@vibecheckai/cli 3.4.0 → 3.5.0

package/bin/runners/lib/engines/database-patterns-engine.js

@@ -0,0 +1,429 @@
+/**
+ * Database Patterns Engine
+ * Detects:
+ * - N+1 query patterns
+ * - Missing transaction boundaries
+ * - Unbounded queries (no LIMIT)
+ * - Raw SQL injection risks (beyond basic detection)
+ * - Missing indexes (suggested)
+ * - Connection pool issues
+ * - ORM anti-patterns
+ * - Missing error handling on DB operations
+ */
+
+const { getAST } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
+
+function snippetForLine(lines, line) {
+  return lines[line - 1] ? lines[line - 1].trim() : "";
+}
+
+/**
+ * ORM detection patterns
+ */
+const ORM_PATTERNS = {
+  prisma: {
+    import: /from\s+['"]@prisma\/client['"]/,
+    findMany: /\.findMany\s*\(/,
+    findFirst: /\.findFirst\s*\(/,
+    findUnique: /\.findUnique\s*\(/,
+    create: /\.create\s*\(/,
+    update: /\.update\s*\(/,
+    delete: /\.delete\s*\(/,
+    transaction: /\$transaction/,
+    rawQuery: /\$queryRaw|\$executeRaw/,
+  },
+  drizzle: {
+    import: /from\s+['"]drizzle-orm['"]/,
+    select: /\.select\s*\(/,
+    insert: /\.insert\s*\(/,
+    update: /\.update\s*\(/,
+    delete: /\.delete\s*\(/,
+    rawQuery: /sql`|sql\(/,
+  },
+  typeorm: {
+    import: /from\s+['"]typeorm['"]/,
+    find: /\.find\s*\(/,
+    findOne: /\.findOne\s*\(/,
+    save: /\.save\s*\(/,
+    remove: /\.remove\s*\(/,
+    transaction: /\.transaction\s*\(/,
+    rawQuery: /\.query\s*\(/,
+  },
+  sequelize: {
+    import: /from\s+['"]sequelize['"]/,
+    findAll: /\.findAll\s*\(/,
+    findOne: /\.findOne\s*\(/,
+    create: /\.create\s*\(/,
+    update: /\.update\s*\(/,
+    destroy: /\.destroy\s*\(/,
+    transaction: /\.transaction\s*\(/,
+    rawQuery: /\.query\s*\(/,
+  },
+  mongoose: {
+    import: /from\s+['"]mongoose['"]/,
+    find: /\.find\s*\(/,
+    findOne: /\.findOne\s*\(/,
+    findById: /\.findById\s*\(/,
+    save: /\.save\s*\(/,
+    aggregate: /\.aggregate\s*\(/,
+  },
+  knex: {
+    import: /from\s+['"]knex['"]/,
+    select: /\.select\s*\(/,
+    insert: /\.insert\s*\(/,
+    update: /\.update\s*\(/,
+    delete: /\.del\s*\(|\.delete\s*\(/,
+    transaction: /\.transaction\s*\(/,
+    rawQuery: /\.raw\s*\(/,
+  },
+};
+
+/**
+ * Detect which ORM is being used
+ */
+function detectORM(code) {
+  for (const [name, patterns] of Object.entries(ORM_PATTERNS)) {
+    if (patterns.import.test(code)) {
+      return name;
+    }
+  }
+  return null;
+}
+
+/**
+ * Analyze database patterns
+ */
+function analyzeDatabasePatterns(code, filePath) {
+  const findings = [];
+  
+  if (shouldExcludeFile(filePath)) return findings;
+  if (isTestContext(code, filePath)) return findings;
+  if (hasIgnoreDirective(code, "database-patterns")) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+  
+  const lines = code.split("\n");
+  const orm = detectORM(code);
+  
+  // If no ORM detected, skip most checks
+  if (!orm) return findings;
+  
+  // Track queries for N+1 detection
+  const queriesInLoops = [];
+  let inLoop = false;
+  let loopDepth = 0;
+  
+  // Track if we're in a transaction
+  let inTransaction = false;
+  
+  traverse(ast, {
+    // Track loop entry
+    ForStatement: {
+      enter() { inLoop = true; loopDepth++; },
+      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
+    },
+    ForInStatement: {
+      enter() { inLoop = true; loopDepth++; },
+      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
+    },
+    ForOfStatement: {
+      enter() { inLoop = true; loopDepth++; },
+      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
+    },
+    WhileStatement: {
+      enter() { inLoop = true; loopDepth++; },
+      exit() { loopDepth--; if (loopDepth === 0) inLoop = false; },
+    },
+    
+    // Check for map/forEach with DB calls (potential N+1)
+    CallExpression(path) {
+      const node = path.node;
+      const callee = node.callee;
+      const loc = node.loc?.start;
+      if (!loc) return;
+      
+      // Check for array.map/forEach that might contain DB queries
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
+        const methodName = callee.property.name;
+        
+        if (["map", "forEach", "filter", "reduce"].includes(methodName)) {
+          const callback = node.arguments[0];
+          
+          if (callback && (t.isArrowFunctionExpression(callback) || t.isFunctionExpression(callback))) {
+            // Check if callback contains DB operations
+            let hasDBCall = false;
+            let dbCallLoc = null;
+            
+            path.traverse({
+              CallExpression(innerPath) {
+                const innerNode = innerPath.node;
+                const innerCallee = innerNode.callee;
+                
+                // Check for Prisma patterns
+                if (orm === "prisma" && t.isMemberExpression(innerCallee)) {
+                  const prop = innerCallee.property;
+                  if (t.isIdentifier(prop) && 
+                      ["findUnique", "findFirst", "findMany", "create", "update", "delete"].includes(prop.name)) {
+                    hasDBCall = true;
+                    dbCallLoc = innerNode.loc?.start;
+                  }
+                }
+                
+                // Check for await inside the callback (common pattern)
+                if (t.isAwaitExpression(innerPath.parent)) {
+                  // Check if awaiting a DB operation
+                  const awaitedCode = code.substring(innerNode.start, innerNode.end);
+                  const dbPatterns = [
+                    /findUnique|findFirst|findMany|findOne|findById/,
+                    /\.select\(|\.find\(|\.query\(/,
+                  ];
+                  
+                  if (dbPatterns.some(p => p.test(awaitedCode))) {
+                    hasDBCall = true;
+                    dbCallLoc = innerNode.loc?.start;
+                  }
+                }
+              },
+            });
+            
+            if (hasDBCall) {
+              findings.push({
+                type: "n_plus_1_query",
+                severity: "WARN",
+                category: "DatabasePatterns",
+                file: filePath,
+                line: dbCallLoc?.line || loc.line,
+                column: 0,
+                title: "Potential N+1 query pattern",
+                message: `Database query inside ${methodName}() callback. This executes a query for each item.`,
+                codeSnippet: snippetForLine(lines, dbCallLoc?.line || loc.line),
+                confidence: "high",
+                fixHint: orm === "prisma" 
+                  ? "Use include/select to fetch related data in one query, or use Prisma's createMany/updateMany"
+                  : "Batch queries or use eager loading to reduce database roundtrips",
+              });
+            }
+          }
+        }
+      }
+      
+      // Detect DB operations in loops
+      if (inLoop && t.isMemberExpression(callee)) {
+        const prop = callee.property;
+        const ormPatterns = ORM_PATTERNS[orm];
+        
+        if (ormPatterns && t.isIdentifier(prop)) {
+          const isDbOp = Object.entries(ormPatterns)
+            .filter(([key]) => key !== "import" && key !== "transaction" && key !== "rawQuery")
+            .some(([_, pattern]) => pattern.test(`.${prop.name}(`));
+          
+          if (isDbOp) {
+            findings.push({
+              type: "query_in_loop",
+              severity: "WARN",
+              category: "DatabasePatterns",
+              file: filePath,
+              line: loc.line,
+              column: loc.column,
+              title: "Database query inside loop",
+              message: `${prop.name}() called in a loop may cause performance issues.`,
+              codeSnippet: snippetForLine(lines, loc.line),
+              confidence: "high",
+              fixHint: "Batch operations or fetch all data before the loop",
+            });
+          }
+        }
+      }
+      
+      // Check for findMany/findAll without take/limit
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
+        const methodName = callee.property.name;
+        
+        if (["findMany", "findAll", "find"].includes(methodName)) {
+          const args = node.arguments;
+          let hasLimit = false;
+          
+          if (args.length > 0 && t.isObjectExpression(args[0])) {
+            const props = args[0].properties;
+            hasLimit = props.some(p => 
+              t.isObjectProperty(p) && 
+              t.isIdentifier(p.key) &&
+              ["take", "limit", "first", "last"].includes(p.key.name)
+            );
+          }
+          
+          if (!hasLimit) {
+            findings.push({
+              type: "unbounded_query",
+              severity: "INFO",
+              category: "DatabasePatterns",
+              file: filePath,
+              line: loc.line,
+              column: loc.column,
+              title: "Query without limit",
+              message: `${methodName}() without limit may return excessive data.`,
+              codeSnippet: snippetForLine(lines, loc.line),
+              confidence: "low",
+              fixHint: orm === "prisma" 
+                ? "Add { take: 100 } or implement pagination"
+                : "Add a limit parameter or implement pagination",
+            });
+          }
+        }
+      }
+      
+      // Check for missing transaction in multiple writes
+      // (This is a heuristic check)
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
+        const methodName = callee.property.name;
+        const writeMethods = ["create", "update", "delete", "upsert", "insert", "save", "remove", "destroy"];
+        
+        if (writeMethods.includes(methodName) && !inTransaction) {
+          // Check if there are multiple write operations in the same function
+          const fnParent = path.getFunctionParent();
+          if (fnParent) {
+            let writeCount = 0;
+            
+            fnParent.traverse({
+              CallExpression(innerPath) {
+                const innerCallee = innerPath.node.callee;
+                if (t.isMemberExpression(innerCallee) && t.isIdentifier(innerCallee.property)) {
+                  if (writeMethods.includes(innerCallee.property.name)) {
+                    writeCount++;
+                  }
+                }
+              },
+            });
+            
+            if (writeCount >= 2) {
+              // Check if function uses transaction
+              const fnCode = code.substring(fnParent.node.start, fnParent.node.end);
+              const hasTransaction = /\$transaction|\.transaction\s*\(|BEGIN|COMMIT/.test(fnCode);
+              
+              if (!hasTransaction) {
+                findings.push({
+                  type: "missing_transaction",
+                  severity: "INFO",
+                  category: "DatabasePatterns",
+                  file: filePath,
+                  line: loc.line,
+                  column: loc.column,
+                  title: "Multiple writes without transaction",
+                  message: `Function has ${writeCount} write operations without explicit transaction.`,
+                  codeSnippet: snippetForLine(lines, loc.line),
+                  confidence: "low",
+                  fixHint: orm === "prisma"
+                    ? "Wrap in prisma.$transaction([...])"
+                    : "Wrap operations in a transaction for atomicity",
+                });
+              }
+            }
+          }
+        }
+      }
+      
+      // Check for raw queries (SQL injection risk)
+      if (t.isMemberExpression(callee) && t.isIdentifier(callee.property)) {
+        const methodName = callee.property.name;
+        const rawMethods = ["query", "raw", "$queryRaw", "$executeRaw", "queryRaw", "executeRaw"];
+        
+        if (rawMethods.includes(methodName)) {
+          const args = node.arguments;
+          
+          // Check if using template literal (safer) vs string concatenation
+          if (args.length > 0) {
+            const queryArg = args[0];
+            
+            // String concatenation or interpolation is risky
+            if (t.isBinaryExpression(queryArg, { operator: "+" }) ||
+                (t.isTemplateLiteral(queryArg) && queryArg.expressions.length > 0)) {
+              
+              // Check if expressions are parameterized
+              let hasUnsafeInterpolation = false;
+              
+              if (t.isTemplateLiteral(queryArg)) {
+                // Prisma's Prisma.sql`` is safe, but direct string template isn't
+                const parentCallee = path.parentPath?.node?.callee;
+                const isPrismaSql = t.isMemberExpression(parentCallee) && 
+                  t.isIdentifier(parentCallee.object, { name: "Prisma" }) &&
+                  t.isIdentifier(parentCallee.property, { name: "sql" });
+                
+                if (!isPrismaSql) {
+                  hasUnsafeInterpolation = true;
+                }
+              } else {
+                hasUnsafeInterpolation = true;
+              }
+              
+              if (hasUnsafeInterpolation) {
+                findings.push({
+                  type: "raw_query_interpolation",
+                  severity: "WARN",
+                  category: "DatabasePatterns",
+                  file: filePath,
+                  line: loc.line,
+                  column: loc.column,
+                  title: "Dynamic values in raw query",
+                  message: "Raw query with string interpolation may be vulnerable to SQL injection.",
+                  codeSnippet: snippetForLine(lines, loc.line),
+                  confidence: "med",
+                  fixHint: orm === "prisma"
+                    ? "Use Prisma.sql`` tagged template or $queryRaw with Prisma.sql"
+                    : "Use parameterized queries with placeholders ($1, ?, :name)",
+                });
+              }
+            }
+          }
+        }
+      }
+    },
+    
+    // Check for missing error handling on DB operations
+    AwaitExpression(path) {
+      const node = path.node;
+      const argument = node.argument;
+      const loc = node.loc?.start;
+      if (!loc) return;
+      
+      // Check if it's a DB operation
+      if (t.isCallExpression(argument) && t.isMemberExpression(argument.callee)) {
+        const prop = argument.callee.property;
+        const dbMethods = ["findMany", "findFirst", "findUnique", "findOne", "find", "findAll",
+                          "create", "update", "delete", "save", "query", "execute"];
+        
+        if (t.isIdentifier(prop) && dbMethods.includes(prop.name)) {
+          // Check if inside try-catch
+          const tryParent = path.findParent(p => p.isTryStatement());
+          
+          if (!tryParent) {
+            findings.push({
+              type: "db_no_error_handling",
+              severity: "INFO",
+              category: "DatabasePatterns",
+              file: filePath,
+              line: loc.line,
+              column: loc.column,
+              title: "Database operation without error handling",
+              message: `${prop.name}() should be wrapped in try-catch for proper error handling.`,
+              codeSnippet: snippetForLine(lines, loc.line),
+              confidence: "low",
+              fixHint: "Wrap in try-catch to handle potential database errors",
+            });
+          }
+        }
+      }
+    },
+  });
+  
+  return findings;
+}
+
+module.exports = {
+  analyzeDatabasePatterns,
+  detectORM,
+  ORM_PATTERNS,
+};