npm - agent-sql - Versions diffs - 0.3.1 → 0.3.3 - Mend

agent-sql 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.mjs +127 -3
package/package.json +1 -1

package/dist/index.mjs CHANGED Viewed

@@ -778,7 +778,12 @@ function checkWhereExpr(expr, allowed) {
 function defineSchema(schema) {
 	return schema;
 }
-function checkJoins(ast, schema) {
+function validateJoins(ast, schema) {
+	const ast2 = checkJoinColumns(ast, schema);
+	if (!ast2.ok) return ast2;
+	return checkJoinContinuity(ast);
+}
+function checkJoinColumns(ast, schema) {
 	if (schema === void 0) {
 		if (ast.joins.length > 0) return Err(new SanitiseError("No joins allowed when using simple API without schema."));
 		return Ok(ast);
@@ -788,7 +793,10 @@ function checkJoins(ast, schema) {
 		const joinSettings = schema[join.table.name];
 		if (joinSettings === void 0) return Err(new SanitiseError(`Table ${join.table.name} is not allowed`));
 		if (join.condition === null || join.condition.type === "join_using" || join.condition.expr.type !== "where_comparison" || join.condition.expr.operator !== "=" || join.condition.expr.left.type !== "where_value" || join.condition.expr.left.kind !== "column_ref" || join.condition.expr.right.type !== "where_value" || join.condition.expr.right.kind !== "column_ref") return Err(new SanitiseError("Only JOIN ON column_ref = column_ref supported"));
-		const { joining, foreign } = getJoinTableRef(join.table.name, join.condition.expr.left.ref, join.condition.expr.right.ref);
+		const leftRef = join.condition.expr.left.ref;
+		const rightRef = join.condition.expr.right.ref;
+		if (leftRef.table !== join.table.name && rightRef.table !== join.table.name) return Err(new SanitiseError(`JOIN ${join.table.name} ON clause does not reference ${join.table.name}`));
+		const { joining, foreign } = getJoinTableRef(join.table.name, leftRef, rightRef);
 		const joinTableCol = joinSettings[joining.name];
 		if (joinTableCol === void 0) return Err(new SanitiseError(`Tried to join using ${join.table.name}.${joining.name}`));
 		if (joinTableCol === null) {
@@ -811,6 +819,122 @@ function getJoinTableRef(joinTableName, left, right) {
 		foreign: left
 	};
 }
+/**
+* Validates that all tables in the query's FROM/JOIN clauses form a single
+* connected component via the ON predicates. A disconnected table would produce
+* an implicit cross product which can leak data across tenants.
+*
+* Returns the AST unchanged if valid, or a SanitiseError listing the
+* disconnected tables.
+*/
+function checkJoinContinuity(ast) {
+	if (ast.joins.length === 0) return Ok(ast);
+	const tables = /* @__PURE__ */ new Set();
+	tables.add(ast.from.table.name);
+	for (const join of ast.joins) tables.add(join.table.name);
+	if (tables.size <= 1) return Ok(ast);
+	const adjacency = /* @__PURE__ */ new Map();
+	for (const table of tables) adjacency.set(table, /* @__PURE__ */ new Set());
+	for (const join of ast.joins) {
+		if (join.condition === null) continue;
+		if (join.condition.type === "join_using") continue;
+		const referencedTables = /* @__PURE__ */ new Set();
+		collectTableRefsFromExpr(join.condition.expr, referencedTables);
+		const relevantTables = [];
+		for (const t of referencedTables) if (tables.has(t)) relevantTables.push(t);
+		for (let i = 0; i < relevantTables.length; i++) for (let j = i + 1; j < relevantTables.length; j++) {
+			adjacency.get(relevantTables[i]).add(relevantTables[j]);
+			adjacency.get(relevantTables[j]).add(relevantTables[i]);
+		}
+	}
+	const start = ast.from.table.name;
+	const visited = /* @__PURE__ */ new Set();
+	const queue = [start];
+	visited.add(start);
+	while (queue.length > 0) {
+		const current = queue.shift();
+		for (const neighbor of adjacency.get(current) ?? []) if (!visited.has(neighbor)) {
+			visited.add(neighbor);
+			queue.push(neighbor);
+		}
+	}
+	if (visited.size === tables.size) return Ok(ast);
+	const disconnected = [];
+	for (const table of tables) if (!visited.has(table)) disconnected.push(table);
+	disconnected.sort();
+	return Err(new SanitiseError(`Disconnected table(s) in query: ${disconnected.join(", ")}. All tables must be connected via JOIN ON predicates.`));
+}
+/** Recursively collect table names from column references in a WhereExpr. */
+function collectTableRefsFromExpr(expr, out) {
+	switch (expr.type) {
+		case "where_and":
+		case "where_or":
+			collectTableRefsFromExpr(expr.left, out);
+			collectTableRefsFromExpr(expr.right, out);
+			break;
+		case "where_not":
+			collectTableRefsFromExpr(expr.expr, out);
+			break;
+		case "where_comparison":
+			collectTableRefsFromValue(expr.left, out);
+			collectTableRefsFromValue(expr.right, out);
+			break;
+		case "where_is_null":
+			collectTableRefsFromValue(expr.expr, out);
+			break;
+		case "where_is_bool":
+			collectTableRefsFromValue(expr.expr, out);
+			break;
+		case "where_between":
+			collectTableRefsFromValue(expr.expr, out);
+			collectTableRefsFromValue(expr.low, out);
+			collectTableRefsFromValue(expr.high, out);
+			break;
+		case "where_in":
+			collectTableRefsFromValue(expr.expr, out);
+			for (const v of expr.list) collectTableRefsFromValue(v, out);
+			break;
+		case "where_like":
+			collectTableRefsFromValue(expr.expr, out);
+			collectTableRefsFromValue(expr.pattern, out);
+			break;
+		case "where_ts_match":
+			collectTableRefsFromValue(expr.left, out);
+			collectTableRefsFromValue(expr.right, out);
+			break;
+	}
+}
+/** Recursively collect table names from column references in a WhereValue. */
+function collectTableRefsFromValue(val, out) {
+	switch (val.type) {
+		case "where_value":
+			if (val.kind === "column_ref" && val.ref.table) out.add(val.ref.table);
+			else if (val.kind === "func_call") {
+				if (val.func.args.kind === "args") for (const arg of val.func.args.args) collectTableRefsFromValue(arg, out);
+			}
+			break;
+		case "where_arith":
+		case "where_jsonb_op":
+		case "where_pgvector_op":
+			collectTableRefsFromValue(val.left, out);
+			collectTableRefsFromValue(val.right, out);
+			break;
+		case "where_unary_minus":
+			collectTableRefsFromValue(val.expr, out);
+			break;
+		case "case_expr":
+			if (val.subject) collectTableRefsFromValue(val.subject, out);
+			for (const w of val.whens) {
+				collectTableRefsFromValue(w.condition, out);
+				collectTableRefsFromValue(w.result, out);
+			}
+			if (val.else) collectTableRefsFromValue(val.else, out);
+			break;
+		case "cast_expr":
+			collectTableRefsFromValue(val.expr, out);
+			break;
+	}
+}
 //#endregion
 //#region src/graph.ts
 function insertNeededGuardJoins(ast, schema, guards, autoJoin) {
@@ -7375,7 +7499,7 @@ function privateAgentSql(sql, { guards: guardsRaw, schema, autoJoin, limit, pret
 	if (!guards.ok) throw guards.error;
 	const ast = parseSql(sql);
 	if (!ast.ok) return returnOrThrow(ast, throws);
-	const ast2 = checkJoins(ast.data, schema);
+	const ast2 = validateJoins(ast.data, schema);
 	if (!ast2.ok) return returnOrThrow(ast2, throws);
 	const ast3 = checkFunctions(ast2.data, db, allowExtraFunctions);
 	if (!ast3.ok) return returnOrThrow(ast3, throws);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agent-sql",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "A starter for creating a TypeScript package.",
   "keywords": [
     "agent",