query_console 0.2.6 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a47be0c8cd2c38f02425d2bbdd1a077c8dc2ca7903a336cf05bbc5d39042e86
-  data.tar.gz: e7f5487b5ea34bc21280d87181a5b74afcc4b12f9f592894801838bc84d82686
+  metadata.gz: 19231f63422842fbe797464f96c6208d308ec868d8cb19872cceabd32a132c1a
+  data.tar.gz: edeedcb088b35135eabb6b4a445b315832ce0a500424f7718d84300dcfb3e08d
 SHA512:
-  metadata.gz: b5987fca8610f57bc4f83eee25adb96bd073a72e2dbe34fc7e4c989d11281f89812c9d2d8ced545ee22a2f501e800ad2292e429b889c4194aedf5eb6ffa13e78
-  data.tar.gz: dc2f080870957fac2ac78a764036e843b3af76b6f2c85ce3385a14e2b9dc563312f7dac1defa1a757d36a6db3bf0633230b338a10c31b3f0f9326710cd47b58a
+  metadata.gz: be36ac0c732088e1fc1a683b435dc50597791fe5a46fe917c116de1464f34aa378f70701a09095a52bd677ee6b0b94f5fe758be4e302a1af0ae6d3697f5337a1
+  data.tar.gz: 9f5610145cb80d7557c5eb86f1655fb07483397e05616667a450a0b575ffd3c082728795b54c0db189a58dfe12bc46aeb46cdfa3d51ce33c20bbc6dd2321b513

data/app/controllers/query_console/queries_controller.rb

@@ -16,6 +16,27 @@ module QueryConsole
         return
       end
 
+      # SECURITY FIX: Server-side DML confirmation check
+      # Validate DML confirmation before execution
+      config = QueryConsole.configuration
+      if config.enable_dml
+        # Quick check if SQL contains DML keywords
+        normalized_sql = sql.strip.downcase
+        if normalized_sql.match?(/\A(insert|update|delete|merge)\b/)
+          # This is a DML query - require confirmation
+          unless params[:dml_confirmed] == 'true'
+            @result = Runner::QueryResult.new(
+              error: "DML query execution requires user confirmation. Please confirm the operation to proceed."
+            )
+            respond_to do |format|
+              format.turbo_stream { render turbo_stream: turbo_stream.replace("query-results", partial: "results", locals: { result: @result, is_dml: false }) }
+              format.html { render :_results, layout: false }
+            end
+            return
+          end
+        end
+      end
+
       # Execute the query
       runner = Runner.new(sql)
       @result = runner.execute

data/app/services/query_console/audit_logger.rb

@@ -39,17 +39,33 @@ module QueryConsole
     end
 
     def self.is_dml_query?(sql)
-      sql.to_s.strip.downcase.match?(/\A(insert|update|delete|merge)\b/)
+      normalized = sql.to_s.strip.downcase
+      # Check if it's a top-level DML query
+      is_top_level = normalized.match?(/\A(insert|update|delete|merge)\b/)
+      # SECURITY FIX: Also check for DML anywhere in the query (subqueries)
+      has_dml_anywhere = normalized.match?(/\b(insert|update|delete|merge)\b/)
+      
+      # Return true if DML detected anywhere (for audit purposes)
+      is_top_level || has_dml_anywhere
     end
 
     def self.determine_query_type(sql)
-      case sql.to_s.strip.downcase
+      normalized = sql.to_s.strip.downcase
+      
+      # SECURITY FIX: Check for DML anywhere in query, not just at start
+      # This ensures subquery DML is properly logged
+      if normalized.match?(/\b(insert|update|delete|merge)\b/)
+        # Determine which DML operation (prefer top-level, but detect any)
+        return "INSERT" if normalized.match?(/\binsert\b/)
+        return "UPDATE" if normalized.match?(/\bupdate\b/)
+        return "DELETE" if normalized.match?(/\bdelete\b/)
+        return "MERGE" if normalized.match?(/\bmerge\b/)
+      end
+      
+      # If no DML, check for SELECT/WITH
+      case normalized
       when /\Aselect\b/ then "SELECT"
       when /\Awith\b/ then "WITH"
-      when /\Ainsert\b/ then "INSERT"
-      when /\Aupdate\b/ then "UPDATE"
-      when /\Adelete\b/ then "DELETE"
-      when /\Amerge\b/ then "MERGE"
       else "UNKNOWN"
       end
     end

data/app/services/query_console/sql_validator.rb

@@ -67,11 +67,24 @@ module QueryConsole
       # Check for forbidden keywords
       normalized_query = sanitized.downcase
       
-      # Filter forbidden keywords based on DML enablement
-      effective_forbidden = if @config.enable_dml
-        @config.forbidden_keywords.reject { |kw| dml_keywords.include?(kw) || kw == 'replace' || kw == 'into' }
+      # SECURITY FIX: When DML is enabled, we still need to prevent DML in subqueries
+      # Only allow DML at the top level (start of query)
+      if @config.enable_dml
+        # Check if this is a top-level DML query
+        is_top_level_dml = normalized_start.match?(/\A(insert|update|delete|merge)\b/)
+        
+        # If DML keywords appear anywhere else (subqueries, CTEs), block them
+        if !is_top_level_dml && normalized_query.match?(/\b(insert|update|delete|merge)\b/)
+          return ValidationResult.new(
+            valid: false,
+            error: "DML keywords (INSERT, UPDATE, DELETE, MERGE) are not allowed in subqueries or WITH clauses"
+          )
+        end
+        
+        # Filter forbidden keywords - only remove DML from forbidden list for top-level queries
+        effective_forbidden = @config.forbidden_keywords.reject { |kw| dml_keywords.include?(kw) || kw == 'replace' || kw == 'into' }
       else
-        @config.forbidden_keywords
+        effective_forbidden = @config.forbidden_keywords
       end
       
       forbidden = effective_forbidden.find do |keyword|
@@ -86,7 +99,7 @@ module QueryConsole
         )
       end
 
-      # Detect if this is a DML query
+      # Detect if this is a DML query (top-level only)
       is_dml_query = sanitized.downcase.match?(/\A(insert|update|delete|merge)\b/)
 
       ValidationResult.new(valid: true, sanitized_sql: sanitized, is_dml: is_dml_query)

data/app/views/query_console/queries/new.html.erb

@@ -597,10 +597,19 @@
         form.method = 'POST'
         form.action = '<%= run_path %>'
         form.setAttribute('data-turbo-frame', 'query-results')
-        form.innerHTML = `
+        
+        // SECURITY FIX: Add dml_confirmed parameter for server-side verification
+        let formHTML = `
           <input type="hidden" name="sql" value="${this.escapeHtml(sql)}">
           <input type="hidden" name="authenticity_token" value="${document.querySelector('meta[name=csrf-token]').content}">
         `
+        
+        // If DML query was confirmed, add confirmation parameter
+        if (this.isDmlQuery(sql)) {
+          formHTML += `<input type="hidden" name="dml_confirmed" value="true">`
+        }
+        
+        form.innerHTML = formHTML
         document.body.appendChild(form)
         form.requestSubmit()
         document.body.removeChild(form)
@@ -790,7 +799,7 @@
           history.map((item, index) => `
             <li data-action="click->history#load" data-index="${index}">
               <div style="font-size: 12px; color: #6c757d;">${new Date(item.timestamp).toLocaleString()}</div>
-              <div style="font-size: 13px; margin-top: 4px;">${this.truncate(item.sql, 100)}</div>
+              <div style="font-size: 13px; margin-top: 4px;">${this.escapeHtml(this.truncate(item.sql, 100))}</div>
             </li>
           `).join('') :
           '<li style="color: #6c757d; text-align: center; padding: 20px;">No query history</li>'
@@ -830,6 +839,13 @@
         localStorage.setItem(this.storageKeyValue, JSON.stringify(history))
       }
       
+      // SECURITY FIX: Escape HTML to prevent XSS
+      escapeHtml(text) {
+        const div = document.createElement('div')
+        div.textContent = text
+        return div.innerHTML
+      }
+      
       truncate(str, length) {
         return str.length > length ? str.substring(0, length) + '...' : str
       }

data/lib/query_console/version.rb

@@ -1,3 +1,3 @@
 module QueryConsole
-  VERSION = "0.2.6"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: query_console
 version: !ruby/object:Gem::Version
-  version: 0.2.6
+  version: 0.3.0
 platform: ruby
 authors:
 - Johnson Gnanasekar