 @@ module Dbviewer
         normalized_sql = "#{normalized_sql} LIMIT #{max_records}" unless normalized_sql =~ /\bLIMIT\s+\d+\s*$/i
         normalized_sql
       end
+
+      # Log query execution for security monitoring
+      # @param sql [String] The SQL query being executed
+      # @param query_type [String] Type of query (query, pragma, etc.)
+      def log_query_execution(sql, query_type)
+        return unless should_log_queries?
+
+        ::Dbviewer::Query::Logger.log_security_event(
+          event_type: "query_execution",
+          query_type: query_type,
+          sql: sql,
+          timestamp: Time.current
+        )
+      end
+
+      def should_log_queries?
+        @config.respond_to?(:log_queries) ? @config.log_queries : true
+      end
     end
   end
 end

data/lib/dbviewer/query/logger.rb

@@ -72,6 +72,22 @@ module Dbviewer
         Analyzer.generate_stats(queries)
       end
 
+      # Add a security event to the logger
+      def add_security_event(event)
+        # Store security events separately for analysis
+        @security_events ||= []
+        @security_events << event
+
+        # Keep only the last 1000 security events to prevent memory issues
+        @security_events = @security_events.last(1000) if @security_events.size > 1000
+      end
+
+      # Get recent security events
+      def recent_security_events(limit: 100)
+        @security_events ||= []
+        @security_events.last(limit)
+      end
+
       class << self
         extend Forwardable
 
@@ -87,6 +103,26 @@ module Dbviewer
             query_logging_mode: query_logging_mode
           )
         end
+
+        # Log security events for monitoring and auditing
+        # @param event_type [String] Type of security event
+        # @param query_type [String] Type of query being executed
+        # @param sql [String] The SQL query
+        # @param timestamp [Time] When the event occurred
+        def log_security_event(event_type:, query_type:, sql:, timestamp:)
+          # Log to Rails logger with security prefix for easy filtering
+          Rails.logger.info("[DBViewer][Security] #{event_type.upcase}: #{query_type} - #{sql.truncate(200)}")
+
+          # Also store in memory for potential analysis
+          instance.add_security_event({
+            event_type: event_type,
+            query_type: query_type,
+            sql: sql,
+            timestamp: timestamp,
+            request_id: ActiveSupport::Notifications.instrumenter.id,
+            thread_id: Thread.current.object_id.to_s
+          })
+        end
       end
 
       private

data/lib/dbviewer/validator/sql/threat_detector.rb

@@ -22,6 +22,7 @@ module Dbviewer
           return true if has_string_concatenation?(sql)
           return true if has_excessive_quotes?(sql)
           return true if has_hex_encoding?(sql)
+          return true if has_additional_suspicious_patterns?(sql)
 
           false
         end
@@ -33,7 +34,15 @@ module Dbviewer
         # @param sql [String] Raw SQL query (before normalization)
         # @return [Boolean] true if injection patterns found, false otherwise
         def has_injection_patterns?(sql)
-          ValidationConfig::INJECTION_PATTERNS.any? do |_name, pattern|
+          patterns_to_check = ValidationConfig::INJECTION_PATTERNS
+
+          # Filter out enhanced patterns if enhanced protection is disabled
+          unless enhanced_protection_enabled?
+            enhanced_patterns = [ :information_schema, :mysql_user, :pg_user ]
+            patterns_to_check = patterns_to_check.reject { |name, _| enhanced_patterns.include?(name) }
+          end
+
+          patterns_to_check.any? do |_name, pattern|
             sql =~ pattern
           end
         end
@@ -89,6 +98,16 @@ module Dbviewer
 
         private
 
+        # Check if enhanced SQL protection is enabled
+        def enhanced_protection_enabled?
+          if defined?(Dbviewer) && Dbviewer.respond_to?(:configuration) &&
+             Dbviewer.configuration.respond_to?(:enhanced_sql_protection)
+            Dbviewer.configuration.enhanced_sql_protection
+          else
+            true # Default to enabled for security
+          end
+        end
+
         # Check for comment injection attempts
         # Comments can be used to hide malicious SQL code
         #
@@ -127,6 +146,29 @@ module Dbviewer
         def has_hex_encoding?(sql)
           ValidationConfig::SUSPICIOUS_PATTERNS[:hex_encoding] =~ sql
         end
+
+        # Check for additional suspicious patterns
+        # This method checks for newer and more sophisticated attack patterns
+        #
+        # @param sql [String] Raw SQL query
+        # @return [Boolean] true if additional suspicious patterns detected
+        def has_additional_suspicious_patterns?(sql)
+          additional_patterns = [
+            :char_function, :ascii_function, :substring_injection, :length_functions,
+            :conditional_comments, :encoded_spaces, :multiple_unions, :nested_selects,
+            :script_tags, :php_tags, :null_byte, :excessive_parentheses
+          ]
+
+          # Only check enhanced patterns if enhanced protection is enabled
+          unless enhanced_protection_enabled?
+            enhanced_suspicious_patterns = [ :ascii_function, :substring_injection, :length_functions, :char_function ]
+            additional_patterns = additional_patterns - enhanced_suspicious_patterns
+          end
+
+          additional_patterns.any? do |pattern_name|
+            ValidationConfig::SUSPICIOUS_PATTERNS[pattern_name] =~ sql
+          end
+        end
       end
     end
   end

data/lib/dbviewer/validator/sql/validation_config.rb

@@ -33,7 +33,20 @@ module Dbviewer
         SUSPICIOUS_PATTERNS = {
           comment_injection: /\s+--|\/\*/,
           string_concatenation: /\|\||CONCAT\s*\(/i,
-          hex_encoding: /0x[0-9a-f]{16,}/i
+          hex_encoding: /0x[0-9a-f]{16,}/i,
+          # Additional suspicious patterns
+          char_function: /\bCHAR\s*\(\s*\d+(\s*,\s*\d+){4,}/i, # Only flag when many parameters like CHAR(65,68,77,73,78)
+          ascii_function: /\bASCII\s*\(/i,
+          substring_injection: /\bSUBSTRING\s*\(\s*(@@|version|user|database)/i, # Only when extracting system info
+          length_functions: /\b(LENGTH|LEN|CHAR_LENGTH)\s*\(\s*(@@|version|user|database)/i, # Only on system functions
+          conditional_comments: /\/\*!\d+/,
+          encoded_spaces: /%20|%09|%0a|%0d/i,
+          multiple_unions: /\bUNION\b.*\bUNION\b/i,
+          nested_selects: /\bSELECT\b.*\bSELECT\b.*\bSELECT\b/i,
+          script_tags: /<script|<\/script>/i,
+          php_tags: /<\?php|<\?=/i,
+          null_byte: /\x00/,
+          excessive_parentheses: /\({5,}|\){5,}/
         }.freeze
 
         # SQL injection attack patterns - these are definitive threats
@@ -46,7 +59,19 @@ module Dbviewer
           version_function: /version\(\)/i,
           file_access: /\bLOAD_FILE\s*\(/i,
           outfile_access: /\bINTO\s+OUTFILE\b/i,
-          dumpfile_access: /\bINTO\s+DUMPFILE\b/i
+          dumpfile_access: /\bINTO\s+DUMPFILE\b/i,
+          # Additional injection patterns for enhanced security
+          sleep_injection: /\b(SLEEP|WAITFOR|DELAY)\s*\(/i,
+          benchmark_injection: /\bBENCHMARK\s*\(/i,
+          information_schema: /\binformation_schema\./i,
+          mysql_user: /\bmysql\.user\b/i,
+          pg_user: /\bpg_user\b/i,
+          system_functions: /\b(system|exec|shell|cmd)\s*\(/i,
+          database_functions: /\b(database|schema|user|current_user)\s*\(\s*\)/i,
+          stacked_queries: /;\s*(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE)/i,
+          time_based_blind: /\bIF\s*\(\s*\d+\s*=\s*\d+\s*,\s*SLEEP\s*\(/i,
+          error_based: /\bCONVERT\s*\(\s*INT\s*,/i,
+          xpath_injection: /\bEXTRACTVALUE\s*\(/i
         }.freeze
 
         # Database feature detection patterns for query analysis

data/lib/dbviewer/validator/sql.rb

@@ -46,24 +46,28 @@ module Dbviewer
           basic_validation_result = perform_basic_validation(sql)
           return basic_validation_result if basic_validation_result
 
-          # Step 2: Security threat detection (before normalization)
+          # Step 2: Normalize the query early for forbidden keyword checks
+          normalized_sql = QueryNormalizer.normalize(sql)
+
+          # Step 3: Check for forbidden keywords in multiple statements first
+          forbidden_keyword_result = validate_forbidden_keywords_in_statements(normalized_sql)
+          return forbidden_keyword_result if forbidden_keyword_result
+
+          # Step 4: Security threat detection (on original SQL before normalization)
           threat_validation_result = perform_threat_validation(sql)
           return threat_validation_result if threat_validation_result
 
-          # Step 3: Normalize the query
-          normalized_sql = QueryNormalizer.normalize(sql)
-
-          # Step 4: Handle special cases (PRAGMA) - only if allowed
+          # Step 5: Handle special cases (PRAGMA) - only if allowed
           if allow_pragma
             pragma_result = handle_pragma_statements(normalized_sql)
             return pragma_result if pragma_result
           end
 
-          # Step 5: Validate query structure and keywords
+          # Step 6: Validate query structure and keywords
           structure_validation_result = perform_structure_validation(normalized_sql)
           return structure_validation_result if structure_validation_result
 
-          # Step 6: Check for multiple statements
+          # Step 7: Check for multiple statements
           multiple_statements_result = validate_single_statement(normalized_sql)
           return multiple_statements_result if multiple_statements_result
 
@@ -97,6 +101,7 @@ module Dbviewer
         # Perform security threat detection
         def perform_threat_validation(sql)
           if ThreatDetector.has_suspicious_patterns?(sql)
+            log_security_threat("suspicious_patterns", sql)
             return ValidationResult.new(
               valid?: false,
               error_message: "Query contains suspicious patterns that may indicate SQL injection"
@@ -104,6 +109,7 @@ module Dbviewer
           end
 
           if ThreatDetector.has_injection_patterns?(sql)
+            log_security_threat("injection_patterns", sql)
             return ValidationResult.new(
               valid?: false,
               error_message: "Query contains patterns commonly associated with SQL injection attempts"
@@ -145,6 +151,32 @@ module Dbviewer
           nil # Structure validation passed
         end
 
+        # Validate forbidden keywords specifically in multiple statements
+        def validate_forbidden_keywords_in_statements(normalized_sql)
+          statements = normalized_sql.split(";").reject { |s| s.nil? || s.strip.empty? }
+
+          if statements.size > 1
+            # Check each statement for forbidden keywords
+            statements.each do |statement|
+              forbidden_keyword = detect_forbidden_keywords(statement.strip)
+              if forbidden_keyword
+                return ValidationResult.new(
+                  valid?: false,
+                  error_message: "Forbidden keyword '#{forbidden_keyword}' detected in query"
+                )
+              end
+            end
+
+            # If multiple statements but no forbidden keywords, still reject for multiple statements
+            return ValidationResult.new(
+              valid?: false,
+              error_message: "Multiple SQL statements are not allowed"
+            )
+          end
+
+          nil # Single statement, proceed with normal validation
+        end
+
         # Validate that query contains only a single statement
         def validate_single_statement(normalized_sql)
           statements = normalized_sql.split(";").reject { |s| s.nil? || s.strip.empty? }
@@ -204,6 +236,26 @@ module Dbviewer
         def respond_to_missing?(method_name, include_private = false)
           [ :has_suspicious_patterns?, :has_injection_patterns?, :normalize ].include?(method_name) || super
         end
+
+        # Log security threats for monitoring and analysis
+        def log_security_threat(threat_type, sql)
+          if defined?(Rails) && Rails.logger
+            Rails.logger.warn("[DBViewer][Security] SQL threat detected - #{threat_type}: #{sql.truncate(200)}")
+          end
+
+          # Also log to query logger if available
+          if defined?(::Dbviewer::Query::Logger)
+            ::Dbviewer::Query::Logger.log_security_event(
+              event_type: "threat_detected",
+              query_type: threat_type,
+              sql: sql,
+              timestamp: Time.current
+            )
+          end
+        rescue => e
+          # Don't let logging errors break the validation
+          puts "[DBViewer] Security logging error: #{e.message}"
+        end
       end
     end
   end

data/lib/dbviewer/version.rb

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.9.1"
+  VERSION = "0.9.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dbviewer
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors:
 - Wailan Tirajoh