query_guard 0.4.1 → 0.5.0

data/lib/query_guard/exporter.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+require "uri"
+require "securerandom"
+require "digest"
+
+module QueryGuard
+  class Exporter
+    def initialize(config)
+      @config = config
+    end
+
+    def enabled?
+      @config.base_url && @config.api_key && @config.project
+    end
+
+    def export!(stats)
+      return unless enabled?
+
+      payload = build_payload(stats)
+      return if payload[:events].empty?
+
+      if @config.export_mode.to_sym == :async
+        Thread.new { post(payload) }
+      else
+        post(payload)
+      end
+    end
+
+    private
+
+    def build_payload(stats)
+      events = []
+
+      # Query events
+      if @config.export_queries.to_sym == :all
+        stats.fetch(:queries, []).each do |q|
+          events << {
+            type: "query",
+            statement: q[:sql],
+            durationMs: q[:duration_ms],
+            timestamp: q[:occurred_at],
+            originApp: @config.origin_app,
+            fingerprint: fingerprint(q[:sql]),
+            metadata: stats[:request] || {}
+          }
+        end
+      end
+
+      # Threat events from violations
+      stats.fetch(:violations, []).each do |v|
+        events << violation_to_threat(v, stats)
+      end
+
+      {
+        projectId: @config.project,
+        events: events.compact
+      }
+    end
+
+    def fingerprint(sql)
+      # cheap “normalized” hash
+      normalized = sql.to_s.gsub(/\s+/, " ").strip
+      Digest::SHA1.hexdigest(normalized)
+    end
+
+    def violation_to_threat(v, stats)
+      case v[:type]&.to_sym
+      when :slow_query
+        {
+          type: "threat",
+          severity: "medium",
+          threatType: "SlowQuery",
+          description: "Slow query #{v[:duration_ms]}ms",
+          timestamp: Time.now.utc.iso8601,
+          originApp: @config.origin_app,
+          metadata: {
+            sql: v[:sql],
+            request: stats[:request] || {}
+          }
+        }
+      when :select_star
+        {
+          type: "threat",
+          severity: "low",
+          threatType: "SelectStar",
+          description: "SELECT * detected",
+          timestamp: Time.now.utc.iso8601,
+          originApp: @config.origin_app,
+          metadata: {
+            sql: v[:sql],
+            request: stats[:request] || {}
+          }
+        }
+      when :too_many_queries
+        {
+          type: "threat",
+          severity: "high",
+          threatType: "TooManyQueries",
+          description: "Query count #{v[:count]} exceeded limit #{v[:limit]}",
+          timestamp: Time.now.utc.iso8601,
+          originApp: @config.origin_app,
+          metadata: { request: stats[:request] || {} }
+        }
+      end
+    end
+
+    def post(payload)
+      uri = URI.join(@config.base_url.to_s, "/api/v1/events")
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = (uri.scheme == "https")
+      req = Net::HTTP::Post.new(uri.request_uri)
+      req["Content-Type"] = "application/json"
+      req["Authorization"] = "Bearer #{@config.api_key}"
+      req.body = JSON.generate(payload)
+      http.request(req)
+    rescue => e
+      # Don’t crash the app if monitoring fails
+      warn "#{@config.log_prefix} export failed: #{e.class}: #{e.message}"
+    end
+  end
+end

data/lib/query_guard/fingerprint.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+require "digest"
+
+module QueryGuard
+  # SQL fingerprinting and statistics module.
+  # Normalizes SQL queries and tracks per-fingerprint statistics.
+  module Fingerprint
+    class << self
+      # Generate a stable fingerprint for a SQL query by:
+      # - Normalizing whitespace
+      # - Replacing string literals with ?
+      # - Replacing numeric literals with ?
+      # - Replacing IN (...) lists with IN (?)
+      # Returns a SHA1 hash of the normalized query
+      def generate(sql)
+        normalized = normalize(sql)
+        Digest::SHA1.hexdigest(normalized)
+      end
+
+      # Normalize SQL by removing all literals and standardizing whitespace
+      def normalize(sql)
+        s = sql.to_s.dup
+        
+        # Replace string literals (both single and double quotes)
+        s.gsub!(/'(?:''|[^'])*'/, "?")
+        s.gsub!(/"(?:""|[^"])*"/, "?")
+        
+        # Replace numeric literals (integers and floats)
+        s.gsub!(/\b\d+\.?\d*\b/, "?")
+        
+        # Replace IN (...) with IN (?)
+        s.gsub!(/IN\s*\([^)]+\)/i, "IN (?)")
+        
+        # Normalize whitespace
+        s.gsub!(/\s+/, " ")
+        
+        s.strip.downcase
+      end
+
+      # Get or initialize the stats store for the current process
+      def stats
+        @stats ||= Hash.new do |h, fp|
+          h[fp] = {
+            count: 0,
+            total_duration_ms: 0.0,
+            min_duration_ms: Float::INFINITY,
+            max_duration_ms: 0.0,
+            first_seen_at: Time.now,
+            last_seen_at: Time.now
+          }
+        end
+      end
+
+      # Record a query execution
+      def record(sql, duration_ms)
+        fp = generate(sql)
+        stat = stats[fp]
+        
+        stat[:count] += 1
+        stat[:total_duration_ms] += duration_ms
+        stat[:min_duration_ms] = [stat[:min_duration_ms], duration_ms].min
+        stat[:max_duration_ms] = [stat[:max_duration_ms], duration_ms].max
+        stat[:last_seen_at] = Time.now
+        
+        fp
+      end
+
+      # Get stats for a specific fingerprint
+      def stats_for(fingerprint)
+        stats[fingerprint]
+      end
+
+      # Get all fingerprints sorted by frequency
+      def top_by_count(limit = 10)
+        stats.sort_by { |_fp, s| -s[:count] }.first(limit).to_h
+      end
+
+      # Get all fingerprints sorted by total duration
+      def top_by_duration(limit = 10)
+        stats.sort_by { |_fp, s| -s[:total_duration_ms] }.first(limit).to_h
+      end
+
+      # Get all fingerprints sorted by average duration
+      def top_by_avg_duration(limit = 10)
+        stats.sort_by { |_fp, s| 
+          s[:count] > 0 ? -(s[:total_duration_ms] / s[:count]) : 0
+        }.first(limit).to_h
+      end
+
+      # Reset all stats (useful for testing)
+      def reset!
+        @stats = nil
+      end
+    end
+  end
+end

data/lib/query_guard/middleware.rb

@@ -1,24 +1,63 @@
 # frozen_string_literal: true
+require "securerandom"
+require "query_guard/security"
+
 module QueryGuard
   class Error < StandardError; end
 
   class Middleware
+    class BodyProxy
+      def initialize(body, stats)
+        @body = body
+        @stats = stats
+      end
+
+      def each
+        @body.each do |chunk|
+          @stats[:response_bytes] += chunk.to_s.bytesize
+          yield chunk
+        end
+      end
+
+      def close
+        @body.close if @body.respond_to?(:close)
+      end
+    end
+
     def initialize(app, config)
       @app = app
       @config = config
     end
 
     def call(env)
-      unless @config.enabled?(rails_env)
-        return @app.call(env)
-      end
+      return @app.call(env) unless @config.enabled?(rails_env)
 
-      Thread.current[:query_guard_stats] = { count: 0, total_duration_ms: 0.0, violations: [] }
+      # Initialize new Context for this request
+      context = Core::Context.new
+      Thread.current[:query_guard_context] = context
+      
+      # Legacy: Also initialize old stats hash for backward compatibility
+      Thread.current[:query_guard_stats] = { 
+        count: 0, 
+        total_duration_ms: 0.0, 
+        violations: [],
+        response_bytes: 0 
+      }
 
       status, headers, body = @app.call(env)
-      check_and_report!
-      [status, headers, body]
+      
+      # Wrap body to track response bytes
+      proxied_body = BodyProxy.new(body, Thread.current[:query_guard_stats])
+      
+      # Run all registered analyzers
+      findings = @config.analyzer_registry.analyze(context, @config)
+      
+      # Check and report findings
+      check_and_report!(context, findings)
+      
+      [status, headers, proxied_body]
     ensure
+      Thread.current[:query_guard_context] = nil
       Thread.current[:query_guard_stats] = nil
     end
 
@@ -40,20 +79,48 @@ module QueryGuard
       end
     end
 
-    def check_and_report!
+    def check_and_report!(context, findings)
+      # Check findings and legacy stats for backward compatibility
       stats = Thread.current[:query_guard_stats] || { count: 0, violations: [] }
-      violations = stats[:violations].dup
+      legacy_violations = stats[:violations].dup
 
-      if @config.max_queries_per_request && stats[:count] > @config.max_queries_per_request
-        violations << { type: :too_many_queries, count: stats[:count], limit: @config.max_queries_per_request }
+      return if findings.empty? && legacy_violations.empty?
+
+      # Log all findings
+      findings.each do |finding|
+        message = format_finding_message(finding)
+        logger.warn(message)
+      end
+
+      # Log legacy violations for compatibility
+      legacy_violations.each do |v|
+        message = format_legacy_message(v, stats)
+        logger.warn(message)
       end
 
-      return if violations.empty?
+      # Raise if configured
+      if @config.raise_on_violation && (!findings.empty? || !legacy_violations.empty?)
+        message = format_summary_message(findings, stats)
+        raise QueryGuard::Error, message
+      end
+    end
 
-      message = format_message(stats, violations)
-      logger.warn(message)
+    def format_finding_message(finding)
+      "#{@config.log_prefix} [#{finding.severity.upcase}] #{finding.analyzer_name}:#{finding.rule_name} - #{finding.message}"
+    end
 
-      raise QueryGuard::Error, message if @config.raise_on_violation
+    def format_legacy_message(v, stats)
+      details = case v[:type]
+                when :too_many_queries
+                  "too_many_queries: count=#{v[:count]} limit=#{v[:limit]}"
+                when :slow_query
+                  "slow_query: #{v[:duration_ms]}ms SQL=#{truncate_sql(v[:sql])}"
+                when :select_star
+                  "select_star: SQL=#{truncate_sql(v[:sql])}"
+                else
+                  v[:type].to_s
+                end
+      "#{@config.log_prefix} queries=#{stats[:count]} total_ms=#{stats[:total_duration_ms].round(2)} | #{details}"
     end
 
     def format_message(stats, violations)
@@ -65,12 +132,31 @@ module QueryGuard
           "slow_query: #{v[:duration_ms]}ms SQL=#{truncate_sql(v[:sql])}"
         when :select_star
           "select_star: SQL=#{truncate_sql(v[:sql])}"
+        when :sql_injection_suspected
+          "sql_injection_suspected: SQL=#{truncate_sql(v[:sql])}"
+        when :possible_data_exfiltration_query
+          "possible_exfiltration_query: SQL=#{truncate_sql(v[:sql])}"
+        when :data_exfiltration_large_response
+          "data_exfiltration_large_response: bytes=#{v[:bytes]} limit=#{v[:limit]} path=#{v[:path]}"
+        when :data_exfiltration_suspected_export
+          "data_exfiltration_suspected_export: bytes=#{v[:bytes]} path=#{v[:path]}"
+        when :unusual_query_rate
+          "unusual_query_rate: actor=#{v[:actor]} per_min=#{v[:per_minute]} limit=#{v[:limit]}"
+        when :unusual_query_variety
+          "unusual_query_variety: actor=#{v[:actor]} uniq_fp_per_min=#{v[:unique_fingerprints_per_minute]} limit=#{v[:limit]}"
+        when :mass_assignment_unpermitted_params
+          "mass_assignment_unpermitted: keys=#{v[:keys].join(',')} sensitive=#{v[:sensitive_keys].join(',')}"
         else
           v[:type].to_s
         end
       end.join(" | ")
 
-      "#{@config.log_prefix} queries=#{stats[:count]} total_ms=#{stats[:total_duration_ms].round(2)} | #{details}"
+      "#{@config.log_prefix} queries=#{stats[:count]} total_ms=#{stats[:total_duration_ms].round(2)} resp_bytes=#{stats[:response_bytes]} | #{details}"
+    end
+
+    def format_summary_message(findings, stats)
+      details = findings.map { |f| "#{f.analyzer_name}:#{f.rule_name}" }.join(", ")
+      "#{@config.log_prefix} violations: #{details}"
     end
 
     def truncate_sql(sql, max = 200)

data/lib/query_guard/migrations/database_adapter.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module QueryGuard
+  module Migrations
+    # Abstract interface for database metadata adapters.
+    #
+    # Adapters implement this interface to provide table metadata
+    # (row counts, lock behavior, etc.) from different database systems.
+    #
+    # Example:
+    #   adapter = PostgreSQLAdapter.new(connection)
+    #   rows = adapter.estimate_table_rows(:users)
+    #
+    # Adapters should:
+    # 1. Handle connection failures gracefully
+    # 2. Return nil or empty hash if data unavailable
+    # 3. Cache results where possible
+    # 4. Never raise exceptions during metadata queries
+    class DatabaseAdapter
+      # Get estimated row count for a table
+      #
+      # @param table_name [String, Symbol] Name of the table
+      # @return [Integer, nil] Estimated number of rows, or nil if unavailable
+      def estimate_table_rows(table_name)
+        raise NotImplementedError, "Subclasses must implement estimate_table_rows"
+      end
+
+      # Get lock impact estimate for a table
+      #
+      # Scores table's lock risk based on size and activity.
+      # Based on PostgreSQL's vacuum and maintenance overhead.
+      #
+      # @param table_name [String, Symbol] Name of the table
+      # @return [Symbol, nil] Risk level: :low, :medium, :high, :critical
+      def estimate_lock_risk(table_name)
+        raise NotImplementedError, "Subclasses must implement estimate_lock_risk"
+      end
+
+      # Check if table exists in database
+      #
+      # @param table_name [String, Symbol] Name of the table
+      # @return [Boolean] True if table exists
+      def table_exists?(table_name)
+        raise NotImplementedError, "Subclasses must implement table_exists?"
+      end
+
+      # Get all table names in current schema
+      #
+      # @return [Array<String>] List of table names
+      def list_tables
+        raise NotImplementedError, "Subclasses must implement list_tables"
+      end
+
+      # Check if connection is healthy
+      #
+      # @return [Boolean] True if adapter can query database
+      def connected?
+        raise NotImplementedError, "Subclasses must implement connected?"
+      end
+    end
+
+    # NoOp adapter that always returns unavailable
+    #
+    # Used when no database connection is configured.
+    # Gracefully disables database-aware analysis.
+    class NullDatabaseAdapter < DatabaseAdapter
+      def estimate_table_rows(table_name)
+        nil
+      end
+
+      def estimate_lock_risk(table_name)
+        nil
+      end
+
+      def table_exists?(table_name)
+        false
+      end
+
+      def list_tables
+        []
+      end
+
+      def connected?
+        false
+      end
+    end
+  end
+end

data/lib/query_guard/migrations/migration_analyzer.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module QueryGuard
+  module Migrations
+    # Migration risk analyzer - scans Rails migration files for risky patterns.
+    # Searches for dangerous operations like:
+    # - Index additions without algorithm: :concurrently
+    # - Column removals/type changes
+    # - Non-NULL additions without defaults
+    # - Full-table updates
+    # - Unsafe raw SQL
+    #
+    # Optionally integrates with database metadata for table-size-aware risk estimation.
+    #
+    # Example:
+    #   analyzer = MigrationAnalyzer.new
+    #   findings = analyzer.analyze_migration(migration_file_path)
+    #
+    # With table size awareness:
+    #   connection = ActiveRecord::Base.connection
+    #   adapter = PostgreSQLAdapter.new(connection)
+    #   analyzer = MigrationAnalyzer.new(database_adapter: adapter)
+    #   findings = analyzer.analyze_migration(migration_file_path)
+    class MigrationAnalyzer < Analyzers::Base
+      # Initialize analyzer
+      #
+      # @param database_adapter [DatabaseAdapter] Optional adapter for table metadata
+      def initialize(database_adapter: nil)
+        super(:migration_risk)
+        @database_adapter = database_adapter
+        @table_risk_analyzer = TableRiskAnalyzer.new(database_adapter)
+      end
+
+      # Analyze a single migration file
+      #
+      # @param file_path [String] Path to migration file
+      # @return [Array<Core::Finding>] List of findings
+      def analyze_migration(file_path)
+        return [] unless File.exist?(file_path)
+
+        content = File.read(file_path)
+        migration_name = File.basename(file_path, ".rb")
+
+        risks = MigrationRiskDetectors.detect_risks(content, migration_name)
+        
+        # Enhance risks with table metadata if adapter available
+        risks = @table_risk_analyzer.enhance_risks(content, risks)
+
+        risks_to_findings(risks, file_path)
+      end
+
+      # Analyze all migrations in a directory
+      #
+      # @param migrations_dir [String] Path to db/migrate directory
+      # @return [Array<Core::Finding>] List of findings from all migrations
+      def analyze_migrations_directory(migrations_dir = "db/migrate")
+        findings = []
+        return findings unless Dir.exist?(migrations_dir)
+
+        Dir.glob(File.join(migrations_dir, "*.rb")).each do |file_path|
+          findings.concat(analyze_migration(file_path))
+        end
+
+        findings
+      end
+
+      # Analyze method for integration with QueryGuard context
+      # This is called by registry when running full analysis
+      #
+      # @param context [Core::Context] Not used for migrations,  but required by Base
+      # @param config [Config] Configuration object
+      # @return [Array<Core::Finding>] List of findings
+      def analyze(context, config)
+        migrations_dir = config&.migrations_directory || "db/migrate"
+        analyze_migrations_directory(migrations_dir)
+      end
+
+      private
+
+      def risks_to_findings(risks, file_path)
+        risks.map do |risk|
+          severity = risk[:severity] || :warn
+
+          Core::FindingBuilders.build(
+            analyzer_name: name,
+            rule_name: risk[:type],
+            severity: severity,
+            title: risk[:title],
+            description: risk[:description],
+            message: risk[:message],
+            file_path: file_path,
+            line_number: risk[:line_number],
+            recommendations: [risk[:recommendation]],
+            metadata: risk[:metadata]
+          )
+        end
+      end
+    end
+  end
+end