sql_safety_net 1.1.11 → 2.0.0

data/spec/connection_adapter_spec.rb

@@ -2,142 +2,137 @@ require 'spec_helper'
 
 describe SqlSafetyNet::ConnectionAdapter do
   
-  class SqlSafetyNet::TestConnectionAdapter < ActiveRecord::ConnectionAdapters::AbstractAdapter
-    class Model
-      attr_accessor :id, :name
-      def initialize (attrs)
-        @id = attrs["id"]
-        @name = attrs["name"]
-      end
-    end
-    
-    def columns (table_name, name = nil)
-      select_rows("GET columns")
-      ["id", "name"]
-    end
-    
-    def select_rows (sql, name = nil, binds = [])
-      return [{"id" => 1, "name" => "foo"}, {"id" => 2, "name" => "bar"}]
-    end
-    
-    protected
-    
-    def analyze_query (sql, name, *args)
-      if sql.match(/table scan/i)
-        {:flags => ["table scan"]}
-      end
-    end
-    
-    def select (sql, name = nil, binds = [])
-      select_rows(sql, name).collect do |row|
-        Model.new(row)
-      end
-    end
-    
-    SqlSafetyNet.config.enable_on(self)
-  end
-  
-  before(:each) do
-    SqlSafetyNet.config.debug = true
-    SqlSafetyNet::QueryAnalysis.clear
-  end
+  let(:connection){ SqlSafetyNet::TestModel.connection }
   
-  after(:each) do
-    SqlSafetyNet::QueryAnalysis.clear
+  before :each do
+    SqlSafetyNet::TestModel.delete_all
+    SqlSafetyNet::TestModel.create!(:name => "test", :value => 10)
   end
   
-  let(:connection){ SqlSafetyNet::TestConnectionAdapter.new(:connection) }
-
-  it "should not analyze the SQL select in the columns method" do
-    connection.should_receive(:columns_without_sql_safety_net).with("table", "columns").and_return(["col1", "col2"])
-    analysis = SqlSafetyNet::QueryAnalysis.analyze do
-      connection.columns("table", "columns").should == ["col1", "col2"]
+  describe "injection" do
+    it "should analyze queries in the select_rows method" do
+      connection.should_receive(:analyze_query).with("select name, value from test_models", "SQL", []).and_yield
+      connection.select_rows("select name, value from test_models", "SQL").should == [["test", 10]]
     end
-    analysis.selects.should == 0
-  end
-
-  it "should not analyze the SQL select in the active? method" do
-    connection.should_receive(:active_without_sql_safety_net?).and_return(true)
-    analysis = SqlSafetyNet::QueryAnalysis.analyze do
-      connection.active?.should == true
+    
+    it "should analyze queries in the select method" do
+      connection.should_receive(:analyze_query).with("select name, value from test_models", "SQL", []).and_yield
+      connection.send(:select, "select name, value from test_models", "SQL").should == [{"name"=>"test", "value"=>10}]
     end
-    analysis.selects.should == 0
-  end
-  
-  it "should determine if a SQL statement is a select statement" do
-    connection.select_statement?("SELECT * FROM TABLE").should == true
-    connection.select_statement?(" \n SELECT * FROM TABLE").should == true
-    connection.select_statement?("Select * From Table").should == true
-    connection.select_statement?("select * from table").should == true
-    connection.select_statement?("EXECUTE SELECT * FROM TABLE").should == false
   end
   
-  [:select, :select_rows].each do |select_method|
-    context select_method do
-      it "should proxy the select method to the underlying adapter" do
-        connection.should_receive("#{select_method}_without_sql_safety_net").with('Select sql', 'name').and_return([:row1, :row2])
-        connection.send(select_method, 'Select sql', 'name').should == [:row1, :row2]
-      end
+  describe "analysis" do
+    it "should not blow up if there is no current QueryAnalysis" do
+      connection.select_rows("select name, value from test_models", "SQL").should == [["test", 10]]
+    end
     
-      it "should count selects" do
-        analysis = SqlSafetyNet::QueryAnalysis.analyze do
-          connection.send(select_method, 'Select * from table')
-          connection.send(select_method, 'Select * from table where whatever')
+    context "select statements" do
+      before :each do
+        SqlSafetyNet::TestModel.create!(:name => "foo", :value => 100)
+      end
+      
+      it "should analyze select statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.send(:select, "select name, value from test_models order by name")
+          results.should == [{"name" => "foo", "value" => 100}, {"name" => "test", "value" => 10}]
+          analysis.queries.size.should == 1
+          query_info = analysis.queries.first
+          query_info.sql.should == "select name, value from test_models order by name"
+          query_info.rows.should == 2
+          query_info.result_size.should == 12
+          query_info.elapsed_time.should > 0
+        end
+      end
+      
+      # ActiveRecord < 3.1 doesn't have the binds parameter
+      if ActiveRecord::VERSION::MAJOR > 3 || (ActiveRecord::VERSION::MAJOR == 3 && ActiveRecord::VERSION::MINOR >= 1)
+        it "should analyze select statements using bind variables" do
+          SqlSafetyNet::QueryAnalysis.capture do |analysis|
+            name_column = SqlSafetyNet::TestModel.columns_hash["name"]
+            results = connection.send(:select, "select name, value from test_models where name = ? order by name", "SQL", [[name_column, "foo"]])
+            results.should == [{"name" => "foo", "value" => 100}]
+            analysis.queries.size.should == 1
+            query_info = analysis.queries.first
+            query_info.sql.should == 'select name, value from test_models where name = ? order by name [["name", "foo"]]'
+            query_info.rows.should == 1
+            query_info.result_size.should == 6
+            query_info.elapsed_time.should > 0
+          end
+        end
+      end
+      
+      it "should analyze select_rows statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.select_rows("select name, value from test_models order by name")
+          results.should == [["foo", 100], ["test", 10]]
+          analysis.queries.size.should == 1
+          query_info = analysis.queries.first
+          query_info.sql.should == "select name, value from test_models order by name"
+          query_info.rows.should == 2
+          query_info.result_size.should == 12
+          query_info.elapsed_time.should > 0
         end
-        analysis.selects.should == 2
       end
+    end
     
-      it "should count rows returned" do
-        analysis = SqlSafetyNet::QueryAnalysis.analyze do
-          connection.send(select_method, 'Select * from table')
-          connection.send(select_method, 'Select * from table where whatever')
+    context "non-select statements" do
+      it "should not analyze schema statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.select_rows("INSERT INTO test_models (name, value) VALUES ('moo', 1)")
+          analysis.queries.should be_empty
         end
-        analysis.rows.should == 4
       end
-  
-      it "should analyze select statements and keep track of bad queries" do
-        analysis = SqlSafetyNet::QueryAnalysis.analyze do
-          connection.send(select_method, 'Select * from table doing table scan')
+      
+      it "should not analyze explain statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.select_rows("EXPLAIN select * from test_models")
+          analysis.queries.should be_empty
         end
-        analysis.non_flagged_queries.size.should == 0
-        analysis.flagged_queries.size.should == 1
-        analysis.flagged_queries.first[:sql].should == 'Select * from table doing table scan'
-        analysis.flagged_queries.first[:rows].should == 2
-        analysis.flagged_queries.first[:flags].should == ['table scan']
       end
-
-      it "should analyze select statements and keep track of good queries" do
-        analysis = SqlSafetyNet::QueryAnalysis.analyze do
-          connection.send(select_method, 'Select * from table')
+      
+      it "should not analyze insert statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.select_rows("INSERT INTO test_models (name, value) VALUES ('moo', 1)")
+          analysis.queries.should be_empty
         end
-        analysis.flagged_queries.size.should == 0
-        analysis.non_flagged_queries.size.should == 1
-        analysis.non_flagged_queries.first[:sql].should == 'Select * from table'
-        analysis.non_flagged_queries.first[:rows].should == 2
       end
       
-      it "should flag queries that exceed the configured time limit" do
-        now = Time.now
-        analysis = SqlSafetyNet::QueryAnalysis.analyze do
-          Time.stub(:now).and_return(now, now + 100)
-          connection.send(select_method, 'Select * from table')
+      it "should not analyze update statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.select_rows("UPDATE test_models SET value = 1 WHERE value = 10")
+          analysis.queries.should be_empty
         end
-        analysis.flagged_queries.size.should == 1
-        analysis.non_flagged_queries.size.should == 0
-        analysis.flagged_queries.first[:flags].should == ["query time exceeded #{SqlSafetyNet.config.time_limit} ms"]
       end
-
-      it "should not analyze queries if debug mode disabled" do
-        SqlSafetyNet.config.debug = false
-        analysis = SqlSafetyNet::QueryAnalysis.analyze do
-          connection.send(select_method, 'SELECT * from table with table scan')
+      
+      it "should not analyze delete statements" do
+        SqlSafetyNet::QueryAnalysis.capture do |analysis|
+          results = connection.select_rows("DELETE FROM test_models WHERE id = 1")
+          analysis.queries.should be_empty
         end
-        analysis.selects.should == 1
-        analysis.rows.should == 2
-        analysis.flagged_queries.size.should == 0
-        analysis.non_flagged_queries.size.should == 0
       end
     end
   end
-
+  
+  describe "ActiveRecord finders" do
+    it "should analyze the queries" do
+      SqlSafetyNet::QueryAnalysis.capture do |analysis|
+        model = SqlSafetyNet::TestModel.all.first
+        SqlSafetyNet::TestModel.find(model.id)
+        analysis.total_queries.should == 2
+      end
+    end
+  end
+  
+  describe "explain plan analysis" do
+    it "should do further analysis on queries when the adapter support query plan analysis" do
+      connection.should_receive(:respond_to?).with(:sql_safety_net_analyze_query_plan).and_return(true)
+      connection.should_receive(:sql_safety_net_analyze_query_plan).with("SELECT * from test_models", []).and_return(["table scan"])
+      
+      SqlSafetyNet::QueryAnalysis.capture do |analysis|
+        model = connection.select_all("SELECT * from test_models")
+        analysis.queries.first.alerts.should == ["table scan"]
+      end
+    end
+  end
+  
 end

data/spec/explain_plan/mysql_spec.rb

@@ -0,0 +1,113 @@
+require 'spec_helper'
+
+describe SqlSafetyNet::ExplainPlan::Mysql do
+
+  class MockMysqlConnection; end
+  SqlSafetyNet::ExplainPlan.enable_on_connection_adapter!(MockMysqlConnection, :mysql)
+  
+  let(:connection){ MockMysqlConnection.new }
+  let(:sql){ "SELECT * FROM *" }
+  
+  it "should detect table scans" do
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"type" => "ALL", "rows" => 100}])
+    
+    SqlSafetyNet.override_config do |config|
+      config.table_scan_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("table scan on 100 rows")
+      
+      config.table_scan_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should be_empty
+    end
+  end
+  
+  it "should detect no indexes being used" do
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"key" => nil, "rows" => 100}])
+    
+    SqlSafetyNet.override_config do |config|
+      config.table_scan_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("no index used")
+      
+      config.table_scan_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should_not include("no index used")
+    end
+  end
+  
+  it "should detect no indexes possible" do
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"possible_keys" => nil, "rows" => 100}])
+    
+    SqlSafetyNet.override_config do |config|
+      config.table_scan_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("no index possible")
+      
+      config.table_scan_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should_not include("no index possible")
+    end
+  end
+  
+  it "should detect dependent subqueries" do
+    connection.should_receive(:select).with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"select_type" => "dependent", "rows" => 100}])
+    alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+    alerts.should include("dependent subquery")
+  end
+  
+  it "should detect uncacheable subqueries" do
+    connection.should_receive(:select).with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"select_type" => "uncacheable", "rows" => 100}])
+    alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+    alerts.should include("uncacheable subquery")
+  end
+  
+  it "should detect full scan on null key" do
+    connection.should_receive(:select).with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"Extra" => "full scan on null key", "rows" => 100}])
+    alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+    alerts.should include("full scan on null key")
+  end
+  
+  it "should detect excess temporary table usage" do
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"Extra" => "using temporary", "rows" => 100}])
+    
+    SqlSafetyNet.override_config do |config|
+      config.temporary_table_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("uses temporary table for 100 rows")
+      
+      config.temporary_table_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should_not include("uses temporary table for 100 rows")
+    end
+  end
+  
+  it "should detect excess filesort usage" do
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"Extra" => "filesort", "rows" => 100}])
+    
+    SqlSafetyNet.override_config do |config|
+      config.filesort_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("uses filesort for 100 rows")
+      
+      config.filesort_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should_not include("uses filesort for 100 rows")
+    end
+  end
+  
+  it "should detect examining too many rows" do
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", "EXPLAIN", []).and_return([{"rows" => 100}])
+    
+    SqlSafetyNet.override_config do |config|
+      config.examined_rows_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("examined 100 rows")
+      
+      config.examined_rows_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should be_empty
+    end
+  end
+
+end

data/spec/explain_plan/postgresql_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe SqlSafetyNet::ExplainPlan::Postgresql do
+  class PostgresqlConnection; end
+  SqlSafetyNet::ExplainPlan.enable_on_connection_adapter!(PostgresqlConnection, :postgresql)
+  
+  let(:connection){ PostgresqlConnection.new }
+  let(:sql){ "SELECT * FROM *" }
+  
+  it "should flag excessive table scans" do
+    query_plan = [{"QUERY PLAN"=>"Seq Scan on records  (cost=0.00..12.20 rows=100 width=335)"}]
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", 'EXPLAIN', []).and_return(query_plan)
+    SqlSafetyNet.override_config do |config|
+      config.table_scan_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("table scan on ~100 rows")
+      
+      config.table_scan_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should be_empty
+    end
+  end
+  
+  it "should flag too many rows examined" do
+    query_plan = [{"QUERY PLAN"=>"Index Scan using records_pkey on records  (cost=0.00..8.27 rows=100 width=336)"}]
+    connection.should_receive(:select).twice.with("EXPLAIN #{sql}", 'EXPLAIN', []).and_return(query_plan)
+    SqlSafetyNet.override_config do |config|
+      config.examined_rows_limit = 99
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should include("examined ~100 rows")
+      
+      config.examined_rows_limit = 100
+      alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+      alerts.should be_empty
+    end
+  end
+    
+  it "should apply a limit to the rows returned" do
+    query_plan = [{"QUERY PLAN"=>"Limit  (cost=0.00..0.06 rows=1 width=335)"}, {"QUERY PLAN"=>"  ->  Seq Scan on records  (cost=0.00..12.20 rows=1000000 width=335)"}]
+    connection.should_receive(:select).with("EXPLAIN #{sql}", 'EXPLAIN', []).and_return(query_plan)
+    alerts = connection.sql_safety_net_analyze_query_plan(sql, [])
+    alerts.should be_empty
+  end
+end

data/spec/formatter_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe SqlSafetyNet::Formatter do
+  
+  let(:query_info){ SqlSafetyNet::QueryInfo.new("SELECT * FROM *", :elapsed_time => 0.1, :rows => 1, :result_size => 500) }
+  let(:analysis){ SqlSafetyNet::QueryAnalysis.new }
+  
+  it "should convert an analysis to valid XHTML" do
+    analysis << query_info
+    formatter = SqlSafetyNet::Formatter.new(analysis)
+    html = formatter.to_html
+    html.should match(/<div [^>]*id="_sql_safety_net_"/)
+    parsed = ActiveSupport::XmlMini.parse(html)
+    parsed["div"]["id"].should == "_sql_safety_net_"
+  end
+  
+  it "should convert an analysis to a string" do
+    analysis << query_info
+    formatter = SqlSafetyNet::Formatter.new(analysis)
+    text = formatter.to_s
+    text.should include("1 query, 1 row")
+  end
+  
+  it "should give a summary of an analysis" do
+    analysis << query_info
+    formatter = SqlSafetyNet::Formatter.new(analysis)
+    formatter.summary.should == "1 query, 1 row, 0.5K, 100ms"
+  end
+  
+  it "should pluralize words in the summary" do
+    analysis << query_info
+    analysis << query_info
+    formatter = SqlSafetyNet::Formatter.new(analysis)
+    formatter.summary.should == "2 queries, 2 rows, 1.0K, 200ms"
+  end
+  
+  it "should creat a CSS style for the HTML div" do
+    formatter = SqlSafetyNet::Formatter.new(analysis)
+    style = formatter.div_style("width" => "200px", "left" => "10px", "text-decoration" => "underline", "font-weight" => nil)
+    style.should include("left:10px;")
+    style.should include("top:5px;")
+    style.should include("width:200px")
+    style.should include("text-decoration:underline")
+    style.should_not include("font-weight")
+  end
+end

data/spec/middleware_spec.rb

@@ -0,0 +1,90 @@
+require 'spec_helper'
+
+describe SqlSafetyNet::Middleware do
+  
+  before :all do
+    SqlSafetyNet::TestModel.delete_all
+    SqlSafetyNet::TestModel.create(:name => "test")
+  end
+  
+  let(:app){ lambda{|env| [env[:status] || 200, {"Content-Type" => env[:type] || "text/plain"}, ["<body>Hello</body>"]]} }
+  let(:app_with_query){ lambda{|env| SqlSafetyNet::TestModel.first; [env[:status] || 200, {"Content-Type" => env[:type] || "text/plain"}, ["<body>Hello</body>"]]} }
+  
+  it "should return the original response code" do
+    middleware = SqlSafetyNet::Middleware.new(app)
+    response = middleware.call(:status => 301)
+    response = Rack::Response.new(response[2], response[0], response[1])
+    response.status.should == 301
+  end
+  
+  it "should not return the X-SqlSafetyNet header if not queries occurred" do
+    middleware = SqlSafetyNet::Middleware.new(app)
+    response = middleware.call(:status => 200)
+    response = Rack::Response.new(response[2], response[0], response[1])
+    response["X-SqlSafetyNet"].should == nil
+  end
+  
+  it "should return the original response headers plus X-SqlSafetyNet" do
+    middleware = SqlSafetyNet::Middleware.new(app_with_query)
+    response = middleware.call(:status => 200)
+    response = Rack::Response.new(response[2], response[0], response[1])
+    response["X-SqlSafetyNet"].should include("1 query, 1 row")
+  end
+  
+  it "should return the original body if no queries performed" do
+    middleware = SqlSafetyNet::Middleware.new(app)
+    response = middleware.call(:type => "text/html")
+    response = Rack::Response.new(response[2], response[0], response[1])
+    body = response.body.join("")
+    body.should == "<body>Hello</body>"
+  end
+  
+  it "should return the original body plus the sql analysis if HTML and not Ajax and always show is on" do
+    SqlSafetyNet.override_config do |config|
+      config.always_show = true
+      middleware = SqlSafetyNet::Middleware.new(app_with_query)
+      response = middleware.call(:type => "text/html; charset=UTF-8")
+      response = Rack::Response.new(response[2], response[0], response[1])
+      body = response.body.join("")
+      body.should include("<body>Hello</body>")
+      body.should include("_sql_safety_net_")
+    end
+  end
+  
+  it "should return the original body plus the sql analysis if XHTML and not Ajax and the queries are flagged" do
+    SqlSafetyNet.override_config do |config|
+      config.query_limit = 0
+      middleware = SqlSafetyNet::Middleware.new(app_with_query)
+      response = middleware.call(:type => "text/xhtml; charset=UTF-8")
+      response = Rack::Response.new(response[2], response[0], response[1])
+      body = response.body.join("")
+      body.should include("<body>Hello</body>")
+      body.should include("_sql_safety_net_")
+    end
+  end
+  
+  it "should return the original body only if always_on is false and no flagged query" do
+    middleware = SqlSafetyNet::Middleware.new(app_with_query)
+    response = middleware.call(:type => "text/html; charset=UTF-8")
+    response = Rack::Response.new(response[2], response[0], response[1])
+    body = response.body.join("")
+    body.should == "<body>Hello</body>"
+  end
+  
+  it "should return the original body only if Ajax" do
+    middleware = SqlSafetyNet::Middleware.new(app)
+    response = middleware.call(:type => "text/html", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest")
+    response = Rack::Response.new(response[2], response[0], response[1])
+    body = response.body.join("")
+    body.should == "<body>Hello</body>"
+  end
+  
+  it "should return the original body only if not HTML" do
+    middleware = SqlSafetyNet::Middleware.new(app)
+    response = middleware.call(:type => "text/plain")
+    response = Rack::Response.new(response[2], response[0], response[1])
+    body = response.body.join("")
+    body.should == "<body>Hello</body>"
+  end
+  
+end