@malloy-publisher/server 0.0.199 → 0.0.200

package/src/service/package.ts

@@ -28,6 +28,7 @@ import {
    ServiceUnavailableError,
 } from "../errors";
 import { formatDuration, logger } from "../logger";
+import { assertSafeEnvironmentPath, safeJoinUnderRoot } from "../path_safety";
 import { BuildManifest } from "../storage/DatabaseInterface";
 import { ignoreDotfiles } from "../utils";
 import { Model } from "./model";
@@ -90,6 +91,7 @@ export class Package {
       packagePath: string,
       environmentMalloyConfig: PackageConnectionInput,
    ): Promise<Package> {
+      assertSafeEnvironmentPath(packagePath);
       const startTime = performance.now();
       await Package.validatePackageManifestExistsOrThrowError(packagePath);
       const manifestValidationTime = performance.now();
@@ -515,7 +517,10 @@ export class Package {
    private static async validatePackageManifestExistsOrThrowError(
       packagePath: string,
    ) {
-      const packageConfigPath = path.join(packagePath, PACKAGE_MANIFEST_NAME);
+      const packageConfigPath = safeJoinUnderRoot(
+         packagePath,
+         PACKAGE_MANIFEST_NAME,
+      );
       try {
          await fs.stat(packageConfigPath);
       } catch {

package/src/service/path_injection.spec.ts

@@ -0,0 +1,39 @@
+import { describe, expect, it } from "bun:test";
+import { BadRequestError } from "../errors";
+import { deleteDuckLakeConnectionFile } from "./connection";
+
+const TRAVERSAL_NAMES: ReadonlyArray<readonly [string, string]> = [
+   ["leading traversal", "../etc"],
+   ["embedded traversal", "foo/../../bar"],
+   ["slash in name", "foo/bar"],
+   ["backslash in name", "foo\\bar"],
+   ["leading dot", ".staging"],
+   ["bare dot-dot", ".."],
+   ["bare dot", "."],
+   ["empty", ""],
+   ["NUL byte", "foo\0bar"],
+   ["oversized", "a".repeat(256)],
+   ["absolute", "/etc/passwd"],
+] as const;
+
+describe("deleteDuckLakeConnectionFile path-injection guards", () => {
+   it.each(TRAVERSAL_NAMES)(
+      "rejects %s as connectionName (%p)",
+      async (_label, connectionName) => {
+         await expect(
+            deleteDuckLakeConnectionFile(connectionName, "/tmp/env"),
+         ).rejects.toBeInstanceOf(BadRequestError);
+      },
+   );
+
+   it.each([
+      ["relative", "relative/path"],
+      ["traversal", "/var/lib/../../etc"],
+      ["NUL byte", "/var/lib/env\0"],
+      ["bare dot-dot", ".."],
+   ])("rejects %s as environmentPath (%p)", async (_label, environmentPath) => {
+      await expect(
+         deleteDuckLakeConnectionFile("conn", environmentPath),
+      ).rejects.toBeInstanceOf(BadRequestError);
+   });
+});

package/src/stream_helpers.spec.ts

@@ -0,0 +1,280 @@
+import type {
+   QueryRecord,
+   RunSQLOptions,
+   StreamingConnection,
+} from "@malloydata/malloy";
+import { describe, expect, it } from "bun:test";
+
+import { PayloadTooLargeError } from "./errors";
+import { isStreamingConnection, streamSqlWithBudget } from "./stream_helpers";
+
+/**
+ * Build a fake StreamingConnection backed by a fixed row array. The
+ * fake records the abort signal so tests can confirm
+ * `streamSqlWithBudget` actually signaled the driver to stop —
+ * client-side counting alone is not enough; the whole point of the
+ * helper is to terminate fetching early.
+ */
+function fakeStreamingConnection(opts: {
+   rows: QueryRecord[];
+   /**
+    * When true (the default), the fake honors `RunSQLOptions.rowLimit`
+    * by slicing — same as real Postgres/DuckDB. Set false to drive
+    * the helper's own overflow detection (the (cap+1)-th row check).
+    */
+   honorRowLimit?: boolean;
+   /**
+    * Test hook: set to `true` when the fake observes `signal.aborted`
+    * flip via the listener it installed at the start of streaming.
+    */
+   abortObserved?: { value: boolean };
+   /**
+    * Test hook: captures the options the helper passed to
+    * `runSQLStream`, so tests can assert it preserved caller-supplied
+    * `rowLimit` (and the abortSignal it wired in).
+    */
+   capturedOptions?: { value: RunSQLOptions | undefined };
+}): StreamingConnection {
+   const { rows, honorRowLimit = true, abortObserved, capturedOptions } = opts;
+   return {
+      canStream(): true {
+         return true;
+      },
+      async *runSQLStream(
+         _sql: string,
+         options?: RunSQLOptions,
+      ): AsyncIterableIterator<QueryRecord> {
+         if (capturedOptions) capturedOptions.value = options;
+         if (abortObserved) {
+            options?.abortSignal?.addEventListener("abort", () => {
+               abortObserved.value = true;
+            });
+         }
+         const limit =
+            honorRowLimit && typeof options?.rowLimit === "number"
+               ? options.rowLimit
+               : rows.length;
+         for (let i = 0; i < Math.min(rows.length, limit); i += 1) {
+            yield rows[i];
+         }
+      },
+   } as unknown as StreamingConnection;
+}
+
+describe("isStreamingConnection", () => {
+   it("returns true for a connection whose canStream() returns true", () => {
+      const conn = fakeStreamingConnection({ rows: [] });
+      expect(isStreamingConnection(conn)).toBe(true);
+   });
+
+   it("returns false for a connection without canStream", () => {
+      expect(isStreamingConnection({} as never)).toBe(false);
+   });
+
+   it("returns false for a connection whose canStream() returns false", () => {
+      const conn = {
+         canStream() {
+            return false;
+         },
+      } as never;
+      expect(isStreamingConnection(conn)).toBe(false);
+   });
+});
+
+describe("streamSqlWithBudget", () => {
+   it("returns all rows when both budgets are comfortably above the stream", async () => {
+      const rows: QueryRecord[] = [{ a: 1 }, { a: 2 }, { a: 3 }];
+      const conn = fakeStreamingConnection({ rows });
+      const result = await streamSqlWithBudget(
+         conn,
+         "SELECT a FROM t",
+         { rowLimit: 10 },
+         { maxRows: 10, maxBytes: 1_000_000 },
+      );
+      expect(result.rows).toEqual(rows);
+      expect(result.totalRows).toBe(3);
+   });
+
+   it("forwards caller-supplied runSQLOptions (rowLimit) to the driver", async () => {
+      const captured = { value: undefined as RunSQLOptions | undefined };
+      const conn = fakeStreamingConnection({
+         rows: [{ a: 1 }, { a: 2 }],
+         capturedOptions: captured,
+      });
+      await streamSqlWithBudget(
+         conn,
+         "SELECT 1",
+         { rowLimit: 6 },
+         { maxRows: 5, maxBytes: 0 },
+      );
+      expect(captured.value?.rowLimit).toBe(6);
+      // abortSignal must be wired in so the helper can abort the
+      // iterator on overflow.
+      expect(captured.value?.abortSignal).toBeDefined();
+   });
+
+   it("composes the caller-supplied abortSignal with its internal cap-abort signal", async () => {
+      // Step 5: the caller's signal is the query timeout. Composing
+      // both sources means EITHER an external timeout OR an internal
+      // cap overflow terminates the iterator. The combined signal
+      // must be a fresh AbortSignal (not either input by reference);
+      // aborting either input must mark the composed signal aborted.
+      const captured = { value: undefined as RunSQLOptions | undefined };
+      const callerAc = new AbortController();
+      const conn = fakeStreamingConnection({
+         rows: [{ a: 1 }],
+         capturedOptions: captured,
+      });
+      await streamSqlWithBudget(
+         conn,
+         "SELECT 1",
+         { rowLimit: 10, abortSignal: callerAc.signal },
+         { maxRows: 5, maxBytes: 0 },
+      );
+      const observed = captured.value?.abortSignal;
+      expect(observed).toBeInstanceOf(AbortSignal);
+      // Composed signal is a new object (`AbortSignal.any` returns a
+      // fresh signal), not the caller's signal by reference.
+      expect(observed).not.toBe(callerAc.signal);
+      expect(observed?.aborted).toBe(false);
+   });
+
+   it("composed signal aborts when the caller's signal aborts", async () => {
+      // Drive the external (caller) signal manually and confirm the
+      // composed signal that reached the driver tracks it. This is the
+      // half of composition that runWithQueryTimeout depends on for
+      // 504 to actually cancel an in-flight query.
+      if (typeof AbortSignal.any !== "function") return;
+      const captured = { value: undefined as RunSQLOptions | undefined };
+      const callerAc = new AbortController();
+      const conn = fakeStreamingConnection({
+         rows: [{ a: 1 }],
+         capturedOptions: captured,
+      });
+      await streamSqlWithBudget(
+         conn,
+         "SELECT 1",
+         { rowLimit: 10, abortSignal: callerAc.signal },
+         { maxRows: 5, maxBytes: 0 },
+      );
+      const observed = captured.value?.abortSignal;
+      expect(observed?.aborted).toBe(false);
+      callerAc.abort();
+      expect(observed?.aborted).toBe(true);
+   });
+
+   it("throws PayloadTooLargeError and aborts the iterator on the (cap+1)-th row", async () => {
+      const rows: QueryRecord[] = [
+         { a: 1 },
+         { a: 2 },
+         { a: 3 },
+         { a: 4 },
+         { a: 5 },
+      ];
+      const abortObserved = { value: false };
+      const conn = fakeStreamingConnection({
+         rows,
+         abortObserved,
+         honorRowLimit: false,
+      });
+      await expect(
+         streamSqlWithBudget(
+            conn,
+            "SELECT a FROM t",
+            {},
+            { maxRows: 2, maxBytes: 1_000_000 },
+         ),
+      ).rejects.toBeInstanceOf(PayloadTooLargeError);
+      await expect(
+         streamSqlWithBudget(
+            conn,
+            "SELECT a FROM t",
+            {},
+            { maxRows: 2, maxBytes: 1_000_000 },
+         ),
+      ).rejects.toThrow("more than 2 rows");
+      // The helper must have fired the abort signal so a real driver
+      // (pg-query-stream / duckdb) would stop producing rows server-
+      // side, not just be discarded client-side.
+      expect(abortObserved.value).toBe(true);
+   });
+
+   it("throws PayloadTooLargeError when summed JSON byte size exceeds the cap", async () => {
+      const big = "x".repeat(40);
+      const rows: QueryRecord[] = [{ s: big }, { s: big }, { s: big }];
+      const abortObserved = { value: false };
+      const conn = fakeStreamingConnection({
+         rows,
+         abortObserved,
+         honorRowLimit: false,
+      });
+      await expect(
+         streamSqlWithBudget(
+            conn,
+            "SELECT s FROM t",
+            {},
+            { maxRows: 100, maxBytes: 60 },
+         ),
+      ).rejects.toThrow("exceeded 60 bytes");
+      expect(abortObserved.value).toBe(true);
+   });
+
+   it("returns all rows when the byte cap is disabled (maxBytes = 0)", async () => {
+      const big = "x".repeat(10_000);
+      const rows: QueryRecord[] = Array.from({ length: 3 }, () => ({ s: big }));
+      const conn = fakeStreamingConnection({ rows, honorRowLimit: false });
+      const result = await streamSqlWithBudget(
+         conn,
+         "SELECT s FROM t",
+         {},
+         { maxRows: 100, maxBytes: 0 },
+      );
+      expect(result.rows.length).toBe(3);
+   });
+
+   it("returns all rows when the row cap is disabled (maxRows = 0)", async () => {
+      const rows: QueryRecord[] = Array.from({ length: 50 }, (_, i) => ({
+         a: i,
+      }));
+      const conn = fakeStreamingConnection({ rows, honorRowLimit: false });
+      const result = await streamSqlWithBudget(
+         conn,
+         "SELECT a FROM t",
+         {},
+         { maxRows: 0, maxBytes: 1_000_000 },
+      );
+      expect(result.rows.length).toBe(50);
+   });
+
+   it("returns rows when count equals the cap exactly (not an overflow)", async () => {
+      const rows: QueryRecord[] = [{ a: 1 }, { a: 2 }, { a: 3 }];
+      const conn = fakeStreamingConnection({ rows, honorRowLimit: false });
+      const result = await streamSqlWithBudget(
+         conn,
+         "SELECT a FROM t",
+         {},
+         { maxRows: 3, maxBytes: 1_000_000 },
+      );
+      expect(result.rows.length).toBe(3);
+   });
+
+   it("re-throws non-overflow errors from the driver", async () => {
+      const conn = {
+         canStream(): true {
+            return true;
+         },
+         // eslint-disable-next-line require-yield
+         async *runSQLStream(): AsyncIterableIterator<QueryRecord> {
+            throw new Error("connection reset");
+         },
+      } as unknown as StreamingConnection;
+      await expect(
+         streamSqlWithBudget(
+            conn,
+            "SELECT 1",
+            {},
+            { maxRows: 10, maxBytes: 1_000 },
+         ),
+      ).rejects.toThrow("connection reset");
+   });
+});

package/src/stream_helpers.ts

@@ -0,0 +1,162 @@
+/**
+ * Helpers for streaming the ad-hoc connection SQL endpoints
+ * (`/environments/.../connections/.../sqlQuery`) so the publisher
+ * process never has to hold a whole result set in memory before
+ * returning it.
+ *
+ * The Step 1 row cap (`PUBLISHER_MAX_QUERY_ROWS`) is necessary but
+ * not sufficient: row count is a poor proxy for memory pressure
+ * because a single 10 MB JSON column blows past the 100k-row cap's
+ * safe envelope. The byte cap (`PUBLISHER_MAX_RESPONSE_BYTES`) is
+ * the actual memory bound, and bytes can only be enforced by
+ * iterating row-at-a-time on `runSQLStream` — `runSQL` returns a
+ * fully-buffered result, so by the time we'd count bytes the
+ * connector has already done the damage.
+ *
+ * On streaming-capable connections (Postgres, DuckDB, ...) the
+ * controller routes here. On other connections it stays on the
+ * Step 1 path; client-side byte counting after the fact would be
+ * security theatre.
+ */
+
+import type {
+   Connection,
+   MalloyQueryData,
+   QueryRecord,
+   RunSQLOptions,
+   StreamingConnection,
+} from "@malloydata/malloy";
+
+import { PayloadTooLargeError } from "./errors";
+import { recordQueryCapExceeded } from "./query_cap_metrics";
+
+/**
+ * Runtime check + type narrow for streaming-capable connections.
+ * `Connection.canStream` is declared as `this is StreamingConnection`
+ * by the Malloy SDK, so a positive result is enough to safely call
+ * `runSQLStream`.
+ */
+export function isStreamingConnection(
+   connection: Connection,
+): connection is StreamingConnection {
+   return (
+      typeof (connection as { canStream?: () => boolean }).canStream ===
+         "function" && (connection as StreamingConnection).canStream()
+   );
+}
+
+export interface StreamBudget {
+   /**
+    * Maximum number of rows to return. A value of `0` disables the
+    * row cap (the caller-supplied `rowLimit` in `runSQLOptions` may
+    * still bound the stream, but the helper will not raise on
+    * overflow).
+    */
+   maxRows: number;
+   /**
+    * Maximum aggregate JSON-serialized byte size of returned rows.
+    * `0` disables the byte cap. Measured as the sum of
+    * `Buffer.byteLength(JSON.stringify(row))` for each yielded row
+    * — the same bytes the eventual response will contain inside
+    * `result.rows`.
+    */
+   maxBytes: number;
+}
+
+/**
+ * Drain `runSQLStream` into a `MalloyQueryData`-shaped buffer,
+ * enforcing both a row cap and a byte cap. Aborts the underlying
+ * iterator via an internal `AbortController` the moment either cap
+ * is breached so the driver stops producing rows immediately
+ * (Postgres' `pg-query-stream` and DuckDB's streaming iterator both
+ * honor `abortSignal`).
+ *
+ * The row cap is detected by the `cap + 1` sentinel pattern: the
+ * controller has already clamped `runSQLOptions.rowLimit` to
+ * `min(callerLimit, cap + 1)`, so receiving `cap + 1` rows
+ * unambiguously means the request would have overflowed. This
+ * matches the non-streaming path's overflow detection so behavior
+ * is identical regardless of which connector served the request.
+ *
+ * On overflow the helper throws `PayloadTooLargeError` directly —
+ * the message includes the relevant env-var name so the operator
+ * sees a self-contained tuning hint without having to cross-
+ * reference the controller.
+ */
+export async function streamSqlWithBudget(
+   connection: StreamingConnection,
+   sql: string,
+   runSQLOptions: RunSQLOptions,
+   budget: StreamBudget,
+): Promise<MalloyQueryData> {
+   const { maxRows, maxBytes } = budget;
+   const capAc = new AbortController();
+   const rows: QueryRecord[] = [];
+   let byteTotal = 0;
+   let overflowMessage: string | undefined;
+
+   // Compose two abort sources so a caller-supplied signal (the
+   // publisher's query timeout) and the internal cap-abort signal
+   // *both* cancel the underlying iterator:
+   //
+   //   - If the caller's signal fires first, the controller's
+   //     `runWithQueryTimeout` will throw `QueryTimeoutError` → 504.
+   //   - If the cap-abort fires first, we throw
+   //     `PayloadTooLargeError` → 413.
+   //
+   // Without composition the streaming branch would silently drop
+   // the caller's signal — historically the only way to abort here
+   // was the cap, so the legacy controller cleared
+   // `runSQLOptions.abortSignal`. Step 5 reverses that: the caller's
+   // signal is now authoritative.
+   //
+   // `AbortSignal.any` is widely available (Node 20+); guard with a
+   // typeof check so a stale runtime falls back to the legacy
+   // cap-only behavior instead of crashing at module load.
+   const externalSignal = runSQLOptions.abortSignal;
+   const composedSignal: AbortSignal =
+      externalSignal && typeof AbortSignal.any === "function"
+         ? AbortSignal.any([externalSignal, capAc.signal])
+         : capAc.signal;
+
+   try {
+      for await (const row of connection.runSQLStream(sql, {
+         ...runSQLOptions,
+         abortSignal: composedSignal,
+      })) {
+         rows.push(row);
+         if (maxBytes > 0) {
+            // Measure exactly what the eventual response body will
+            // contain for this row. O(rowSize) per row, duplicated
+            // against the final `JSON.stringify(result)` — the
+            // early-abort win on overflow dwarfs the bookkeeping
+            // cost in the bounded-success case.
+            byteTotal += Buffer.byteLength(JSON.stringify(row), "utf8");
+            if (byteTotal > maxBytes) {
+               recordQueryCapExceeded("bytes", "connection_sql");
+               overflowMessage = `Query response exceeded ${maxBytes} bytes (had at least ${byteTotal}). Refine the query (project fewer columns, add a LIMIT, or filter wide values) or raise PUBLISHER_MAX_RESPONSE_BYTES.`;
+               capAc.abort();
+               break;
+            }
+         }
+         if (maxRows > 0 && rows.length > maxRows) {
+            recordQueryCapExceeded("rows", "connection_sql");
+            overflowMessage = `Query returned more than ${maxRows} rows. Refine the query (add a LIMIT or more selective WHERE) or raise PUBLISHER_MAX_QUERY_ROWS.`;
+            capAc.abort();
+            break;
+         }
+      }
+   } catch (err) {
+      // `pg-query-stream` surfaces `query.destroy()` (which our
+      // abort handler triggers) as a synthetic error in some
+      // versions. Swallow it iff we triggered the abort ourselves —
+      // otherwise it's a real connection error (or the caller's
+      // timeout, which the controller's runWithQueryTimeout will
+      // surface as a 504) that the controller must see.
+      if (!overflowMessage) throw err;
+   }
+
+   if (overflowMessage) throw new PayloadTooLargeError(overflowMessage);
+
+   return { rows, totalRows: rows.length };
+}

package/src/test_helpers/metrics_harness.ts

@@ -0,0 +1,126 @@
+/**
+ * Test helper: spin up an in-memory OpenTelemetry MeterProvider so
+ * unit tests can assert that the new guardrails (admission gate,
+ * query timeout, query concurrency, heap check) emit the expected
+ * counters and gauges.
+ *
+ * Usage:
+ *
+ *   const harness = await startMetricsHarness();
+ *   // ... exercise production code ...
+ *   const sums = await harness.collectCounter("publisher_query_timeout_total");
+ *   expect(sums).toBe(1);
+ *   await harness.shutdown();
+ *
+ * The OTel JS API resolves `metrics.getMeter(name)` lazily through a
+ * `ProxyMeter`, so registering the MeterProvider here AFTER the
+ * production modules have already cached their meter handles works
+ * — subsequent `.add()` / observable callbacks route to this
+ * harness's provider.
+ *
+ * The harness drains all of the provider's metrics via
+ * `MetricReader.collect()` and reads the cumulative data points
+ * directly, bypassing the exporter pipeline so test code doesn't
+ * have to thread async callbacks.
+ */
+
+import { metrics } from "@opentelemetry/api";
+import { MeterProvider, MetricReader } from "@opentelemetry/sdk-metrics";
+
+/**
+ * The simplest possible MetricReader implementation: a no-op that
+ * exists only so the `MeterProvider` has a reader to satisfy its
+ * collection invariants. Tests call `collect()` directly via the
+ * harness; the reader never pushes anywhere.
+ */
+class CollectingMetricReader extends MetricReader {
+   protected override async onForceFlush(): Promise<void> {
+      // no-op; tests pull via `collect()` on demand
+   }
+   protected override async onShutdown(): Promise<void> {
+      // no-op
+   }
+}
+
+export interface MetricsHarness {
+   readonly provider: MeterProvider;
+   /**
+    * Force a collection cycle and return the cumulative sum of all
+    * data points for the named counter. Returns 0 when the counter
+    * has not been emitted yet.
+    *
+    * `attributeFilter` lets a test scope the sum to a single label
+    * set (e.g. only the `environment: "test-env"` data point).
+    */
+   collectCounter(
+      name: string,
+      attributeFilter?: Record<string, string | number | boolean>,
+   ): Promise<number>;
+   /**
+    * Force a collection cycle and return the most-recently observed
+    * value of the named gauge, or `undefined` if no callback has
+    * fired for this gauge yet.
+    */
+   collectGauge(name: string): Promise<number | undefined>;
+   shutdown(): Promise<void>;
+}
+
+export async function startMetricsHarness(): Promise<MetricsHarness> {
+   const reader = new CollectingMetricReader();
+   const provider = new MeterProvider({ readers: [reader] });
+   // OTel JS's `setGlobalMeterProvider` silently refuses to
+   // overwrite an existing global (`registerGlobal` returns false).
+   // Tests that run back-to-back would otherwise route their
+   // metrics into a dead provider from the previous test. Disable
+   // first to clear the slot.
+   metrics.disable();
+   metrics.setGlobalMeterProvider(provider);
+
+   return {
+      provider,
+      async collectCounter(
+         name: string,
+         attributeFilter?: Record<string, string | number | boolean>,
+      ): Promise<number> {
+         const result = await reader.collect();
+         let total = 0;
+         for (const rm of result.resourceMetrics.scopeMetrics) {
+            for (const metric of rm.metrics) {
+               if (metric.descriptor.name !== name) continue;
+               for (const dp of metric.dataPoints) {
+                  if (attributeFilter) {
+                     const allMatch = Object.entries(attributeFilter).every(
+                        ([k, v]) => dp.attributes?.[k] === v,
+                     );
+                     if (!allMatch) continue;
+                  }
+                  total += dp.value as number;
+               }
+            }
+         }
+         return total;
+      },
+      async collectGauge(name: string): Promise<number | undefined> {
+         const result = await reader.collect();
+         for (const rm of result.resourceMetrics.scopeMetrics) {
+            for (const metric of rm.metrics) {
+               if (metric.descriptor.name !== name) continue;
+               // Observable gauges yield one data point per
+               // attribute set per collection. Return the last
+               // observed value across all data points so unlabeled
+               // gauges (the common case in this code base) just
+               // work without attribute plumbing.
+               const last = metric.dataPoints[metric.dataPoints.length - 1];
+               return last?.value as number | undefined;
+            }
+         }
+         return undefined;
+      },
+      async shutdown(): Promise<void> {
+         await reader.shutdown();
+         // Clear the global so the next harness's
+         // `setGlobalMeterProvider` is accepted.
+         metrics.disable();
+      },
+   };
+}

package/dist/app/assets/HomePage-DLRWTNoL.js

@@ -1 +0,0 @@
-import{S as t,j as o,L as a}from"./index-Dv5bF4Ii.js";function s(){const n=t();return o.jsx(a,{onClickEnvironment:n})}export{s as default};