proxql 0.1.0

package/dist/index.js

@@ -0,0 +1,766 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  RuleSeverity: () => RuleSeverity,
+  SecurityConfig: () => SecurityConfig,
+  ValidationResult: () => ValidationResult,
+  Validator: () => Validator,
+  default: () => index_default,
+  isSafe: () => isSafe,
+  validate: () => validate
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/validator.ts
+var import_node_sql_parser = require("node-sql-parser");
+
+// src/result.ts
+var ValidationResult = class _ValidationResult {
+  /** Whether the query passed all validation checks */
+  isSafe;
+  /** Explanation if the query was blocked (undefined if safe) */
+  reason;
+  /** The type of SQL statement (SELECT, INSERT, DROP, etc.) */
+  statementType;
+  /** Tables referenced in the query */
+  tables;
+  constructor(data) {
+    this.isSafe = data.isSafe;
+    this.reason = data.reason;
+    this.statementType = data.statementType;
+    this.tables = data.tables ?? [];
+  }
+  /**
+   * Create a safe validation result.
+   */
+  static safe(meta = {}) {
+    return new _ValidationResult({ isSafe: true, ...meta });
+  }
+  /**
+   * Create an unsafe validation result with a reason.
+   */
+  static unsafe(reason, meta = {}) {
+    return new _ValidationResult({ isSafe: false, reason, ...meta });
+  }
+  /**
+   * Allow using ValidationResult in boolean context.
+   * Note: This is for documentation purposes; JS doesn't support operator overloading.
+   * Use result.isSafe directly.
+   */
+  valueOf() {
+    return this.isSafe;
+  }
+  toString() {
+    if (this.isSafe) {
+      return `ValidationResult(safe, type=${this.statementType ?? "unknown"})`;
+    }
+    return `ValidationResult(unsafe, reason="${this.reason}")`;
+  }
+};
+
+// src/security.ts
+var RuleSeverity = /* @__PURE__ */ ((RuleSeverity2) => {
+  RuleSeverity2["LOW"] = "LOW";
+  RuleSeverity2["MEDIUM"] = "MEDIUM";
+  RuleSeverity2["HIGH"] = "HIGH";
+  RuleSeverity2["CRITICAL"] = "CRITICAL";
+  return RuleSeverity2;
+})(RuleSeverity || {});
+var SEVERITY_ORDER = {
+  ["LOW" /* LOW */]: 1,
+  ["MEDIUM" /* MEDIUM */]: 2,
+  ["HIGH" /* HIGH */]: 3,
+  ["CRITICAL" /* CRITICAL */]: 4
+};
+function compareSeverity(a, b) {
+  return SEVERITY_ORDER[a] - SEVERITY_ORDER[b];
+}
+var SecurityConfig = class {
+  /** Whether security checks are enabled */
+  enabled;
+  /** Minimum severity level to check */
+  minimumSeverity;
+  /** Rule IDs that are disabled */
+  disabledRules;
+  /** If set, only these rules run (whitelist mode) */
+  enabledRules;
+  /** Whether LOW severity should block queries */
+  failOnLow;
+  constructor(options = {}) {
+    this.enabled = options.enabled ?? true;
+    if (typeof options.minimumSeverity === "string") {
+      this.minimumSeverity = RuleSeverity[options.minimumSeverity];
+    } else {
+      this.minimumSeverity = options.minimumSeverity ?? "HIGH" /* HIGH */;
+    }
+    if (Array.isArray(options.disabledRules)) {
+      this.disabledRules = new Set(options.disabledRules);
+    } else {
+      this.disabledRules = options.disabledRules ?? /* @__PURE__ */ new Set();
+    }
+    if (Array.isArray(options.enabledRules)) {
+      this.enabledRules = new Set(options.enabledRules);
+    } else if (options.enabledRules instanceof Set) {
+      this.enabledRules = options.enabledRules;
+    } else {
+      this.enabledRules = null;
+    }
+    this.failOnLow = options.failOnLow ?? false;
+  }
+  /**
+   * Check if a rule should run based on this configuration.
+   */
+  shouldRunRule(ruleId, severity) {
+    if (!this.enabled) return false;
+    if (this.disabledRules.has(ruleId)) return false;
+    if (this.enabledRules !== null && !this.enabledRules.has(ruleId)) {
+      return false;
+    }
+    if (compareSeverity(severity, this.minimumSeverity) < 0) {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Check if a finding at this severity should fail validation.
+   */
+  shouldFail(severity) {
+    if (severity === "LOW" /* LOW */ && !this.failOnLow) {
+      return false;
+    }
+    return true;
+  }
+};
+
+// src/rules/index.ts
+var systemCommandRule = {
+  ruleId: "system-command",
+  name: "System Command Detection",
+  description: "Detects xp_cmdshell, xp_regread, and other system command functions",
+  severity: "CRITICAL" /* CRITICAL */,
+  check(sql) {
+    const patterns = [
+      /\bxp_cmdshell\s*\(/i,
+      /\bxp_regread\s*\(/i,
+      /\bxp_regwrite\s*\(/i,
+      /\bxp_servicecontrol\s*\(/i,
+      /\bsp_oacreate\s*\(/i,
+      /\bsp_oamethod\s*\(/i
+    ];
+    for (const pattern of patterns) {
+      const match = sql.match(pattern);
+      if (match) {
+        const funcName = match[0].replace(/\s*\($/, "");
+        return {
+          ruleId: this.ruleId,
+          message: `System command function '${funcName}' detected`,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var fileAccessRule = {
+  ruleId: "file-access",
+  name: "File Access Detection",
+  description: "Detects INTO OUTFILE, LOAD DATA, COPY, pg_read_file, etc.",
+  severity: "CRITICAL" /* CRITICAL */,
+  check(sql) {
+    const patterns = [
+      { pattern: /\bINTO\s+OUTFILE\b/i, message: "INTO OUTFILE clause detected" },
+      { pattern: /\bINTO\s+DUMPFILE\b/i, message: "INTO DUMPFILE clause detected" },
+      { pattern: /\bLOAD\s+DATA\s+INFILE\b/i, message: "LOAD DATA INFILE detected" },
+      { pattern: /\bLOAD_FILE\s*\(/i, message: "LOAD_FILE function detected" },
+      { pattern: /\bpg_read_file\s*\(/i, message: "Dangerous file function 'pg_read_file' detected" },
+      { pattern: /\bpg_read_binary_file\s*\(/i, message: "pg_read_binary_file function detected" },
+      { pattern: /\bCOPY\s+\w+\s+(TO|FROM)\b/i, message: "COPY command detected" }
+    ];
+    for (const { pattern, message } of patterns) {
+      if (pattern.test(sql)) {
+        return {
+          ruleId: this.ruleId,
+          message,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var dynamicSqlRule = {
+  ruleId: "dynamic-sql",
+  name: "Dynamic SQL Detection",
+  description: "Detects EXEC, EXECUTE, PREPARE statements",
+  severity: "CRITICAL" /* CRITICAL */,
+  check(sql) {
+    const patterns = [
+      { pattern: /\bEXEC\s*\(/i, message: "EXEC statement detected" },
+      { pattern: /\bEXECUTE\s+/i, message: "EXECUTE statement detected" },
+      { pattern: /\bPREPARE\s+\w+\s+FROM\b/i, message: "PREPARE statement detected" },
+      { pattern: /\bsp_executesql\b/i, message: "sp_executesql detected" }
+    ];
+    for (const { pattern, message } of patterns) {
+      if (pattern.test(sql)) {
+        return {
+          ruleId: this.ruleId,
+          message,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var privilegeEscalationRule = {
+  ruleId: "privilege-escalation",
+  name: "Privilege Escalation Detection",
+  description: "Detects CREATE USER, ALTER USER, SET ROLE",
+  severity: "CRITICAL" /* CRITICAL */,
+  check(sql) {
+    const patterns = [
+      { pattern: /\bCREATE\s+USER\b/i, message: "CREATE USER detected" },
+      { pattern: /\bALTER\s+USER\b/i, message: "ALTER USER detected" },
+      { pattern: /\bSET\s+ROLE\b/i, message: "SET ROLE detected" },
+      { pattern: /\bGRANT\b/i, message: "GRANT statement detected" },
+      { pattern: /\bSUPERUSER\b/i, message: "SUPERUSER privilege detected" }
+    ];
+    for (const { pattern, message } of patterns) {
+      if (pattern.test(sql)) {
+        return {
+          ruleId: this.ruleId,
+          message,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var storedProcedureRule = {
+  ruleId: "stored-procedure",
+  name: "Stored Procedure Detection",
+  description: "Detects CALL statements",
+  severity: "HIGH" /* HIGH */,
+  check(sql) {
+    if (/\bCALL\s+\w+/i.test(sql)) {
+      return {
+        ruleId: this.ruleId,
+        message: "CALL statement detected",
+        severity: this.severity
+      };
+    }
+    return null;
+  }
+};
+var dangerousFunctionsRule = {
+  ruleId: "dangerous-functions",
+  name: "Dangerous Functions Detection",
+  description: "Detects SLEEP, BENCHMARK, and similar DoS-prone functions",
+  severity: "MEDIUM" /* MEDIUM */,
+  check(sql) {
+    const patterns = [
+      { pattern: /\bSLEEP\s*\(/i, message: "SLEEP function detected (timing attack)" },
+      { pattern: /\bpg_sleep\s*\(/i, message: "pg_sleep function detected (timing attack)" },
+      { pattern: /\bBENCHMARK\s*\(/i, message: "BENCHMARK function detected (DoS vector)" },
+      { pattern: /\bWAITFOR\s+DELAY\b/i, message: "WAITFOR DELAY detected (timing attack)" }
+    ];
+    for (const { pattern, message } of patterns) {
+      if (pattern.test(sql)) {
+        return {
+          ruleId: this.ruleId,
+          message,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var hexEncodingRule = {
+  ruleId: "hex-encoding",
+  name: "Hex Encoding Detection",
+  description: "Detects hex-encoded SQL keywords like 0x44524F50 (DROP)",
+  severity: "MEDIUM" /* MEDIUM */,
+  check(sql) {
+    const hexPattern = /0x([0-9A-Fa-f]{6,})/g;
+    const dangerousKeywords = ["DROP", "DELETE", "TRUNCATE", "ALTER", "EXEC", "UNION", "SELECT"];
+    let match;
+    while ((match = hexPattern.exec(sql)) !== null) {
+      try {
+        const hexValue = match[1];
+        let decoded = "";
+        for (let i = 0; i < hexValue.length; i += 2) {
+          decoded += String.fromCharCode(parseInt(hexValue.substr(i, 2), 16));
+        }
+        const decodedUpper = decoded.toUpperCase();
+        for (const keyword of dangerousKeywords) {
+          if (decodedUpper.includes(keyword)) {
+            return {
+              ruleId: this.ruleId,
+              message: `Hex-encoded SQL keyword detected: '${keyword}' in ${match[0]}`,
+              severity: this.severity
+            };
+          }
+        }
+      } catch {
+      }
+    }
+    return null;
+  }
+};
+var charFunctionRule = {
+  ruleId: "char-function",
+  name: "CHAR Function Detection",
+  description: "Detects CHAR() function constructing SQL keywords",
+  severity: "MEDIUM" /* MEDIUM */,
+  check(sql) {
+    const dangerousKeywords = ["DROP", "DELETE", "TRUNCATE", "ALTER", "EXEC", "UNION"];
+    const charPattern = /\bCH(?:AR|R)\s*\(\s*(\d+)\s*\)/gi;
+    const chars = [];
+    let match;
+    while ((match = charPattern.exec(sql)) !== null) {
+      chars.push(parseInt(match[1], 10));
+    }
+    if (chars.length >= 4) {
+      const constructed = chars.map((c) => String.fromCharCode(c)).join("");
+      for (const keyword of dangerousKeywords) {
+        if (constructed.toUpperCase().includes(keyword)) {
+          return {
+            ruleId: this.ruleId,
+            message: `CHAR()-constructed SQL keyword detected: '${keyword}'`,
+            severity: this.severity
+          };
+        }
+      }
+    }
+    return null;
+  }
+};
+var stringConcatRule = {
+  ruleId: "string-concat",
+  name: "String Concatenation Detection",
+  description: "Detects string concatenation building keywords like 'DR' || 'OP'",
+  severity: "MEDIUM" /* MEDIUM */,
+  check(sql) {
+    const dangerousKeywords = ["DROP", "DELETE", "TRUNCATE", "ALTER", "EXEC", "UNION"];
+    const concatPattern = /'([^']+)'\s*\|\|\s*'([^']+)'/g;
+    let match;
+    while ((match = concatPattern.exec(sql)) !== null) {
+      const combined = (match[1] + match[2]).toUpperCase();
+      for (const keyword of dangerousKeywords) {
+        if (combined.includes(keyword)) {
+          return {
+            ruleId: this.ruleId,
+            message: `String concatenation building '${keyword}' detected`,
+            severity: this.severity
+          };
+        }
+      }
+    }
+    return null;
+  }
+};
+var unicodeObfuscationRule = {
+  ruleId: "unicode-obfuscation",
+  name: "Unicode Obfuscation Detection",
+  description: "Detects Cyrillic/Greek characters masquerading as ASCII",
+  severity: "HIGH" /* HIGH */,
+  check(sql) {
+    const homoglyphs = {
+      "\u0430": "a",
+      // Cyrillic а
+      "\u0435": "e",
+      // Cyrillic е
+      "\u043E": "o",
+      // Cyrillic о
+      "\u0440": "p",
+      // Cyrillic р
+      "\u0441": "c",
+      // Cyrillic с
+      "\u0445": "x",
+      // Cyrillic х
+      "\u0443": "y",
+      // Cyrillic у
+      "\u0456": "i",
+      // Cyrillic і
+      "\u0391": "A",
+      // Greek Α
+      "\u0392": "B",
+      // Greek Β
+      "\u0395": "E",
+      // Greek Ε
+      "\u0397": "H",
+      // Greek Η
+      "\u0399": "I",
+      // Greek Ι
+      "\u039A": "K",
+      // Greek Κ
+      "\u039C": "M",
+      // Greek Μ
+      "\u039D": "N",
+      // Greek Ν
+      "\u039F": "O",
+      // Greek Ο
+      "\u03A1": "P",
+      // Greek Ρ
+      "\u03A4": "T",
+      // Greek Τ
+      "\u03A7": "X",
+      // Greek Χ
+      "\u03A5": "Y",
+      // Greek Υ
+      "\u0417": "Z"
+      // Greek Ζ
+    };
+    for (const char of sql) {
+      if (homoglyphs[char]) {
+        return {
+          ruleId: this.ruleId,
+          message: `Unicode homoglyphs detected - possible keyword obfuscation`,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var transactionAbuseRule = {
+  ruleId: "transaction-abuse",
+  name: "Transaction Abuse Detection",
+  description: "Detects LOCK TABLE and other DoS vectors",
+  severity: "MEDIUM" /* MEDIUM */,
+  check(sql) {
+    if (/\bLOCK\s+TABLE\b/i.test(sql)) {
+      return {
+        ruleId: this.ruleId,
+        message: "LOCK TABLE detected (DoS vector)",
+        severity: this.severity
+      };
+    }
+    return null;
+  }
+};
+var metadataAccessRule = {
+  ruleId: "metadata-access",
+  name: "Metadata Access Detection",
+  description: "Detects access to information_schema, pg_catalog, etc.",
+  severity: "LOW" /* LOW */,
+  check(sql) {
+    const patterns = [
+      { pattern: /\binformation_schema\b/i, message: "Access to information_schema detected" },
+      { pattern: /\bpg_catalog\b/i, message: "Access to pg_catalog detected" },
+      { pattern: /\bpg_\w+\b/i, message: "Access to PostgreSQL system table detected" },
+      { pattern: /\bmysql\.\w+\b/i, message: "Access to MySQL system table detected" },
+      { pattern: /\bsys\.\w+\b/i, message: "Access to sys schema detected" }
+    ];
+    for (const { pattern, message } of patterns) {
+      if (pattern.test(sql)) {
+        return {
+          ruleId: this.ruleId,
+          message,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var schemaCommandRule = {
+  ruleId: "schema-commands",
+  name: "Schema Command Detection",
+  description: "Detects SHOW TABLES, DESCRIBE, EXPLAIN",
+  severity: "LOW" /* LOW */,
+  check(sql) {
+    const patterns = [
+      { pattern: /\bSHOW\s+TABLES\b/i, message: "SHOW TABLES detected" },
+      { pattern: /\bSHOW\s+DATABASES\b/i, message: "SHOW DATABASES detected" },
+      { pattern: /\bDESCRIBE\s+\w+\b/i, message: "DESCRIBE command detected" },
+      { pattern: /\bDESC\s+\w+\b/i, message: "DESC command detected" }
+    ];
+    for (const { pattern, message } of patterns) {
+      if (pattern.test(sql)) {
+        return {
+          ruleId: this.ruleId,
+          message,
+          severity: this.severity
+        };
+      }
+    }
+    return null;
+  }
+};
+var ALL_RULES = [
+  systemCommandRule,
+  fileAccessRule,
+  dynamicSqlRule,
+  privilegeEscalationRule,
+  storedProcedureRule,
+  dangerousFunctionsRule,
+  hexEncodingRule,
+  charFunctionRule,
+  stringConcatRule,
+  unicodeObfuscationRule,
+  transactionAbuseRule,
+  metadataAccessRule,
+  schemaCommandRule
+];
+function runSecurityRules(sql, ast, config) {
+  for (const rule of ALL_RULES) {
+    if (!config.shouldRunRule(rule.ruleId, rule.severity)) {
+      continue;
+    }
+    const violation = rule.check(sql, ast);
+    if (violation && config.shouldFail(violation.severity)) {
+      return ValidationResult.unsafe(violation.message);
+    }
+  }
+  return ValidationResult.safe();
+}
+
+// src/validator.ts
+var READ_ONLY_ALLOWED = /* @__PURE__ */ new Set(["SELECT"]);
+var WRITE_SAFE_ALLOWED = /* @__PURE__ */ new Set(["SELECT", "INSERT", "UPDATE"]);
+var WRITE_SAFE_BLOCKED = /* @__PURE__ */ new Set([
+  "DELETE",
+  "DROP",
+  "TRUNCATE",
+  "ALTER",
+  "CREATE",
+  "GRANT",
+  "REVOKE"
+]);
+var Validator = class {
+  mode;
+  allowedTables;
+  allowedStatements;
+  blockedStatements;
+  dialect;
+  securityConfig;
+  parser;
+  constructor(options = {}) {
+    this.mode = options.mode ?? "read_only";
+    this.dialect = options.dialect ?? "postgresql";
+    this.parser = new import_node_sql_parser.Parser();
+    if (options.allowedTables) {
+      this.allowedTables = new Set(options.allowedTables.map((t) => t.toLowerCase()));
+    } else {
+      this.allowedTables = null;
+    }
+    if (options.securityConfig === false) {
+      this.securityConfig = null;
+    } else if (options.securityConfig === true || options.securityConfig === void 0) {
+      this.securityConfig = new SecurityConfig();
+    } else if (options.securityConfig instanceof SecurityConfig) {
+      this.securityConfig = options.securityConfig;
+    } else {
+      this.securityConfig = new SecurityConfig(options.securityConfig);
+    }
+    this.allowedStatements = this.initAllowedStatements(options);
+    this.blockedStatements = this.initBlockedStatements(options);
+  }
+  initAllowedStatements(options) {
+    switch (this.mode) {
+      case "read_only":
+        return READ_ONLY_ALLOWED;
+      case "write_safe":
+        return WRITE_SAFE_ALLOWED;
+      case "custom":
+        if (options.allowedStatements) {
+          return new Set(options.allowedStatements.map((s) => s.toUpperCase()));
+        }
+        return null;
+      default:
+        return READ_ONLY_ALLOWED;
+    }
+  }
+  initBlockedStatements(options) {
+    switch (this.mode) {
+      case "read_only":
+        return null;
+      // read_only uses allowlist only
+      case "write_safe":
+        return WRITE_SAFE_BLOCKED;
+      case "custom":
+        if (options.blockedStatements) {
+          return new Set(options.blockedStatements.map((s) => s.toUpperCase()));
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  /**
+   * Validate a SQL query.
+   */
+  validate(sql) {
+    if (!sql || !sql.trim()) {
+      return ValidationResult.unsafe("Query is empty or contains only whitespace");
+    }
+    try {
+      const ast = this.parser.astify(sql, { database: this.mapDialect(this.dialect) });
+      const statements = Array.isArray(ast) ? ast : [ast];
+      if (statements.length === 0) {
+        return ValidationResult.unsafe("No valid SQL statements found");
+      }
+      for (const stmt of statements) {
+        const typeResult = this.checkStatementType(stmt);
+        if (!typeResult.isSafe) return typeResult;
+        const tableResult = this.checkTables(stmt, sql);
+        if (!tableResult.isSafe) return tableResult;
+      }
+      if (this.securityConfig) {
+        const securityResult = runSecurityRules(sql, ast, this.securityConfig);
+        if (!securityResult.isSafe) return securityResult;
+      }
+      const firstStmt = statements[0] ?? null;
+      return ValidationResult.safe({
+        statementType: this.getStatementType(firstStmt),
+        tables: this.extractAllTables(statements)
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return ValidationResult.unsafe(`SQL parse error: ${message}`);
+    }
+  }
+  mapDialect(dialect) {
+    const dialectMap = {
+      postgres: "postgresql",
+      postgresql: "postgresql",
+      mysql: "mysql",
+      sqlite: "sqlite",
+      snowflake: "snowflake",
+      bigquery: "bigquery",
+      redshift: "redshift",
+      hive: "hive",
+      spark: "spark",
+      trino: "trino",
+      presto: "trino",
+      flinksql: "flinksql",
+      transactsql: "transactsql",
+      mssql: "transactsql",
+      sqlserver: "transactsql"
+    };
+    return dialectMap[dialect.toLowerCase()] ?? "postgresql";
+  }
+  getStatementType(stmt) {
+    if (!stmt) return "UNKNOWN";
+    return stmt.type?.toUpperCase() ?? "UNKNOWN";
+  }
+  checkStatementType(stmt) {
+    const stmtType = this.getStatementType(stmt);
+    if (this.blockedStatements?.has(stmtType)) {
+      return ValidationResult.unsafe(
+        `Statement type '${stmtType}' is blocked in ${this.mode} mode`
+      );
+    }
+    if (this.allowedStatements && !this.allowedStatements.has(stmtType)) {
+      return ValidationResult.unsafe(
+        `Statement type '${stmtType}' is not allowed in ${this.mode} mode`
+      );
+    }
+    return ValidationResult.safe();
+  }
+  checkTables(stmt, _sql) {
+    if (!this.allowedTables) return ValidationResult.safe();
+    const tables = this.extractTables(stmt);
+    for (const table of tables) {
+      const tableLower = table.toLowerCase();
+      if (!this.allowedTables.has(tableLower)) {
+        return ValidationResult.unsafe(
+          `Table '${table}' is not in allowed tables list`
+        );
+      }
+    }
+    return ValidationResult.safe();
+  }
+  extractTables(stmt) {
+    const tables = [];
+    this.walkAst(stmt, (node) => {
+      if (node && typeof node === "object") {
+        if (node.table && typeof node.table === "string") {
+          tables.push(node.table);
+        }
+        if (Array.isArray(node.from)) {
+          for (const item of node.from) {
+            if (item?.table) tables.push(item.table);
+          }
+        }
+      }
+    });
+    return [...new Set(tables)];
+  }
+  extractAllTables(statements) {
+    const allTables = [];
+    for (const stmt of statements) {
+      allTables.push(...this.extractTables(stmt));
+    }
+    return [...new Set(allTables)];
+  }
+  walkAst(node, callback) {
+    if (!node || typeof node !== "object") return;
+    callback(node);
+    if (Array.isArray(node)) {
+      for (const item of node) {
+        this.walkAst(item, callback);
+      }
+    } else {
+      for (const key of Object.keys(node)) {
+        this.walkAst(node[key], callback);
+      }
+    }
+  }
+};
+
+// src/index.ts
+var defaultValidator = new Validator({ mode: "read_only" });
+function validate(sql, options) {
+  const isDefault = !options || (options.mode === "read_only" || options.mode === void 0) && !options.allowedTables && !options.dialect && (options.security === true || options.security === void 0);
+  if (isDefault) {
+    return defaultValidator.validate(sql);
+  }
+  const validatorOptions = {
+    mode: options?.mode ?? "read_only",
+    allowedTables: options?.allowedTables,
+    dialect: options?.dialect,
+    securityConfig: options?.security
+  };
+  const validator = new Validator(validatorOptions);
+  return validator.validate(sql);
+}
+function isSafe(sql, options) {
+  return validate(sql, options).isSafe;
+}
+var index_default = {
+  validate,
+  isSafe,
+  Validator
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  RuleSeverity,
+  SecurityConfig,
+  ValidationResult,
+  Validator,
+  isSafe,
+  validate
+});