rds_ssm_connect 1.7.17 → 1.8.1

package/configLoader.js

@@ -50,8 +50,10 @@ const REQUIRED_FIELDS = [
 ]
 
 const VALID_RDS_TYPES = ['cluster', 'instance']
+const VALID_ENGINES = ['postgres', 'mysql']
 const REGION_PATTERN = /^[a-z]{2}(-[a-z]+-\d+)$/
 const PORT_PATTERN = /^\d+$/
+const SHELL_SAFE_PATTERN = /^[a-zA-Z0-9._!/-]+$/
 
 export function validateProjectConfig(config) {
   const errors = []
@@ -66,6 +68,16 @@ export function validateProjectConfig(config) {
     errors.push(`rdsType must be one of: ${VALID_RDS_TYPES.join(', ')}`)
   }
 
+  if (config.engine !== undefined && config.engine !== null && !VALID_ENGINES.includes(config.engine)) {
+    errors.push(`engine must be one of: ${VALID_ENGINES.join(', ')}`)
+  }
+
+  for (const field of ['secretPrefix', 'rdsPattern', 'database']) {
+    if (config[field] && !SHELL_SAFE_PATTERN.test(config[field])) {
+      errors.push(`${field} contains invalid characters (only alphanumeric, dots, underscores, hyphens, slashes, and ! allowed)`)
+    }
+  }
+
   if (config.region && !REGION_PATTERN.test(config.region)) {
     errors.push(`Invalid region format: ${config.region}`)
   }

package/connect.js

@@ -14,7 +14,7 @@ import {
 } from './configLoader.js'
 
 // Package info for version checking
-const packageJson = { name: 'rds_ssm_connect', version: '1.7.17' }
+const packageJson = { name: 'rds_ssm_connect', version: '1.8.1' }
 
 const execAsync = promisify(exec)
 
@@ -422,6 +422,15 @@ async function _startPortForwarding(
   )
 }
 
+// Validation patterns for security
+const PROFILE_SAFE_PATTERN = /^[a-zA-Z0-9._-]+$/
+const INSTANCE_ID_PATTERN = /^i-[a-f0-9]{8,17}$/
+const HOSTNAME_PATTERN = /^[a-zA-Z0-9.-]+$/
+
+function getDefaultPortForEngine(projectConfig) {
+  return projectConfig.engine === 'mysql' ? '3306' : '5432'
+}
+
 async function getRdsEndpoint(ENV, projectConfig) {
   const { region, rdsType, rdsPattern } = projectConfig
 
@@ -438,13 +447,14 @@ async function getRdsEndpoint(ENV, projectConfig) {
 
 async function getRdsPort(ENV, projectConfig) {
   const { region, rdsType, rdsPattern } = projectConfig
+  const fallbackPort = getDefaultPortForEngine(projectConfig)
 
   if (rdsType === 'cluster') {
     const portCommand = `aws-vault exec ${ENV} -- aws rds describe-db-clusters --region ${region} --query "DBClusters[?Status=='available' && ends_with(DBClusterIdentifier, '${rdsPattern}')].Port | [0]" --output text`
-    return (await runCommand(portCommand)) || '5432'
+    return (await runCommand(portCommand)) || fallbackPort
   } else {
     const portCommand = `aws-vault exec ${ENV} -- aws rds describe-db-instances --region ${region} --query "DBInstances[?DBInstanceStatus=='available' && contains(DBInstanceIdentifier, '${rdsPattern}')].Endpoint.Port | [0]" --output text`
-    return (await runCommand(portCommand)) || '5432'
+    return (await runCommand(portCommand)) || fallbackPort
   }
 }
 
@@ -495,12 +505,12 @@ function getLocalPort(ENV, projectConfig) {
 async function getConnectionCredentials(ENV, projectConfig) {
   const { region, secretPrefix, database } = projectConfig
 
-  const secretsListCommand = `aws-vault exec ${ENV} -- aws secretsmanager list-secrets --region ${region} --query "SecretList[?starts_with(Name, '${secretPrefix}')].Name | [0]" --output text`
+  const secretsListCommand = `aws-vault exec ${ENV} -- aws secretsmanager list-secrets --region ${region} --query "SecretList[?contains(Name, '${secretPrefix}')].Name | [0]" --output text`
   const SECRET_NAME = await runCommand(secretsListCommand)
 
   if (!SECRET_NAME || SECRET_NAME === 'None') {
     throw new Error(
-      `No secret found with name starting with '${secretPrefix}'.`,
+      `No secret found with name containing '${secretPrefix}'.`,
     )
   }
 
@@ -587,6 +597,10 @@ async function getProfilesForProjectKey(projectKey) {
 // Includes keepalive (prevents SSM idle timeout) and auto-reconnect
 // (transparently reconnects on the same port if session drops unexpectedly).
 async function connect(projectKey, profile, options = {}) {
+  if (!PROFILE_SAFE_PATTERN.test(profile)) {
+    throw new Error(`Invalid profile name: ${profile}`)
+  }
+
   const PROJECT_CONFIGS = await loadProjectConfigs()
   const projectConfig = PROJECT_CONFIGS[projectKey]
   if (!projectConfig) {
@@ -626,6 +640,10 @@ async function connect(projectKey, profile, options = {}) {
   emit('status', { message: 'Finding bastion instance...' })
   let currentInstanceId = await findBastionInstance(profile, region)
 
+  if (!INSTANCE_ID_PATTERN.test(currentInstanceId)) {
+    throw new Error(`Invalid instance ID format: ${currentInstanceId}`)
+  }
+
   emit('status', { message: 'Getting RDS endpoint...' })
   let currentRdsEndpoint = await getRdsEndpoint(profile, projectConfig)
 
@@ -633,6 +651,10 @@ async function connect(projectKey, profile, options = {}) {
     throw new Error('Failed to find the RDS endpoint.')
   }
 
+  if (!HOSTNAME_PATTERN.test(currentRdsEndpoint)) {
+    throw new Error(`Invalid RDS endpoint format: ${currentRdsEndpoint}`)
+  }
+
   emit('status', { message: 'Getting RDS port...' })
   const rdsPort = await getRdsPort(profile, projectConfig)
 
@@ -812,6 +834,12 @@ async function main() {
           message: 'RDS type:',
           choices: ['cluster', 'instance'],
         },
+        {
+          type: 'select',
+          name: 'engine',
+          message: 'Database engine:',
+          choices: ['postgres', 'mysql'],
+        },
         {
           type: 'input',
           name: 'rdsPattern',
@@ -827,7 +855,7 @@ async function main() {
           type: 'input',
           name: 'defaultPort',
           message: 'Default local port:',
-          default: '5432',
+          default: (ctx) => ctx.engine === 'mysql' ? '3306' : '5432',
         },
       ])
 
@@ -855,6 +883,7 @@ async function main() {
         database: answers.database,
         secretPrefix: answers.secretPrefix,
         rdsType: answers.rdsType,
+        engine: answers.engine,
         rdsPattern: answers.rdsPattern,
         profileFilter: answers.profileFilter || null,
         envPortMapping: envPortMappingInput,
@@ -940,6 +969,11 @@ async function main() {
 
     const ENV = envAnswer.ENV
 
+    if (!PROFILE_SAFE_PATTERN.test(ENV)) {
+      console.error('❌ Invalid profile name:', ENV)
+      return
+    }
+
     // Determine local port number
     const allEnvSuffixes = Object.keys(envPortMapping).sort(
       (a, b) => b.length - a.length,
@@ -951,7 +985,7 @@ async function main() {
 
     // Get RDS credentials from Secrets Manager
     console.log('\n⏳ Getting credentials...')
-    const secretsListCommand = `aws-vault exec ${ENV} -- aws secretsmanager list-secrets --region ${region} --query "SecretList[?starts_with(Name, '${secretPrefix}')].Name | [0]" --output text`
+    const secretsListCommand = `aws-vault exec ${ENV} -- aws secretsmanager list-secrets --region ${region} --query "SecretList[?contains(Name, '${secretPrefix}')].Name | [0]" --output text`
     const SECRET_NAME = await runCommand(secretsListCommand)
 
     if (!SECRET_NAME || SECRET_NAME === 'None') {
@@ -988,6 +1022,11 @@ async function main() {
       return
     }
 
+    if (!INSTANCE_ID_PATTERN.test(INSTANCE_ID)) {
+      console.error('❌ Invalid instance ID format:', INSTANCE_ID)
+      return
+    }
+
     // Get RDS endpoint
     console.log('⏳ Getting RDS endpoint...')
     const RDS_ENDPOINT = await getRdsEndpoint(ENV, projectConfig)
@@ -997,6 +1036,11 @@ async function main() {
       return
     }
 
+    if (!HOSTNAME_PATTERN.test(RDS_ENDPOINT)) {
+      console.error('❌ Invalid RDS endpoint format:', RDS_ENDPOINT)
+      return
+    }
+
     // Get RDS port (remote port)
     const rdsPort = await getRdsPort(ENV, projectConfig)
 
@@ -1045,6 +1089,7 @@ export {
   findBastionInstance,
   getRdsEndpoint,
   getRdsPort,
+  getDefaultPortForEngine,
   getLocalPort,
   connect,
   ipcEmitter,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rds_ssm_connect",
-  "version": "1.7.17",
+  "version": "1.8.1",
   "type": "module",
   "repository": {
     "type": "git",

package/src/lib/Settings.svelte

@@ -26,6 +26,7 @@ let projectRegion = $state('us-east-1')
 let projectDatabase = $state('')
 let projectSecretPrefix = $state('')
 let projectRdsType = $state('cluster')
+let projectEngine = $state('postgres')
 let projectRdsPattern = $state('')
 let projectProfileFilter = $state('')
 let projectDefaultPort = $state('5432')
@@ -162,6 +163,11 @@ async function saveRawConfig() {
 
 // ---- Project config functions ----
 
+function handleEngineChange(e) {
+  projectEngine = e.target.value
+  projectDefaultPort = projectEngine === 'mysql' ? '3306' : '5432'
+}
+
 function openAddProject() {
   editingProject = { isNew: true }
   projectKey = ''
@@ -170,6 +176,7 @@ function openAddProject() {
   projectDatabase = ''
   projectSecretPrefix = 'rds!cluster'
   projectRdsType = 'cluster'
+  projectEngine = 'postgres'
   projectRdsPattern = ''
   projectProfileFilter = ''
   projectDefaultPort = '5432'
@@ -184,6 +191,7 @@ function openEditProject(key, config) {
   projectDatabase = config.database
   projectSecretPrefix = config.secretPrefix
   projectRdsType = config.rdsType
+  projectEngine = config.engine || 'postgres'
   projectRdsPattern = config.rdsPattern
   projectProfileFilter = config.profileFilter || ''
   projectDefaultPort = config.defaultPort
@@ -226,6 +234,7 @@ async function saveProject() {
     database: projectDatabase.trim(),
     secretPrefix: projectSecretPrefix.trim(),
     rdsType: projectRdsType,
+    engine: projectEngine,
     rdsPattern: projectRdsPattern.trim(),
     profileFilter: projectProfileFilter.trim() || null,
     envPortMapping,
@@ -393,6 +402,7 @@ onDestroy(() => {
                     <div class="profile-details">
                       <span class="detail">{config.region}</span>
                       <span class="detail">{config.rdsType}</span>
+                      <span class="detail">{config.engine || 'postgres'}</span>
                       <span class="detail">{config.database}</span>
                       <span class="detail">{Object.keys(config.envPortMapping || {}).length} port mappings</span>
                     </div>
@@ -578,11 +588,19 @@ onDestroy(() => {
               </select>
             </div>
             <div class="form-group">
-              <label for="project-rds-pattern">RDS Pattern</label>
-              <input id="project-rds-pattern" type="text" bind:value={projectRdsPattern} placeholder="-rds-aurora" />
+              <label for="project-engine">Engine</label>
+              <select id="project-engine" value={projectEngine} onchange={handleEngineChange}>
+                <option value="postgres">PostgreSQL</option>
+                <option value="mysql">MySQL</option>
+              </select>
             </div>
           </div>
 
+          <div class="form-group">
+            <label for="project-rds-pattern">RDS Pattern</label>
+            <input id="project-rds-pattern" type="text" bind:value={projectRdsPattern} placeholder="-rds-aurora" />
+          </div>
+
           <div class="form-row">
             <div class="form-group">
               <label for="project-profile-filter">Profile Filter</label>

package/src-tauri/Cargo.lock

@@ -3057,7 +3057,7 @@ checksum = "20675572f6f24e9e76ef639bc5552774ed45f1c30e2951e1e99c59888861c539"
 
 [[package]]
 name = "rds-ssm-connect"
-version = "1.7.17"
+version = "1.8.0"
 dependencies = [
  "reqwest 0.12.28",
  "semver",

package/src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rds-ssm-connect"
-version = "1.7.17"
+version = "1.8.1"
 description = "Secure RDS connections through AWS SSM"
 authors = ["Iaroslav Pyrogov"]
 edition = "2024"

package/src-tauri/src/lib.rs

@@ -431,6 +431,8 @@ pub struct ProjectConfig {
     pub secret_prefix: String,
     #[serde(rename = "rdsType")]
     pub rds_type: String,
+    #[serde(default)]
+    pub engine: Option<String>,
     #[serde(rename = "rdsPattern")]
     pub rds_pattern: String,
     #[serde(rename = "profileFilter")]

package/src-tauri/tauri.conf.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "RDS SSM Connect",
-  "version": "1.7.17",
+  "version": "1.8.1",
   "identifier": "com.rds-ssm-connect.desktop",
   "build": {
     "beforeDevCommand": "npm run dev:vite",

package/test/configLoader.test.js

@@ -146,5 +146,57 @@ describe('configLoader', () => {
       assert.equal(result.valid, false)
       assert.ok(result.errors.some((e) => e.includes('Port for "dev"')))
     })
+
+    // Engine validation tests
+    it('should accept config with engine=postgres', () => {
+      const result = validateProjectConfig({ ...validConfig, engine: 'postgres' })
+      assert.equal(result.valid, true)
+    })
+
+    it('should accept config with engine=mysql', () => {
+      const result = validateProjectConfig({ ...validConfig, engine: 'mysql' })
+      assert.equal(result.valid, true)
+    })
+
+    it('should accept config without engine field (backward compat)', () => {
+      const { engine: _, ...configWithoutEngine } = validConfig
+      const result = validateProjectConfig(configWithoutEngine)
+      assert.equal(result.valid, true)
+    })
+
+    it('should reject invalid engine value', () => {
+      const result = validateProjectConfig({ ...validConfig, engine: 'sqlite' })
+      assert.equal(result.valid, false)
+      assert.ok(result.errors.some((e) => e.includes('engine')))
+    })
+
+    // Shell-safe validation tests
+    it('should reject secretPrefix with shell metacharacters', () => {
+      const result = validateProjectConfig({ ...validConfig, secretPrefix: 'rds;rm -rf /' })
+      assert.equal(result.valid, false)
+      assert.ok(result.errors.some((e) => e.includes('secretPrefix')))
+    })
+
+    it('should reject rdsPattern with shell metacharacters', () => {
+      const result = validateProjectConfig({ ...validConfig, rdsPattern: '$(whoami)' })
+      assert.equal(result.valid, false)
+      assert.ok(result.errors.some((e) => e.includes('rdsPattern')))
+    })
+
+    it('should reject database with shell metacharacters', () => {
+      const result = validateProjectConfig({ ...validConfig, database: 'db&echo' })
+      assert.equal(result.valid, false)
+      assert.ok(result.errors.some((e) => e.includes('database')))
+    })
+
+    it('should accept safe special characters in fields', () => {
+      const result = validateProjectConfig({
+        ...validConfig,
+        secretPrefix: 'rds!cluster-my/prefix',
+        rdsPattern: 'my-rds_pattern.v2',
+        database: 'my_db.prod',
+      })
+      assert.equal(result.valid, true)
+    })
   })
 })