pghero 2.6.0 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7334e516c44c91605f37b8fd22b57a46b147cfe4191796e48624e8a15b45ca0
-  data.tar.gz: 1235c0626b5a7f2061f2bcfce062d4716f3de7a5c198aeed489eaf9d0c7549c0
+  metadata.gz: 38e408389854af6f5a2a71ee70bc3d66c257a299b1a1fec255c279819db00482
+  data.tar.gz: 2f492cf50fd99032ec9ac9cfd03df70ef5c4d45ea55a0c14a5c608102b5aa106
 SHA512:
-  metadata.gz: 52944fa0d91437a0fd42dc4e8705a4f833a3d60937748f1cbffd03aa9471af8ce2e30db7645c419590696dcbbe0e700941b838216ae3da7a5bc211f0067188a5
-  data.tar.gz: 8ff19581f7245ebc804ef49af131c9f6eca5ed8110b878ccb8e1b15cf94c2951d88e4329e1565145e03b21c63e3798be400dc74b2655c7489dca75ba9ca4aec5
+  metadata.gz: edc72b96fb3c766f41682c22aa2287a99c610435687794d0a09395821a129709b0e464f7e9031d43cac7a6d1bc334cb419885dc32b87d9d4e58a75d810c3ba30
+  data.tar.gz: a4ad92136153cb3f607bddb0b289d3c180a6a653f7a6eac9b47ca6fe7fa04626923f7b84e80951577c9a94314c2487ac7dccb4cdd5f2483a3076473893bac13e

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2.7.0 (2020-08-04)
+
+- Fixed CSRF vulnerability with non-session based authentication
+- Added `database`, `user`, and `query_hash` options to `reset_query_stats` method
+
 ## 2.6.0 (2020-07-09)
 
 - Added support for Postgres 13 beta 2

data/app/controllers/pg_hero/home_controller.rb

@@ -2,7 +2,7 @@ module PgHero
   class HomeController < ActionController::Base
     layout "pg_hero/application"
 
-    protect_from_forgery
+    protect_from_forgery with: :exception
 
     http_basic_authenticate_with name: PgHero.username, password: PgHero.password if PgHero.password
 

data/lib/pghero.rb

@@ -196,13 +196,13 @@ module PgHero
     # stats for old databases are not cleaned up since we can't use an index
     def clean_query_stats
       each_database do |database|
-        PgHero::QueryStats.where(database: database.id).where("captured_at < ?", 14.days.ago).delete_all
+        database.clean_query_stats
       end
     end
 
     def clean_space_stats
       each_database do |database|
-        PgHero::SpaceStats.where(database: database.id).where("captured_at < ?", 90.days.ago).delete_all
+        database.clean_space_stats
       end
     end
 

data/lib/pghero/methods/basic.rb

@@ -18,6 +18,10 @@ module PgHero
         select_one("SELECT current_database()")
       end
 
+      def current_user
+        select_one("SELECT current_user")
+      end
+
       def server_version
         @server_version ||= select_one("SHOW server_version")
       end

data/lib/pghero/methods/query_stats.rb

@@ -56,8 +56,46 @@ module PgHero
         true
       end
 
-      def reset_query_stats(raise_errors: false)
-        execute("SELECT pg_stat_statements_reset()")
+      # TODO scope by database in PgHero 3.0
+      # (add database: database_name to options)
+      def reset_query_stats(**options)
+        reset_instance_query_stats(**options)
+      end
+
+      # resets query stats for the entire instance
+      # it's possible to reset stats for a specific
+      # database, user or query hash in Postgres 12+
+      def reset_instance_query_stats(database: nil, user: nil, query_hash: nil, raise_errors: false)
+        if database || user || query_hash
+          raise PgHero::Error, "Requires PostgreSQL 12+" if server_version_num < 120000
+
+          if database
+            database_id = execute("SELECT oid FROM pg_database WHERE datname = #{quote(database)}").first.try(:[], "oid")
+            raise PgHero::Error, "Database not found: #{database}" unless database_id
+          else
+            database_id = 0
+          end
+
+          if user
+            user_id = execute("SELECT usesysid FROM pg_user WHERE usename = #{quote(user)}").first.try(:[], "usesysid")
+            raise PgHero::Error, "User not found: #{user}" unless user_id
+          else
+            user_id = 0
+          end
+
+          if query_hash
+            query_id = query_hash.to_i
+            # may not be needed
+            # but not intuitive that all query hashes are reset with 0
+            raise PgHero::Error, "Invalid query hash: #{query_hash}" if query_id == 0
+          else
+            query_id = 0
+          end
+
+          execute("SELECT pg_stat_statements_reset(#{quote(user_id.to_i)}, #{quote(database_id.to_i)}, #{quote(query_id.to_i)})")
+        else
+          execute("SELECT pg_stat_statements_reset()")
+        end
         true
       rescue ActiveRecord::StatementInvalid => e
         raise e if raise_errors
@@ -104,31 +142,32 @@ module PgHero
           query_stats[database_id] = query_stats(limit: 1000000, database: database_name)
         end
 
-        supports_query_hash = supports_query_hash?
+        query_stats = query_stats.select { |_, v| v.any? }
 
-        if query_stats.any? { |_, v| v.any? } && reset_query_stats(raise_errors: raise_errors)
+        # nothing to do
+        return if query_stats.empty?
+
+        # use mapping, not query stats here
+        # TODO add option for this, and make default in PgHero 3.0
+        if false # mapping.size == 1 && server_version_num >= 120000
           query_stats.each do |db_id, db_query_stats|
-            if db_query_stats.any?
-              values =
-                db_query_stats.map do |qs|
-                  [
-                    db_id,
-                    qs[:query],
-                    qs[:total_minutes] * 60 * 1000,
-                    qs[:calls],
-                    now,
-                    supports_query_hash ? qs[:query_hash] : nil,
-                    qs[:user]
-                  ]
-                end
-
-              columns = %w[database query total_time calls captured_at query_hash user]
-              insert_stats("pghero_query_stats", columns, values)
+            if reset_query_stats(database: mapping[db_id], raise_errors: raise_errors)
+              insert_query_stats(db_id, db_query_stats, now)
+            end
+          end
+        else
+          if reset_query_stats(raise_errors: raise_errors)
+            query_stats.each do |db_id, db_query_stats|
+              insert_query_stats(db_id, db_query_stats, now)
             end
           end
         end
       end
 
+      def clean_query_stats
+        PgHero::QueryStats.where(database: id).where("captured_at < ?", 14.days.ago).delete_all
+      end
+
       def slow_queries(query_stats: nil, **options)
         query_stats ||= self.query_stats(options)
         query_stats.select { |q| q[:calls].to_i >= slow_query_calls.to_i && q[:average_time].to_f >= slow_query_ms.to_f }
@@ -287,6 +326,24 @@ module PgHero
       def normalize_query(query)
         squish(query.to_s.gsub(/\?(, ?\?)+/, "?").gsub(/\/\*.+?\*\//, ""))
       end
+
+      def insert_query_stats(db_id, db_query_stats, now)
+        values =
+          db_query_stats.map do |qs|
+            [
+              db_id,
+              qs[:query],
+              qs[:total_minutes] * 60 * 1000,
+              qs[:calls],
+              now,
+              supports_query_hash? ? qs[:query_hash] : nil,
+              qs[:user]
+            ]
+          end
+
+        columns = %w[database query total_time calls captured_at query_hash user]
+        insert_stats("pghero_query_stats", columns, values)
+      end
     end
   end
 end

data/lib/pghero/methods/space.rb

@@ -129,6 +129,10 @@ module PgHero
         insert_stats("pghero_space_stats", columns, values) if values.any?
       end
 
+      def clean_space_stats
+        PgHero::SpaceStats.where(database: id).where("captured_at < ?", 90.days.ago).delete_all
+      end
+
       def space_stats_enabled?
         table_exists?("pghero_space_stats")
       end

data/lib/pghero/version.rb

@@ -1,3 +1,3 @@
 module PgHero
-  VERSION = "2.6.0"
+  VERSION = "2.7.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pghero
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-09 00:00:00.000000000 Z
+date: 2020-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord