pghero 3.0.1 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 955b2f0edab155c06ade561b2af26b0d706dfab70380771f838ae81f1bd74fb5
-  data.tar.gz: fb5465a01d42913c74198299db7b42f3a8f35562ac8ba358a30c7e81bb1a3c1c
+  metadata.gz: eb0dc9f78c0e8095569b48f1d6d48235238ea92efa8a94326f97639d2fa30d38
+  data.tar.gz: 452e6f781c32bcb4d6b68a6b4bda62425023587c7779a88f34c0905b09ac93c9
 SHA512:
-  metadata.gz: 2bc793666bab662f974b20a4c05e5e99513af633cbd50eeed584bef4dd21ad77b01a2d36410f8456f78b3cf7e1296ffca3165e590e6d90113224acde543b4546
-  data.tar.gz: 5a1df4a76599ecc98fdc86f62553eef161a407d4ef84ccf4a2c7edfd50918284d336857a8fd5e0a3d9ae0bf6e4c826416c65572b29403c0e63e89f41f10b413f
+  metadata.gz: f22dc29263e1b6d7c008747bc6907dd125d3d8f53141c4ad030d6acd19ef0d501abeb1db148f190115ad99d4c6a6910cbb7d4b1239a14b77c8a838ae204beb17
+  data.tar.gz: 628a7ffcafd87be24626ffdd171fb4c00a77367548b6e47693cd18265177918a774f8ac02af4c27c15dfc712b41fc88c50269777b868eab412ecc954d6442fd5

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 3.1.0 (2023-01-04)
+
+- Fixed explain error message leaking data - [more info](https://github.com/ankane/pghero/issues/439)
+- Explain analyze is now opt-in - [more info](https://github.com/ankane/pghero/issues/438)
+- Added support for disabling explain and explain analyze
+- Added support for visualize without explain analyze
+- Added `explain_v2` method
+
 ## 3.0.1 (2022-10-09)
 
 - Fixed message when database user does not have permission to reset query stats

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2014-2022 Andrew Kane, 2008-2014 Heroku (initial queries)
+Copyright (c) 2014-2023 Andrew Kane, 2008-2014 Heroku (initial queries)
 
 MIT License
 

data/app/controllers/pg_hero/home_controller.rb

@@ -263,30 +263,57 @@ module PgHero
     end
 
     def explain
+      unless @explain_enabled
+        render_text "Explain not enabled", status: :bad_request
+        return
+      end
+
       @title = "Explain"
       @query = params[:query]
+      @explain_analyze_enabled = PgHero.explain_mode == "analyze"
+
       # TODO use get + token instead of post so users can share links
       # need to prevent CSRF and DoS
-      if request.post? && @query
+      if request.post? && @query.present?
         begin
-          prefix =
+          explain_options =
             case params[:commit]
             when "Analyze"
-              "ANALYZE "
+              {analyze: true}
             when "Visualize"
-              "(ANALYZE, COSTS, VERBOSE, BUFFERS, FORMAT JSON) "
+              if @explain_analyze_enabled
+                {analyze: true, costs: true, verbose: true, buffers: true, format: "json"}
+              else
+                {costs: true, verbose: true, format: "json"}
+              end
             else
-              ""
+              {}
             end
-          @explanation = @database.explain("#{prefix}#{@query}")
+
+          if explain_options[:analyze] && !@explain_analyze_enabled
+            render_text "Explain analyze not enabled", status: :bad_request
+            return
+          end
+
+          @explanation = @database.explain_v2(@query, **explain_options)
           @suggested_index = @database.suggested_indexes(queries: [@query]).first if @database.suggested_indexes_enabled?
           @visualize = params[:commit] == "Visualize"
         rescue ActiveRecord::StatementInvalid => e
-          @error = e.message
-
-          if @error.include?("bind message supplies 0 parameters")
-            @error = "Can't explain queries with bind parameters"
-          end
+          message = e.message
+          @error =
+            if message == "Unsafe statement"
+              "Unsafe statement"
+            elsif message.start_with?("PG::ProtocolViolation: ERROR:  bind message supplies 0 parameters")
+              "Can't explain queries with bind parameters"
+            elsif message.start_with?("PG::SyntaxError")
+              "Syntax error with query"
+            elsif message.start_with?("PG::QueryCanceled")
+              "Query timed out"
+            else
+              # default to a generic message
+              # since data can be extracted through the Postgres error message
+              "Error explaining query"
+            end
         end
       end
     end
@@ -409,6 +436,7 @@ module PgHero
       @query_stats_enabled = @database.query_stats_enabled?
       @system_stats_enabled = @database.system_stats_enabled?
       @replica = @database.replica?
+      @explain_enabled = PgHero.explain_enabled?
     end
 
     def set_suggested_indexes(min_average_time = 0, min_calls = 0)

data/app/views/layouts/pg_hero/application.html.erb

@@ -48,7 +48,9 @@
             <% unless @database.replica? %>
               <li class="<%= controller.action_name == "maintenance" ? "active" : "" %>"><%= link_to "Maintenance", maintenance_path %></li>
             <% end %>
-            <li class="<%= controller.action_name == "explain" ? "active" : "" %>"><%= link_to "Explain", explain_path %></li>
+            <% if @explain_enabled %>
+              <li class="<%= controller.action_name == "explain" ? "active" : "" %>"><%= link_to "Explain", explain_path %></li>
+            <% end %>
             <li class="<%= controller.action_name == "tune" ? "active" : "" %>"><%= link_to "Tune", tune_path %></li>
           </ul>
 

data/app/views/pg_hero/home/explain.html.erb

@@ -5,7 +5,9 @@
     <div class="field"><%= text_area_tag :query, @query, placeholder: "Enter a SQL query" %></div>
     <p>
       <%= submit_tag "Explain", class: "btn btn-info", style: "margin-right: 10px;" %>
-      <%= submit_tag "Analyze", class: "btn btn-danger", style: "margin-right: 10px;" %>
+      <% if @explain_analyze_enabled %>
+        <%= submit_tag "Analyze", class: "btn btn-danger", style: "margin-right: 10px;" %>
+      <% end %>
       <%= submit_tag "Visualize", class: "btn btn-danger" %>
     </p>
   <% end %>

data/app/views/pg_hero/home/show_query.html.erb

@@ -4,7 +4,7 @@
     highlightQueries()
   </script>
 
-  <% if @explainable_query %>
+  <% if @explain_enabled && @explainable_query %>
     <p>
       <%= button_to "Explain", explain_path, params: {query: @explainable_query}, form: {target: "_blank"}, class: "btn btn-info" %>
     </p>

data/lib/generators/pghero/templates/config.yml.tt

@@ -24,6 +24,9 @@ databases:
 # Minimum connections for high connections warning
 # total_connections_threshold: 500
 
+# Explain functionality
+# explain: true / false / analyze
+
 # Statement timeout for explain
 # explain_timeout_sec: 10
 

data/lib/pghero/methods/explain.rb

@@ -1,6 +1,8 @@
 module PgHero
   module Methods
     module Explain
+      # TODO remove in 4.0
+      # note: this method is not affected by the explain option
       def explain(sql)
         sql = squish(sql)
         explanation = nil
@@ -16,6 +18,23 @@ module PgHero
         explanation
       end
 
+      # TODO rename to explain in 4.0
+      # note: this method is not affected by the explain option
+      def explain_v2(sql, analyze: nil, verbose: nil, costs: nil, settings: nil, buffers: nil, wal: nil, timing: nil, summary: nil, format: "text")
+        options = []
+        add_explain_option(options, "ANALYZE", analyze)
+        add_explain_option(options, "VERBOSE", verbose)
+        add_explain_option(options, "SETTINGS", settings)
+        add_explain_option(options, "COSTS", costs)
+        add_explain_option(options, "BUFFERS", buffers)
+        add_explain_option(options, "WAL", wal)
+        add_explain_option(options, "TIMING", timing)
+        add_explain_option(options, "SUMMARY", summary)
+        options << "FORMAT #{explain_format(format)}"
+
+        explain("(#{options.join(", ")}) #{sql}")
+      end
+
       private
 
       def explain_safe?
@@ -24,6 +43,21 @@ module PgHero
       rescue ActiveRecord::StatementInvalid
         true
       end
+
+      def add_explain_option(options, name, value)
+        unless value.nil?
+          options << "#{name}#{value ? "" : " FALSE"}"
+        end
+      end
+
+      # important! validate format to prevent injection
+      def explain_format(format)
+        if ["text", "xml", "json", "yaml"].include?(format)
+          format.upcase
+        else
+          raise ArgumentError, "Unknown format"
+        end
+      end
     end
   end
 end

data/lib/pghero/methods/query_stats.rb

@@ -226,6 +226,7 @@ module PgHero
             )
             SELECT
               query,
+              query AS explainable_query,
               query_hash,
               query_stats.user,
               total_minutes,
@@ -243,7 +244,7 @@ module PgHero
           # we may be able to skip query_columns
           # in more recent versions of Postgres
           # as pg_stat_statements should be already normalized
-          select_all(query, query_columns: [:query])
+          select_all(query, query_columns: [:query, :explainable_query])
         else
           raise NotEnabled, "Query stats not enabled"
         end

data/lib/pghero/version.rb

@@ -1,3 +1,3 @@
 module PgHero
-  VERSION = "3.0.1"
+  VERSION = "3.1.0"
 end

data/lib/pghero.rb

@@ -91,6 +91,16 @@ module PgHero
       @stats_database_url ||= (file_config || {})["stats_database_url"] || ENV["PGHERO_STATS_DATABASE_URL"]
     end
 
+    # private
+    def explain_enabled?
+      explain_mode.nil? || explain_mode == true || explain_mode == "analyze"
+    end
+
+    # private
+    def explain_mode
+      @config["explain"]
+    end
+
     def visualize_url
       @visualize_url ||= config["visualize_url"] || ENV["PGHERO_VISUALIZE_URL"] || "https://tatiyants.com/pev/#/plans/new"
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pghero
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 3.1.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-10 00:00:00.000000000 Z
+date: 2023-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -123,7 +123,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: A performance dashboard for Postgres