spindb 0.8.2 → 0.9.1

package/core/error-handler.ts

@@ -56,6 +56,7 @@ export const ErrorCodes = {
   CONTAINER_CREATE_FAILED: 'CONTAINER_CREATE_FAILED',
   INIT_FAILED: 'INIT_FAILED',
   DATABASE_CREATE_FAILED: 'DATABASE_CREATE_FAILED',
+  INVALID_DATABASE_NAME: 'INVALID_DATABASE_NAME',
 
   // Dependency errors
   DEPENDENCY_MISSING: 'DEPENDENCY_MISSING',
@@ -308,3 +309,33 @@ export function createDependencyMissingError(
     { toolName, engine },
   )
 }
+
+/**
+ * Validate a database name to prevent SQL injection.
+ * Database names must start with a letter and contain only
+ * alphanumeric characters and underscores.
+ *
+ * Note: Hyphens are excluded because they require quoted identifiers
+ * in SQL, which is error-prone for users.
+ */
+export function isValidDatabaseName(name: string): boolean {
+  // Must start with a letter to be valid in all database systems
+  // Hyphens excluded to avoid requiring quoted identifiers in SQL
+  return /^[a-zA-Z][a-zA-Z0-9_]*$/.test(name)
+}
+
+/**
+ * Assert that a database name is valid, throwing SpinDBError if not.
+ * Use this at the entry points where database names are accepted.
+ */
+export function assertValidDatabaseName(name: string): void {
+  if (!isValidDatabaseName(name)) {
+    throw new SpinDBError(
+      ErrorCodes.INVALID_DATABASE_NAME,
+      `Invalid database name: "${name}"`,
+      'error',
+      'Database names must start with a letter and contain only letters, numbers, and underscores',
+      { databaseName: name },
+    )
+  }
+}

package/core/port-manager.ts

@@ -27,6 +27,8 @@ export class PortManager {
       const server = net.createServer()
 
       server.once('error', (err: NodeJS.ErrnoException) => {
+        // Always close the server to prevent resource leaks
+        server.close()
         if (err.code === 'EADDRINUSE') {
           resolve(false)
         } else {

package/core/process-manager.ts

@@ -1,7 +1,7 @@
 import { exec, spawn } from 'child_process'
 import { promisify } from 'util'
 import { existsSync } from 'fs'
-import { readFile } from 'fs/promises'
+import { readFile, rm } from 'fs/promises'
 import { paths } from '../config/paths'
 import { logDebug } from './error-handler'
 import type { ProcessResult, StatusResult } from '../types'
@@ -42,6 +42,9 @@ export class ProcessManager {
   ): Promise<ProcessResult> {
     const { superuser = 'postgres' } = options
 
+    // Track if directory existed before initdb (to know if we should clean up)
+    const dirExistedBefore = existsSync(dataDir)
+
     const args = [
       '-D',
       dataDir,
@@ -52,6 +55,21 @@ export class ProcessManager {
       '--no-locale',
     ]
 
+    // Helper to clean up data directory on failure
+    const cleanupOnFailure = async () => {
+      // Only clean up if initdb created the directory (it didn't exist before)
+      if (!dirExistedBefore && existsSync(dataDir)) {
+        try {
+          await rm(dataDir, { recursive: true, force: true })
+          logDebug(`Cleaned up data directory after initdb failure: ${dataDir}`)
+        } catch (cleanupErr) {
+          logDebug(
+            `Failed to clean up data directory: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`,
+          )
+        }
+      }
+    }
+
     return new Promise((resolve, reject) => {
       const proc = spawn(initdbPath, args, {
         stdio: ['ignore', 'pipe', 'pipe'],
@@ -67,15 +85,19 @@ export class ProcessManager {
         stderr += data.toString()
       })
 
-      proc.on('close', (code) => {
+      proc.on('close', async (code) => {
         if (code === 0) {
           resolve({ stdout, stderr })
         } else {
+          await cleanupOnFailure()
           reject(new Error(`initdb failed with code ${code}: ${stderr}`))
         }
       })
 
-      proc.on('error', reject)
+      proc.on('error', async (err) => {
+        await cleanupOnFailure()
+        reject(err)
+      })
     })
   }
 

package/engines/index.ts

@@ -1,5 +1,6 @@
 import { postgresqlEngine } from './postgresql'
 import { mysqlEngine } from './mysql'
+import { sqliteEngine } from './sqlite'
 import type { BaseEngine } from './base-engine'
 import type { EngineInfo } from '../types'
 
@@ -14,6 +15,9 @@ export const engines: Record<string, BaseEngine> = {
   // MySQL and aliases
   mysql: mysqlEngine,
   mariadb: mysqlEngine, // MariaDB is MySQL-compatible
+  // SQLite and aliases
+  sqlite: sqliteEngine,
+  lite: sqliteEngine,
 }
 
 /**

package/engines/mysql/backup.ts

@@ -56,6 +56,20 @@ async function createSqlBackup(
   outputPath: string,
 ): Promise<BackupResult> {
   return new Promise((resolve, reject) => {
+    let settled = false
+    const safeResolve = (value: BackupResult) => {
+      if (!settled) {
+        settled = true
+        resolve(value)
+      }
+    }
+    const safeReject = (err: Error) => {
+      if (!settled) {
+        settled = true
+        reject(err)
+      }
+    }
+
     const args = [
       '-h',
       '127.0.0.1',
@@ -79,20 +93,20 @@ async function createSqlBackup(
     })
 
     proc.on('error', (err: NodeJS.ErrnoException) => {
-      reject(err)
+      safeReject(err)
     })
 
     proc.on('close', async (code) => {
       if (code === 0) {
         const stats = await stat(outputPath)
-        resolve({
+        safeResolve({
           path: outputPath,
           format: 'sql',
           size: stats.size,
         })
       } else {
         const errorMessage = stderr || `mysqldump exited with code ${code}`
-        reject(new Error(errorMessage))
+        safeReject(new Error(errorMessage))
       }
     })
   })
@@ -108,52 +122,55 @@ async function createCompressedBackup(
   database: string,
   outputPath: string,
 ): Promise<BackupResult> {
-  return new Promise((resolve, reject) => {
-    const args = [
-      '-h',
-      '127.0.0.1',
-      '-P',
-      String(port),
-      '-u',
-      engineDef.superuser,
-      database,
-    ]
-
-    const proc = spawn(mysqldump, args, {
-      stdio: ['pipe', 'pipe', 'pipe'],
-    })
+  const args = [
+    '-h',
+    '127.0.0.1',
+    '-P',
+    String(port),
+    '-u',
+    engineDef.superuser,
+    database,
+  ]
+
+  const proc = spawn(mysqldump, args, {
+    stdio: ['pipe', 'pipe', 'pipe'],
+  })
 
-    const gzip = createGzip()
-    const output = createWriteStream(outputPath)
+  const gzip = createGzip()
+  const output = createWriteStream(outputPath)
 
-    let stderr = ''
+  let stderr = ''
 
-    proc.stderr?.on('data', (data: Buffer) => {
-      stderr += data.toString()
-    })
+  proc.stderr?.on('data', (data: Buffer) => {
+    stderr += data.toString()
+  })
 
-    // Pipe mysqldump stdout -> gzip -> file
-    pipeline(proc.stdout!, gzip, output)
-      .then(async () => {
-        const stats = await stat(outputPath)
-        resolve({
-          path: outputPath,
-          format: 'compressed',
-          size: stats.size,
-        })
-      })
-      .catch(reject)
+  // Create promise for pipeline completion
+  const pipelinePromise = pipeline(proc.stdout!, gzip, output)
 
+  // Create promise for process exit
+  const exitPromise = new Promise<void>((resolve, reject) => {
     proc.on('error', (err: NodeJS.ErrnoException) => {
       reject(err)
     })
 
     proc.on('close', (code) => {
-      if (code !== 0) {
+      if (code === 0) {
+        resolve()
+      } else {
         const errorMessage = stderr || `mysqldump exited with code ${code}`
         reject(new Error(errorMessage))
       }
-      // If code is 0, the pipeline promise will resolve
     })
   })
+
+  // Wait for both pipeline AND process exit to succeed
+  await Promise.all([pipelinePromise, exitPromise])
+
+  const stats = await stat(outputPath)
+  return {
+    path: outputPath,
+    format: 'compressed',
+    size: stats.size,
+  }
 }

package/engines/mysql/index.ts

@@ -6,7 +6,7 @@
 import { spawn, exec } from 'child_process'
 import { promisify } from 'util'
 import { existsSync, createReadStream } from 'fs'
-import { mkdir, writeFile, readFile, unlink } from 'fs/promises'
+import { mkdir, writeFile, readFile, unlink, rm } from 'fs/promises'
 import { join } from 'path'
 import { BaseEngine } from '../base-engine'
 import { paths } from '../../config/paths'
@@ -16,6 +16,7 @@ import {
   logWarning,
   ErrorCodes,
   SpinDBError,
+  assertValidDatabaseName,
 } from '../../core/error-handler'
 import {
   getMysqldPath,
@@ -135,9 +136,27 @@ export class MySQLEngine extends BaseEngine {
       engine: ENGINE,
     })
 
+    // Track if we created the directory (for cleanup on failure)
+    let createdDataDir = false
+
     // Create data directory if it doesn't exist
     if (!existsSync(dataDir)) {
       await mkdir(dataDir, { recursive: true })
+      createdDataDir = true
+    }
+
+    // Helper to clean up on failure
+    const cleanupOnFailure = async () => {
+      if (createdDataDir) {
+        try {
+          await rm(dataDir, { recursive: true, force: true })
+          logDebug(`Cleaned up data directory after init failure: ${dataDir}`)
+        } catch (cleanupErr) {
+          logDebug(
+            `Failed to clean up data directory: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`,
+          )
+        }
+      }
     }
 
     // Check if we're using MariaDB or MySQL
@@ -148,6 +167,7 @@ export class MySQLEngine extends BaseEngine {
       const installDb =
         (await getMariadbInstallDbPath()) || (await getMysqlInstallDbPath())
       if (!installDb) {
+        await cleanupOnFailure()
         throw new Error(
           'MariaDB detected but mysql_install_db not found.\n' +
             'Install MariaDB server package which includes the initialization script.',
@@ -177,10 +197,11 @@ export class MySQLEngine extends BaseEngine {
           stderr += data.toString()
         })
 
-        proc.on('close', (code) => {
+        proc.on('close', async (code) => {
           if (code === 0) {
             resolve(dataDir)
           } else {
+            await cleanupOnFailure()
             reject(
               new Error(
                 `MariaDB initialization failed with code ${code}: ${stderr || stdout}`,
@@ -189,12 +210,16 @@ export class MySQLEngine extends BaseEngine {
           }
         })
 
-        proc.on('error', reject)
+        proc.on('error', async (err) => {
+          await cleanupOnFailure()
+          reject(err)
+        })
       })
     } else {
       // MySQL uses mysqld --initialize-insecure
       const mysqld = await getMysqldPath()
       if (!mysqld) {
+        await cleanupOnFailure()
         throw new Error(getInstallInstructions())
       }
 
@@ -221,10 +246,11 @@ export class MySQLEngine extends BaseEngine {
           stderr += data.toString()
         })
 
-        proc.on('close', (code) => {
+        proc.on('close', async (code) => {
           if (code === 0) {
             resolve(dataDir)
           } else {
+            await cleanupOnFailure()
             reject(
               new Error(
                 `MySQL initialization failed with code ${code}: ${stderr || stdout}`,
@@ -233,7 +259,10 @@ export class MySQLEngine extends BaseEngine {
           }
         })
 
-        proc.on('error', reject)
+        proc.on('error', async (err) => {
+          await cleanupOnFailure()
+          reject(err)
+        })
       })
     }
   }
@@ -313,6 +342,14 @@ export class MySQLEngine extends BaseEngine {
                 connectionString: this.getConnectionString(container),
               })
               return
+            } else {
+              // mysqladmin not found - cannot verify MySQL is ready
+              reject(
+                new Error(
+                  'mysqladmin not found - cannot verify MySQL startup. Install MySQL client tools.',
+                ),
+              )
+              return
             }
           } catch {
             if (attempts < maxAttempts) {
@@ -687,6 +724,7 @@ export class MySQLEngine extends BaseEngine {
     container: ContainerConfig,
     database: string,
   ): Promise<void> {
+    assertValidDatabaseName(database)
     const { port } = container
 
     const mysql = await getMysqlClientPath()
@@ -720,6 +758,7 @@ export class MySQLEngine extends BaseEngine {
     container: ContainerConfig,
     database: string,
   ): Promise<void> {
+    assertValidDatabaseName(database)
     const { port } = container
 
     const mysql = await getMysqlClientPath()
@@ -748,6 +787,9 @@ export class MySQLEngine extends BaseEngine {
     const { port, database } = container
     const db = database || 'mysql'
 
+    // Validate database name to prevent SQL injection
+    assertValidDatabaseName(db)
+
     try {
       const mysql = await getMysqlClientPath()
       if (!mysql) return null
@@ -856,6 +898,7 @@ export class MySQLEngine extends BaseEngine {
   ): Promise<void> {
     const { port } = container
     const db = options.database || container.database || 'mysql'
+    assertValidDatabaseName(db)
 
     const mysql = await getMysqlClientPath()
     if (!mysql) {

package/engines/postgresql/index.ts

@@ -18,6 +18,7 @@ import {
 } from './binary-urls'
 import { detectBackupFormat, restoreBackup } from './restore'
 import { createBackup } from './backup'
+import { assertValidDatabaseName } from '../../core/error-handler'
 import type {
   ContainerConfig,
   ProgressCallback,
@@ -395,6 +396,7 @@ export class PostgreSQLEngine extends BaseEngine {
     container: ContainerConfig,
     database: string,
   ): Promise<void> {
+    assertValidDatabaseName(database)
     const { port } = container
     const psqlPath = await this.getPsqlPath()
 
@@ -418,6 +420,7 @@ export class PostgreSQLEngine extends BaseEngine {
     container: ContainerConfig,
     database: string,
   ): Promise<void> {
+    assertValidDatabaseName(database)
     const { port } = container
     const psqlPath = await this.getPsqlPath()
 
@@ -443,6 +446,9 @@ export class PostgreSQLEngine extends BaseEngine {
     const { port, database } = container
     const db = database || 'postgres'
 
+    // Validate database name to prevent SQL injection
+    assertValidDatabaseName(db)
+
     try {
       const psqlPath = await this.getPsqlPath()
       // Query pg_database_size for the specific database