@stonyx/orm 0.2.1-alpha.37 → 0.2.1-alpha.38

package/dist/mysql/migration-runner.js

@@ -1,6 +1,8 @@
 import { fileExists } from '@stonyx/utils/file';
 import fs from 'fs/promises';
+import { validateIdentifier } from './query-builder.js';
 export async function ensureMigrationsTable(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     await pool.execute(`
     CREATE TABLE IF NOT EXISTS \`${tableName}\` (
       id INT AUTO_INCREMENT PRIMARY KEY,
@@ -10,6 +12,7 @@ export async function ensureMigrationsTable(pool, tableName = '__migrations') {
   `);
 }
 export async function getAppliedMigrations(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const [rows] = await pool.execute(`SELECT filename FROM \`${tableName}\` ORDER BY id ASC`);
     return rows.map(row => row.filename);
 }
@@ -37,6 +40,7 @@ export function parseMigrationFile(content) {
     return { up, down };
 }
 export async function applyMigration(pool, filename, upSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const connection = await pool.getConnection();
     try {
         await connection.beginTransaction();
@@ -57,6 +61,7 @@ export async function applyMigration(pool, filename, upSql, tableName = '__migra
     }
 }
 export async function rollbackMigration(pool, filename, downSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const connection = await pool.getConnection();
     try {
         await connection.beginTransaction();

package/dist/postgres/connection.js

@@ -1,3 +1,4 @@
+import { validateIdentifier } from './query-builder.js';
 let pool = null;
 /**
  * Create or return the singleton pg Pool.
@@ -18,7 +19,8 @@ export async function getPool(pgConfig, extensions = ['vector']) {
     });
     // Enable requested PostgreSQL extensions
     for (const ext of extensions) {
-        await pool.query(`CREATE EXTENSION IF NOT EXISTS ${ext}`);
+        validateIdentifier(ext, 'extension name');
+        await pool.query(`CREATE EXTENSION IF NOT EXISTS "${ext}"`);
     }
     return pool;
 }

package/dist/postgres/migration-runner.js

@@ -1,6 +1,8 @@
 import { fileExists } from '@stonyx/utils/file';
 import fs from 'fs/promises';
+import { validateIdentifier } from './query-builder.js';
 export async function ensureMigrationsTable(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     await pool.query(`
     CREATE TABLE IF NOT EXISTS "${tableName}" (
       id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
@@ -10,6 +12,7 @@ export async function ensureMigrationsTable(pool, tableName = '__migrations') {
   `);
 }
 export async function getAppliedMigrations(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const result = await pool.query(`SELECT filename FROM "${tableName}" ORDER BY id ASC`);
     return result.rows.map(row => row.filename);
 }
@@ -37,6 +40,7 @@ export function parseMigrationFile(content) {
     return { up, down };
 }
 export async function applyMigration(pool, filename, upSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const client = await pool.connect();
     try {
         await client.query('BEGIN');
@@ -56,6 +60,7 @@ export async function applyMigration(pool, filename, upSql, tableName = '__migra
     }
 }
 export async function rollbackMigration(pool, filename, downSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const client = await pool.connect();
     try {
         await client.query('BEGIN');

package/dist/postgres/type-map.js

@@ -36,6 +36,9 @@ export function getPgType(attrType, transformFn) {
  * Returns a vector column type for the given dimensions.
  */
 export function getVectorType(dimensions) {
+    if (!Number.isInteger(dimensions) || dimensions < 1 || dimensions > 16000) {
+        throw new Error(`Invalid vector dimensions: ${dimensions}. Must be an integer between 1 and 16000.`);
+    }
     return `vector(${dimensions})`;
 }
 function mysqlTypeToPg(mysqlType) {

package/dist/timescale/query-builder.d.ts

@@ -1,4 +1,6 @@
 export { validateIdentifier, buildInsert, buildUpdate, buildDelete, buildSelect } from '../postgres/query-builder.js';
+export declare function validateInterval(interval: string, context?: string): string;
+export declare function validateAggregate(expr: string, context?: string): string;
 interface QueryResult {
     sql: string;
     values: unknown[];

package/dist/timescale/query-builder.js

@@ -1,6 +1,20 @@
 // Re-export all base PostgreSQL query builders
 export { validateIdentifier, buildInsert, buildUpdate, buildDelete, buildSelect } from '../postgres/query-builder.js';
 import { validateIdentifier } from '../postgres/query-builder.js';
+const SAFE_INTERVAL = /^\d+\s+(microsecond|millisecond|second|minute|hour|day|week|month|year)s?$/i;
+export function validateInterval(interval, context = 'interval') {
+    if (!interval || typeof interval !== 'string' || !SAFE_INTERVAL.test(interval.trim())) {
+        throw new Error(`Invalid SQL ${context}: "${interval}". Intervals must match pattern like "7 days", "1 hour", "30 minutes".`);
+    }
+    return interval.trim();
+}
+const SAFE_AGGREGATE = /^(COUNT|SUM|AVG|MIN|MAX|FIRST|LAST)\s*\(\s*"?[a-zA-Z_][a-zA-Z0-9_]*"?\s*\)\s*(AS\s+"?[a-zA-Z_][a-zA-Z0-9_]*"?)?$/i;
+export function validateAggregate(expr, context = 'aggregate') {
+    if (!expr || typeof expr !== 'string' || !SAFE_AGGREGATE.test(expr.trim())) {
+        throw new Error(`Invalid SQL ${context}: "${expr}". Aggregates must be simple function calls like "AVG(value) AS avg_value".`);
+    }
+    return expr.trim();
+}
 /**
  * Build a CREATE TABLE + hypertable conversion statement.
  * TimescaleDB hypertables are regular tables converted via create_hypertable().
@@ -9,6 +23,7 @@ export function buildCreateHypertable(table, timeColumn, options = {}) {
     validateIdentifier(table, 'table name');
     validateIdentifier(timeColumn, 'column name');
     const { chunkInterval = '7 days' } = options;
+    validateInterval(chunkInterval, 'chunk interval');
     const sql = `SELECT create_hypertable('"${table}"', '${timeColumn}', chunk_time_interval => INTERVAL '${chunkInterval}', if_not_exists => TRUE)`;
     return { sql, values: [] };
 }
@@ -24,7 +39,7 @@ export function buildTimeBucket(table, timeColumn, bucketSize, options = {}) {
     const selectCols = [`time_bucket($${paramIndex++}, "${timeColumn}") AS bucket`];
     values.push(bucketSize);
     for (const agg of aggregates) {
-        selectCols.push(agg);
+        selectCols.push(validateAggregate(agg));
     }
     const whereClauses = [];
     if (where) {
@@ -35,7 +50,9 @@ export function buildTimeBucket(table, timeColumn, bucketSize, options = {}) {
         }
     }
     const whereStr = whereClauses.length > 0 ? ` WHERE ${whereClauses.join(' AND ')}` : '';
-    const orderStr = orderBy ? ` ORDER BY ${orderBy}` : '';
+    if (orderBy)
+        validateIdentifier(orderBy, 'ORDER BY column');
+    const orderStr = orderBy ? ` ORDER BY "${orderBy}"` : '';
     let limitStr = '';
     if (limit != null) {
         limitStr = ` LIMIT $${paramIndex++}`;
@@ -52,6 +69,8 @@ export function buildContinuousAggregate(viewName, table, timeColumn, bucketSize
     validateIdentifier(table, 'table name');
     validateIdentifier(timeColumn, 'column name');
     const { withNoData = false } = options;
+    validateInterval(bucketSize, 'bucket size');
+    aggregates.forEach(agg => validateAggregate(agg));
     const selectCols = [
         `time_bucket('${bucketSize}', "${timeColumn}") AS bucket`,
         ...aggregates,
@@ -65,6 +84,7 @@ export function buildContinuousAggregate(viewName, table, timeColumn, bucketSize
  */
 export function buildCompressionPolicy(table, compressAfter) {
     validateIdentifier(table, 'table name');
+    validateInterval(compressAfter, 'compress after interval');
     const sql = `SELECT add_compression_policy('"${table}"', INTERVAL '${compressAfter}', if_not_exists => TRUE)`;
     return { sql };
 }

package/package.json

@@ -4,7 +4,7 @@
     "stonyx-async",
     "stonyx-module"
   ],
-  "version": "0.2.1-alpha.37",
+  "version": "0.2.1-alpha.38",
   "description": "",
   "main": "dist/index.js",
   "type": "module",

package/src/mysql/migration-runner.ts

@@ -2,6 +2,7 @@ import { readFile, fileExists } from '@stonyx/utils/file';
 import path from 'path';
 import fs from 'fs/promises';
 import type { Pool, PoolConnection } from 'mysql2/promise';
+import { validateIdentifier } from './query-builder.js';
 
 interface ParsedMigration {
   up: string;
@@ -9,6 +10,7 @@ interface ParsedMigration {
 }
 
 export async function ensureMigrationsTable(pool: Pool, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   await pool.execute(`
     CREATE TABLE IF NOT EXISTS \`${tableName}\` (
       id INT AUTO_INCREMENT PRIMARY KEY,
@@ -19,6 +21,7 @@ export async function ensureMigrationsTable(pool: Pool, tableName: string = '__m
 }
 
 export async function getAppliedMigrations(pool: Pool, tableName: string = '__migrations'): Promise<string[]> {
+  validateIdentifier(tableName, 'migration table name');
   const [rows] = await pool.execute(
     `SELECT filename FROM \`${tableName}\` ORDER BY id ASC`
   ) as [Array<{ filename: string }>, unknown];
@@ -56,6 +59,7 @@ export function parseMigrationFile(content: string): ParsedMigration {
 }
 
 export async function applyMigration(pool: Pool, filename: string, upSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const connection = await pool.getConnection();
 
   try {
@@ -83,6 +87,7 @@ export async function applyMigration(pool: Pool, filename: string, upSql: string
 }
 
 export async function rollbackMigration(pool: Pool, filename: string, downSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const connection = await pool.getConnection();
 
   try {

package/src/postgres/connection.ts

@@ -1,4 +1,5 @@
 import type { Pool as PgPool } from 'pg';
+import { validateIdentifier } from './query-builder.js';
 
 interface PgConfig {
   host: string;
@@ -32,7 +33,8 @@ export async function getPool(pgConfig: PgConfig, extensions: string[] = ['vecto
 
   // Enable requested PostgreSQL extensions
   for (const ext of extensions) {
-    await pool.query(`CREATE EXTENSION IF NOT EXISTS ${ext}`);
+    validateIdentifier(ext, 'extension name');
+    await pool.query(`CREATE EXTENSION IF NOT EXISTS "${ext}"`);
   }
 
   return pool;

package/src/postgres/migration-runner.ts

@@ -2,8 +2,10 @@ import { readFile, fileExists } from '@stonyx/utils/file';
 import path from 'path';
 import fs from 'fs/promises';
 import type { Pool, PoolClient } from 'pg';
+import { validateIdentifier } from './query-builder.js';
 
 export async function ensureMigrationsTable(pool: Pool, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   await pool.query(`
     CREATE TABLE IF NOT EXISTS "${tableName}" (
       id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
@@ -14,6 +16,7 @@ export async function ensureMigrationsTable(pool: Pool, tableName: string = '__m
 }
 
 export async function getAppliedMigrations(pool: Pool, tableName: string = '__migrations'): Promise<string[]> {
+  validateIdentifier(tableName, 'migration table name');
   const result = await pool.query(
     `SELECT filename FROM "${tableName}" ORDER BY id ASC`
   );
@@ -51,6 +54,7 @@ export function parseMigrationFile(content: string): { up: string; down: string
 }
 
 export async function applyMigration(pool: Pool, filename: string, upSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const client: PoolClient = await pool.connect();
 
   try {
@@ -77,6 +81,7 @@ export async function applyMigration(pool: Pool, filename: string, upSql: string
 }
 
 export async function rollbackMigration(pool: Pool, filename: string, downSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const client: PoolClient = await pool.connect();
 
   try {

package/src/postgres/type-map.ts

@@ -42,6 +42,10 @@ export function getPgType(attrType: string, transformFn?: TransformFn): string {
  * Returns a vector column type for the given dimensions.
  */
 export function getVectorType(dimensions: number): string {
+  if (!Number.isInteger(dimensions) || dimensions < 1 || dimensions > 16000) {
+    throw new Error(`Invalid vector dimensions: ${dimensions}. Must be an integer between 1 and 16000.`);
+  }
+
   return `vector(${dimensions})`;
 }
 

package/src/timescale/query-builder.ts

@@ -3,6 +3,26 @@ export { validateIdentifier, buildInsert, buildUpdate, buildDelete, buildSelect
 
 import { validateIdentifier } from '../postgres/query-builder.js';
 
+const SAFE_INTERVAL = /^\d+\s+(microsecond|millisecond|second|minute|hour|day|week|month|year)s?$/i;
+
+export function validateInterval(interval: string, context: string = 'interval'): string {
+  if (!interval || typeof interval !== 'string' || !SAFE_INTERVAL.test(interval.trim())) {
+    throw new Error(`Invalid SQL ${context}: "${interval}". Intervals must match pattern like "7 days", "1 hour", "30 minutes".`);
+  }
+
+  return interval.trim();
+}
+
+const SAFE_AGGREGATE = /^(COUNT|SUM|AVG|MIN|MAX|FIRST|LAST)\s*\(\s*"?[a-zA-Z_][a-zA-Z0-9_]*"?\s*\)\s*(AS\s+"?[a-zA-Z_][a-zA-Z0-9_]*"?)?$/i;
+
+export function validateAggregate(expr: string, context: string = 'aggregate'): string {
+  if (!expr || typeof expr !== 'string' || !SAFE_AGGREGATE.test(expr.trim())) {
+    throw new Error(`Invalid SQL ${context}: "${expr}". Aggregates must be simple function calls like "AVG(value) AS avg_value".`);
+  }
+
+  return expr.trim();
+}
+
 interface QueryResult {
   sql: string;
   values: unknown[];
@@ -36,6 +56,7 @@ export function buildCreateHypertable(table: string, timeColumn: string, options
   validateIdentifier(timeColumn, 'column name');
 
   const { chunkInterval = '7 days' } = options;
+  validateInterval(chunkInterval, 'chunk interval');
 
   const sql = `SELECT create_hypertable('"${table}"', '${timeColumn}', chunk_time_interval => INTERVAL '${chunkInterval}', if_not_exists => TRUE)`;
 
@@ -57,7 +78,7 @@ export function buildTimeBucket(table: string, timeColumn: string, bucketSize: s
   values.push(bucketSize);
 
   for (const agg of aggregates) {
-    selectCols.push(agg);
+    selectCols.push(validateAggregate(agg));
   }
 
   const whereClauses: string[] = [];
@@ -70,7 +91,8 @@ export function buildTimeBucket(table: string, timeColumn: string, bucketSize: s
   }
 
   const whereStr = whereClauses.length > 0 ? ` WHERE ${whereClauses.join(' AND ')}` : '';
-  const orderStr = orderBy ? ` ORDER BY ${orderBy}` : '';
+  if (orderBy) validateIdentifier(orderBy, 'ORDER BY column');
+  const orderStr = orderBy ? ` ORDER BY "${orderBy}"` : '';
   let limitStr = '';
   if (limit != null) {
     limitStr = ` LIMIT $${paramIndex++}`;
@@ -91,6 +113,8 @@ export function buildContinuousAggregate(viewName: string, table: string, timeCo
   validateIdentifier(timeColumn, 'column name');
 
   const { withNoData = false } = options;
+  validateInterval(bucketSize, 'bucket size');
+  aggregates.forEach(agg => validateAggregate(agg));
 
   const selectCols: string[] = [
     `time_bucket('${bucketSize}', "${timeColumn}") AS bucket`,
@@ -109,6 +133,7 @@ export function buildContinuousAggregate(viewName: string, table: string, timeCo
  */
 export function buildCompressionPolicy(table: string, compressAfter: string): SqlResult {
   validateIdentifier(table, 'table name');
+  validateInterval(compressAfter, 'compress after interval');
 
   const sql = `SELECT add_compression_policy('"${table}"', INTERVAL '${compressAfter}', if_not_exists => TRUE)`;