pg_reports 0.5.1 → 0.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +38 -5
- data/README.md +2 -0
- data/lib/pg_reports/modules/system.rb +20 -9
- data/lib/pg_reports/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bbebda26a25f873ffa2bcaf1ec12864c8c191c23fa9b40bf926080638e3de262
|
|
4
|
+
data.tar.gz: 0431116a344855d38207e8b99a85f0d0bb1227fa15590259cbe8faace66befb3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e8da95a415b18d646a5fa10a798c3a7291ff79ec03b62b6c491892359ca6bf5fbf45fd055b7537a81d9bb0453a2df1af33881f7fb246e52c1089ab9390604a1f
|
|
7
|
+
data.tar.gz: 8d92af6481357ccae7f01a7c4ea13ace7c827d5bdc1c745d69af8ef45365c343fd7146cafade39f3edcaf83c5976947cd079b3398924ce06b9db2b6047b6b62a
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [0.5.2] - 2026-02-09
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- **pg_stat_statements detection no longer requires `pg_read_all_settings` role**:
|
|
15
|
+
- Changed `pg_stat_statements_preloaded?` to query pg_stat_statements directly instead of checking `shared_preload_libraries`
|
|
16
|
+
- Fixes permission denied errors in environments like CloudnativePG where regular users lack access to `shared_preload_libraries` setting
|
|
17
|
+
- Works seamlessly with Kubernetes PostgreSQL operators and managed databases with restricted permissions
|
|
18
|
+
- Improved error messages in `enable_pg_stat_statements!` method
|
|
19
|
+
|
|
10
20
|
## [0.5.1] - 2026-02-09
|
|
11
21
|
|
|
12
22
|
### Added
|
|
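Review bot: the new 0.5.2 "Fixed" entry says what was removed (the `shared_preload_libraries` lookup) but not the precondition that replaces it. Detection now succeeds only when the connecting role can SELECT from the `pg_stat_statements` view and the library is actually loaded, so a revoked SELECT on that view, a statement timeout on the probe, or a dropped connection will now report the extension as not preloaded instead of surfacing an error. One sentence stating that `pg_stat_statements_preloaded?` returns `false` on any query error would set expectations for operators debugging restricted environments.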
@@ -15,23 +25,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
15
25
|
- New config option `allow_raw_query_execution` (default: `false`)
|
|
16
26
|
- Environment variable support: `PG_REPORTS_ALLOW_RAW_QUERY_EXECUTION`
|
|
17
27
|
- Security documentation in README with examples and best practices
|
|
18
|
-
- Frontend UI: disabled buttons with tooltips when feature is off
|
|
19
|
-
- JavaScript validation in `executeQuery()` and `executeExplainAnalyze()` functions
|
|
20
28
|
- Configuration tests for new security setting
|
|
29
|
+
- **Hash-based Query Execution System** - prevents SQL injection and query tampering:
|
|
30
|
+
- Backend generates SHA256 hash for each query and stores in Rails.cache (1-hour TTL)
|
|
31
|
+
- Frontend sends only hash (not query text) to execution endpoints
|
|
32
|
+
- Backend retrieves and validates original query by hash
|
|
33
|
+
- Strict validation: only SELECT queries, no dangerous keywords, no multiple statements
|
|
34
|
+
- Cache failure handling with clear error messages
|
|
35
|
+
- Protection against nested SQL injection attempts
|
|
36
|
+
- **Enhanced Error Handling** - improved user feedback:
|
|
37
|
+
- Active warning messages instead of disabled buttons when feature is off
|
|
38
|
+
- Toast notifications with configuration instructions
|
|
39
|
+
- Detailed error messages in modal with code examples
|
|
40
|
+
- Clear messaging when Redis/cache backend is unavailable
|
|
21
41
|
|
|
22
42
|
### Changed
|
|
23
43
|
|
|
24
44
|
- **BREAKING CHANGE**: `execute_query` and `explain_analyze` endpoints now require explicit opt-in
|
|
25
45
|
- Both endpoints return 403 Forbidden when `allow_raw_query_execution` is `false` (default)
|
|
26
|
-
- Dashboard "Execute Query" and "EXPLAIN ANALYZE" buttons disabled by default
|
|
27
46
|
- To restore previous behavior, add to initializer: `config.allow_raw_query_execution = true`
|
|
28
47
|
- **Migration path**: Users must explicitly enable this feature if they were using Query Analyzer
|
|
48
|
+
- **UI/UX Improvements**:
|
|
49
|
+
- Query Analyzer modal size increased: width 600px→900px, height 80vh→90vh for better query visibility
|
|
50
|
+
- "EXPLAIN ANALYZE", "Execute Query", and "Create Migration" buttons now show active warnings when clicked (instead of being disabled)
|
|
51
|
+
- Warning messages include configuration instructions with code examples
|
|
52
|
+
- Better visual feedback for disabled features
|
|
53
|
+
- **Query Execution Flow**:
|
|
54
|
+
- `execute_query` and `explain_analyze` endpoints now accept `query_hash` parameter (instead of `query`)
|
|
55
|
+
- New helper methods: `store_query_with_hash()` and `retrieve_query_by_hash()`
|
|
56
|
+
- Frontend stores `data-query-hash` attribute on EXPLAIN ANALYZE buttons
|
|
57
|
+
- JavaScript validation happens client-side before API calls
|
|
29
58
|
|
|
30
59
|
### Security
|
|
31
60
|
|
|
32
|
-
- Raw SQL execution from dashboard is now **disabled by default** to prevent unauthorized data access
|
|
61
|
+
- **Critical Security Enhancement**: Raw SQL execution from dashboard is now **disabled by default** to prevent unauthorized data access
|
|
62
|
+
- **Query Tampering Prevention**: Frontend cannot modify queries - hash-based verification ensures query integrity
|
|
63
|
+
- **SQL Injection Protection**: Strict validation on backend prevents any non-SELECT queries or dangerous keywords
|
|
64
|
+
- **Multiple Statement Prevention**: Semicolon detection blocks SQL injection attempts with multiple statements
|
|
65
|
+
- **Cache Dependency**: Query execution temporarily disabled if Redis/cache backend is unavailable (fail-secure)
|
|
33
66
|
- Recommended setup: only enable in development/staging environments
|
|
34
|
-
- Existing safety measures (
|
|
67
|
+
- Existing safety measures (automatic LIMIT) still apply when enabled
|
|
35
68
|
|
|
36
69
|
## [0.5.0] - 2026-02-07
|
|
37
70
|
|
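Review bot: this hunk rewrites the already-published [0.5.1] entry inside the 0.5.2 release (adding the hash-based query execution system, the UI/UX and query-flow bullets and five Security bullets, and removing the "disabled buttons" lines), so a reader comparing the two versions cannot tell whether these changes shipped in 0.5.1 or 0.5.2; if they were in 0.5.1, say the entry was corrected after release, otherwise move them under [0.5.2]. Separately, "SQL Injection Protection: Strict validation ... prevents any non-SELECT queries or dangerous keywords" and "Multiple Statement Prevention: Semicolon detection" describe keyword and delimiter filtering, which is a defence-in-depth heuristic rather than a guarantee (a statement that begins with SELECT can still invoke functions with side effects, and the privileges of the database role are what actually bound the endpoint); wording these as mitigations and keeping "Recommended setup: only enable in development/staging environments" as the primary guidance would make the Security section accurate.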
data/README.md
CHANGED
|
@@ -277,6 +277,8 @@ For query analysis, you need to enable `pg_stat_statements`:
|
|
|
277
277
|
PgReports.enable_pg_stat_statements!
|
|
278
278
|
```
|
|
279
279
|
|
|
280
|
+
> **Note**: PgReports does **not** require the `pg_read_all_settings` role. It detects `pg_stat_statements` availability by directly querying the extension, making it compatible with CloudnativePG, managed databases, and other environments with restricted permissions.
|
|
281
|
+
|
|
280
282
|
## Report Object
|
|
281
283
|
|
|
282
284
|
Every method returns a `PgReports::Report` object:
|
|
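Review bot: the added README note should qualify what "directly querying the extension" needs. Any role can SELECT from `pg_stat_statements`, but without superuser or the `pg_read_all_stats` role the `query` column for other users' statements is returned as `<insufficient privilege>`, so detection works under CloudnativePG-style restricted roles while the query analysis reports built on top of it may still be incomplete. A sentence naming `pg_read_all_stats` as the role required for full query text, next to the statement that `pg_read_all_settings` is not required, would prevent support questions.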
@@ -25,14 +25,19 @@ module PgReports
|
|
|
25
25
|
result.first&.fetch("available", false) || false
|
|
26
26
|
end
|
|
27
27
|
|
|
28
|
-
# Check if pg_stat_statements is
|
|
28
|
+
# Check if pg_stat_statements is preloaded and functional
|
|
29
29
|
# @return [Boolean] Whether pg_stat_statements is preloaded
|
|
30
|
+
# @note This method tries to query pg_stat_statements directly instead of
|
|
31
|
+
# checking shared_preload_libraries, which requires pg_read_all_settings role
|
|
30
32
|
def pg_stat_statements_preloaded?
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
33
|
+
# If extension is not installed, it can't be preloaded
|
|
34
|
+
return false unless pg_stat_statements_available?
|
|
35
|
+
|
|
36
|
+
# Try to query pg_stat_statements - if it works, it's properly preloaded
|
|
37
|
+
executor.execute("SELECT 1 FROM pg_stat_statements LIMIT 1")
|
|
38
|
+
true
|
|
39
|
+
rescue
|
|
40
|
+
false
|
|
36
41
|
end
|
|
37
42
|
|
|
38
43
|
# Get pg_stat_statements status details
|
|
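Review bot: the bare `rescue` in `pg_stat_statements_preloaded?` catches every StandardError, so a dropped connection, a statement timeout or a revoked privilege on the view all become `false` and are indistinguishable from the library not being in `shared_preload_libraries`; rescue the adapter's statement error class and re-raise anything else, or at least log the exception message before returning `false`. Two more points on the probe: when the extension is installed but not preloaded, PostgreSQL raises `pg_stat_statements must be loaded via shared_preload_libraries` (SQLSTATE 55000, object_not_in_prerequisite_state), which is the specific condition this method exists to detect and could be matched explicitly; and if `executor.execute` runs inside an open transaction, the failed `SELECT 1 FROM pg_stat_statements LIMIT 1` leaves that transaction aborted, so callers such as `enable_pg_stat_statements!` should invoke this outside a transaction or inside a savepoint.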
@@ -94,14 +99,20 @@ module PgReports
|
|
|
94
99
|
executor.execute("CREATE EXTENSION IF NOT EXISTS pg_stat_statements")
|
|
95
100
|
|
|
96
101
|
# Verify it worked
|
|
97
|
-
if pg_stat_statements_available?
|
|
102
|
+
if pg_stat_statements_available? && pg_stat_statements_preloaded?
|
|
98
103
|
{success: true, message: "pg_stat_statements extension created successfully"}
|
|
99
|
-
|
|
104
|
+
elsif pg_stat_statements_available?
|
|
100
105
|
{
|
|
101
106
|
success: false,
|
|
102
|
-
message: "Extension created but not
|
|
107
|
+
message: "Extension created but not preloaded. Add 'pg_stat_statements' to shared_preload_libraries in postgresql.conf and restart PostgreSQL.",
|
|
103
108
|
requires_restart: true
|
|
104
109
|
}
|
|
110
|
+
else
|
|
111
|
+
{
|
|
112
|
+
success: false,
|
|
113
|
+
message: "Failed to create extension. Check database permissions.",
|
|
114
|
+
requires_restart: false
|
|
115
|
+
}
|
|
105
116
|
end
|
|
106
117
|
rescue => e
|
|
107
118
|
error_message = e.message
|
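Review bot: the new `else` branch is reached only when `CREATE EXTENSION IF NOT EXISTS pg_stat_statements` completed without raising and `pg_stat_statements_available?` still returned `false`, so its message "Failed to create extension. Check database permissions." points operators at the wrong cause: a permission failure would already have raised into the `rescue => e` block below. Either describe the actual condition (extension created without error but the availability check still reports it missing) or drop the branch. Minor: `pg_stat_statements_available?` is evaluated twice in the `if`/`elsif` chain; assign it once to a local and branch on that.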
data/lib/pg_reports/version.rb
CHANGED