npm - sql-render - Versions diffs - 0.1.0 - Mend

sql-render 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 bug3
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,199 @@
+# sql-render
+Type-safe `{{variable}}` templating for `.sql` files with built-in injection protection.
+- Zero runtime dependencies
+- Built-in SQL injection protection
+- Schema-based validation with type inference
+- Custom schema types for project-specific rules
+- Works with any SQL engine (Athena, Trino, PostgreSQL, MySQL, etc.)
+- Compatible with [sql-formatter](https://github.com/sql-formatter-org/sql-formatter)
+## Installation
+```bash
+npm install sql-render
+```
+## Quick Start
+Create a SQL file with `{{variable}}` placeholders:
+```sql
+-- queries/getEvents.sql
+SELECT event_id, event_name
+FROM {{tableName}}
+WHERE status = '{{status}}'
+  AND created_at >= '{{startDate}}'
+ORDER BY {{orderBy}}
+LIMIT {{limit}}
+```
+Define and use the query in TypeScript:
+```typescript
+import { defineQuery } from 'sql-render';
+const getEvents = defineQuery<{
+  tableName: string;
+  status: string;
+  startDate: string;
+  orderBy: string;
+  limit: number;
+}>('./queries/getEvents.sql');
+const { sql } = getEvents({
+  tableName: 'prod_events',
+  status: 'active',
+  startDate: '2024-01-01',
+  orderBy: 'created_at',
+  limit: 100,
+});
+```
+Result:
+```sql
+SELECT event_id, event_name
+FROM prod_events
+WHERE status = 'active'
+  AND created_at >= '2024-01-01'
+ORDER BY created_at
+LIMIT 100
+```
+## Schema Validation
+For stricter validation, define a schema instead of a generic type. Types are inferred automatically.
+```typescript
+import { defineQuery, schema } from 'sql-render';
+const getEvents = defineQuery('./queries/getEvents.sql', {
+  tableName: schema.identifier,
+  status: schema.enum('active', 'pending', 'done'),
+  startDate: schema.isoDate,
+  orderBy: schema.identifier,
+  limit: schema.positiveInt,
+});
+const { sql } = getEvents({
+  tableName: 'prod_events',
+  status: 'active',
+  startDate: '2024-01-01',
+  orderBy: 'created_at',
+  limit: 100,
+});
+```
+### Available Schema Types
+| Type | Format | Example |
+|------|--------|---------|
+| `schema.string` | Any string (with SQL injection check) | `'hello'` |
+| `schema.number` | Finite number | `42`, `3.14` |
+| `schema.boolean` | `true` / `false` | `true` |
+| `schema.isoDate` | `YYYY-MM-DD` | `'2026-04-01'` |
+| `schema.isoTimestamp` | ISO 8601 with timezone | `'2026-04-01T13:57:34.000Z'` |
+| `schema.identifier` | SQL identifier (up to `db.schema.table`) | `'public.users'` |
+| `schema.uuid` | RFC 4122 UUID | `'550e8400-e29b-41d4-a716-446655440000'` |
+| `schema.positiveInt` | Positive integer | `100` |
+| `schema.enum(...)` | Whitelist of allowed values | `schema.enum('asc', 'desc')` |
+| `schema.s3Path` | S3 URI | `'s3://bucket/path/'` |
+### Custom Schema Types
+Define your own type descriptors for project-specific validation:
+```typescript
+import { defineQuery, schema } from 'sql-render';
+const prodTable = {
+  validate: (val: unknown) => typeof val === 'string' && val.startsWith('prod_'),
+};
+const query = defineQuery('./query.sql', {
+  table: prodTable,
+  startDate: schema.isoDate,
+  limit: schema.positiveInt,
+});
+```
+A type descriptor is any object with a `validate(val: unknown) => boolean` method.
+## SQL Injection Protection
+`schema.string` and the generic `string` type check values against built-in patterns:
+| Pattern | Examples |
+|---------|----------|
+| Comments | `--`, `/*`, `*/` |
+| Statement separator | `;` |
+| DDL commands | `DROP`, `ALTER`, `TRUNCATE`, `CREATE` |
+| UNION injection | `UNION SELECT`, `UNION ALL SELECT` |
+| DML commands | `INSERT INTO`, `DELETE FROM`, `UPDATE ... SET` |
+| Execution | `EXEC`, `EXECUTE` |
+| Time-based | `SLEEP()`, `BENCHMARK()`, `WAITFOR DELAY` |
+| System procedures | `xp_*`, `sp_*` |
+| Privilege commands | `GRANT`, `REVOKE` |
+| File operations | `LOAD_FILE()`, `INTO OUTFILE`, `INTO DUMPFILE` |
+| Data loading | `LOAD DATA` |
+Patterns use word boundaries to avoid false positives (e.g., "backdrop" won't trigger `DROP`).
+Other schema types like `schema.identifier`, `schema.isoDate`, `schema.uuid` etc. are inherently safe due to their strict format validation.
+The pattern list is exported for reference:
+```typescript
+import { SQL_INJECTION_PATTERNS } from 'sql-render';
+```
+## Error Messages
+| Scenario | Error |
+|----------|-------|
+| File not found | `File not found: ./query.sql` |
+| Schema mismatch | `Schema missing definitions for template variables: [id]` |
+| Missing params | `Missing variables in params: [tableName, limit]` |
+| Extra params | `Extra variables not in template: [foo]` |
+| Schema validation | `Schema validation failed for 'status'` |
+| Type validation | `SQL injection pattern detected in 'status': ...` |
+| Null/undefined | `Validation failed for 'key': value cannot be null or undefined` |
+| Invalid descriptor | `Invalid schema descriptor for 'key': must have a validate(val) method` |
+## Security Model
+sql-render protects against SQL injection using a **denylist + escape** strategy, not parameterized queries (prepared statements). Values are validated and escaped before being interpolated directly into the SQL string.
+This is effective for engines that don't support parameterized queries (e.g., Athena, Trino DDL, ad-hoc SQL scripts). If your database driver supports parameterized queries, prefer using them as the primary defense and treat sql-render's protection as an additional layer.
+The built-in denylist does not guarantee 100% protection against all SQL injection vectors. For stricter control, define [custom schema types](#custom-schema-types) tailored to your project's specific validation needs.
+## sql-formatter Compatibility
+The `{{variable}}` syntax is fully compatible with [sql-formatter](https://github.com/sql-formatter-org/sql-formatter). A `paramTypes` custom regex is required so that `{{variables}}` containing SQL keywords (e.g. `{{limit}}`) are treated as parameters instead of being parsed as SQL.
+### VS Code
+Install the [SQL Formatter VSCode](https://marketplace.visualstudio.com/items?itemName=ReneSaarsoo.sql-formatter-vsc) extension, then copy [`.vscode/settings.json`](.vscode/settings.json) into your project to enable format-on-save with the recommended settings:
+```json
+{
+    "[sql]": {
+        "editor.defaultFormatter": "ReneSaarsoo.sql-formatter-vsc",
+        "editor.formatOnSave": true
+    },
+    "SQL-Formatter-VSCode.dialect": "trino",
+    "SQL-Formatter-VSCode.keywordCase": "upper",
+    "SQL-Formatter-VSCode.functionCase": "upper",
+    "SQL-Formatter-VSCode.dataTypeCase": "upper",
+    "SQL-Formatter-VSCode.paramTypes": {
+        "custom": [{ "regex": "\\{\\{[a-zA-Z_][a-zA-Z0-9_]*\\}\\}" }]
+    }
+}
+```
+## License
+[MIT](https://github.com/bug3/sql-render/blob/master/LICENSE)

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,239 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  SQL_INJECTION_PATTERNS: () => SQL_INJECTION_PATTERNS,
+  defineQuery: () => defineQuery,
+  schema: () => schema
+});
+module.exports = __toCommonJS(index_exports);
+// src/loader.ts
+var import_node_fs = __toESM(require("fs"));
+var import_node_path = __toESM(require("path"));
+var TOKEN_REGEX = /\{\{([a-zA-Z_][a-zA-Z0-9_]*)\}\}/g;
+function loadTemplate(filePath) {
+  const resolved = import_node_path.default.resolve(filePath);
+  if (!import_node_fs.default.existsSync(resolved)) {
+    throw new Error(`File not found: ${filePath}`);
+  }
+  const template = import_node_fs.default.readFileSync(resolved, "utf-8");
+  const seen = /* @__PURE__ */ new Set();
+  const tokens = [];
+  for (const match of template.matchAll(TOKEN_REGEX)) {
+    if (!seen.has(match[1])) {
+      seen.add(match[1]);
+      tokens.push(match[1]);
+    }
+  }
+  return { template, tokens };
+}
+// src/validator.ts
+var SQL_INJECTION_PATTERNS = [
+  { name: "inline comment", regex: /--/ },
+  { name: "block comment open", regex: /\/\*/ },
+  { name: "block comment close", regex: /\*\// },
+  { name: "statement separator", regex: /;/ },
+  { name: "DDL command", regex: /\b(DROP|ALTER|TRUNCATE|CREATE)\b/i },
+  { name: "UNION injection", regex: /\bUNION\s+(ALL\s+)?SELECT\b/i },
+  { name: "INSERT", regex: /\bINSERT\s+INTO\b/i },
+  { name: "DELETE", regex: /\bDELETE\s+FROM\b/i },
+  { name: "UPDATE", regex: /\bUPDATE\s+\S+\s+SET\b/i },
+  { name: "EXEC", regex: /\b(EXEC|EXECUTE)\b/i },
+  { name: "time-based injection", regex: /\b(SLEEP|BENCHMARK)\s*\(/i },
+  { name: "WAITFOR", regex: /\bWAITFOR\s+DELAY\b/i },
+  { name: "system procedure", regex: /\b(xp_|sp_)\w+/i },
+  { name: "GRANT/REVOKE", regex: /\b(GRANT|REVOKE)\b/i },
+  { name: "file operation", regex: /\b(LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE)\b/i },
+  { name: "LOAD DATA", regex: /\bLOAD\s+DATA\b/i }
+];
+function detectSqlInjection(key, value) {
+  for (const pattern of SQL_INJECTION_PATTERNS) {
+    if (pattern.regex.test(value)) {
+      throw new Error(
+        `SQL injection pattern detected in '${key}': value contains forbidden pattern (${pattern.name})`
+      );
+    }
+  }
+}
+function escapeValue(value) {
+  if (typeof value === "string") {
+    return value.replace(/'/g, "''");
+  }
+  return String(value);
+}
+function validateAndConvert(key, value) {
+  if (value === null || value === void 0) {
+    throw new Error(`Validation failed for '${key}': value cannot be null or undefined`);
+  }
+  switch (typeof value) {
+    case "number":
+      if (Number.isNaN(value) || !Number.isFinite(value)) {
+        throw new Error(`Validation failed for '${key}': expected a finite number`);
+      }
+      return String(value);
+    case "boolean":
+      return String(value);
+    case "string":
+      detectSqlInjection(key, value);
+      return escapeValue(value);
+    default:
+      throw new Error(
+        `Validation failed for '${key}': unsupported type '${typeof value}'`
+      );
+  }
+}
+// src/renderer.ts
+function render(template, values) {
+  let result = template;
+  for (const [key, value] of Object.entries(values)) {
+    const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const pattern = new RegExp(`\\{\\{${escaped}\\}\\}`, "g");
+    result = result.replace(pattern, value);
+  }
+  return result;
+}
+// src/schema.ts
+var ISO_DATE_REGEX = /^\d{4}-\d{2}-\d{2}$/;
+var ISO_TIMESTAMP_REGEX = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$/;
+var IDENTIFIER_REGEX = /^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*){0,2}$/;
+var UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var S3_PATH_REGEX = /^s3:\/\/[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](\/[a-zA-Z0-9._\-/=]*)?$/;
+function descriptor(validate) {
+  return { validate };
+}
+function isString(val) {
+  return typeof val === "string";
+}
+function isValidDate(year, month, day) {
+  const d = new Date(year, month - 1, day);
+  return d.getFullYear() === year && d.getMonth() === month - 1 && d.getDate() === day;
+}
+function isValidTime(hours, minutes, seconds) {
+  return hours >= 0 && hours <= 23 && minutes >= 0 && minutes <= 59 && seconds >= 0 && seconds <= 59;
+}
+var schema = {
+  string: descriptor((val) => {
+    if (!isString(val)) return false;
+    return !SQL_INJECTION_PATTERNS.some((p) => p.regex.test(val));
+  }),
+  number: descriptor((val) => typeof val === "number" && Number.isFinite(val)),
+  boolean: descriptor((val) => typeof val === "boolean"),
+  isoDate: descriptor((val) => {
+    if (!isString(val) || !ISO_DATE_REGEX.test(val)) return false;
+    const [y, m, d] = val.split("-").map(Number);
+    return isValidDate(y, m, d);
+  }),
+  isoTimestamp: descriptor((val) => {
+    if (!isString(val) || !ISO_TIMESTAMP_REGEX.test(val)) return false;
+    const [datePart, rest] = val.split("T");
+    const [y, m, d] = datePart.split("-").map(Number);
+    if (!isValidDate(y, m, d)) return false;
+    const timePart = rest.replace(/[Z+-].*$/, "");
+    const [hh, mm, ssRaw] = timePart.split(":");
+    const ss = parseFloat(ssRaw);
+    return isValidTime(Number(hh), Number(mm), Math.floor(ss));
+  }),
+  identifier: descriptor((val) => isString(val) && IDENTIFIER_REGEX.test(val)),
+  uuid: descriptor((val) => isString(val) && UUID_REGEX.test(val)),
+  positiveInt: descriptor((val) => typeof val === "number" && Number.isInteger(val) && val > 0),
+  s3Path: descriptor((val) => isString(val) && S3_PATH_REGEX.test(val)),
+  enum: (...values) => descriptor(
+    (val) => isString(val) && values.includes(val)
+  )
+};
+// src/index.ts
+function defineQuery(filePath, schemaDef) {
+  const { template, tokens } = loadTemplate(filePath);
+  if (schemaDef) {
+    const schemaKeys = Object.keys(schemaDef);
+    for (const key of schemaKeys) {
+      const desc = schemaDef[key];
+      if (!desc || typeof desc.validate !== "function") {
+        throw new Error(
+          `Invalid schema descriptor for '${key}': must have a validate(val) method`
+        );
+      }
+    }
+    const missingInSchema = tokens.filter((tok) => !schemaKeys.includes(tok));
+    if (missingInSchema.length > 0) {
+      throw new Error(
+        `Schema missing definitions for template variables: [${missingInSchema.join(", ")}]`
+      );
+    }
+    const extraInSchema = schemaKeys.filter((k) => !tokens.includes(k));
+    if (extraInSchema.length > 0) {
+      throw new Error(
+        `Schema defines variables not in template: [${extraInSchema.join(", ")}]`
+      );
+    }
+  }
+  return (params) => {
+    const paramKeys = Object.keys(params);
+    const missing = tokens.filter((tok) => !paramKeys.includes(tok));
+    if (missing.length > 0) {
+      throw new Error(`Missing variables in params: [${missing.join(", ")}]`);
+    }
+    const extra = paramKeys.filter((k) => !tokens.includes(k));
+    if (extra.length > 0) {
+      throw new Error(`Extra variables not in template: [${extra.join(", ")}]`);
+    }
+    const values = {};
+    for (const key of tokens) {
+      const value = params[key];
+      if (schemaDef) {
+        if (value === null || value === void 0) {
+          throw new Error(`Validation failed for '${key}': value cannot be null or undefined`);
+        }
+        const desc = schemaDef[key];
+        if (!desc.validate(value)) {
+          throw new Error(
+            `Schema validation failed for '${key}': received ${typeof value} (${JSON.stringify(value)})`
+          );
+        }
+        values[key] = escapeValue(value);
+      } else {
+        values[key] = validateAndConvert(key, value);
+      }
+    }
+    return { sql: render(template, values) };
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SQL_INJECTION_PATTERNS,
+  defineQuery,
+  schema
+});

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,36 @@
+interface TypeDescriptor<T = unknown> {
+    readonly __phantom?: T;
+    validate(val: unknown): boolean;
+}
+declare const schema: {
+    string: TypeDescriptor<string>;
+    number: TypeDescriptor<number>;
+    boolean: TypeDescriptor<boolean>;
+    isoDate: TypeDescriptor<string>;
+    isoTimestamp: TypeDescriptor<string>;
+    identifier: TypeDescriptor<string>;
+    uuid: TypeDescriptor<string>;
+    positiveInt: TypeDescriptor<number>;
+    s3Path: TypeDescriptor<string>;
+    enum: <T extends string>(...values: T[]) => TypeDescriptor<T>;
+};
+type SchemaDefinition = Record<string, TypeDescriptor>;
+type InferParams<S extends SchemaDefinition> = {
+    [K in keyof S]: S[K] extends TypeDescriptor<infer T> ? T : never;
+};
+interface QueryResult {
+    sql: string;
+}
+type GenericQueryFn<T> = (params: T) => QueryResult;
+type SchemaQueryFn<S extends SchemaDefinition> = (params: InferParams<S>) => QueryResult;
+declare const SQL_INJECTION_PATTERNS: {
+    name: string;
+    regex: RegExp;
+}[];
+declare function defineQuery<S extends SchemaDefinition>(filePath: string, schemaDef: S): SchemaQueryFn<S>;
+declare function defineQuery<T extends Record<string, string | number | boolean>>(filePath: string): GenericQueryFn<T>;
+export { type GenericQueryFn, type InferParams, type QueryResult, SQL_INJECTION_PATTERNS, type SchemaDefinition, type SchemaQueryFn, type TypeDescriptor, defineQuery, schema };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,36 @@
+interface TypeDescriptor<T = unknown> {
+    readonly __phantom?: T;
+    validate(val: unknown): boolean;
+}
+declare const schema: {
+    string: TypeDescriptor<string>;
+    number: TypeDescriptor<number>;
+    boolean: TypeDescriptor<boolean>;
+    isoDate: TypeDescriptor<string>;
+    isoTimestamp: TypeDescriptor<string>;
+    identifier: TypeDescriptor<string>;
+    uuid: TypeDescriptor<string>;
+    positiveInt: TypeDescriptor<number>;
+    s3Path: TypeDescriptor<string>;
+    enum: <T extends string>(...values: T[]) => TypeDescriptor<T>;
+};
+type SchemaDefinition = Record<string, TypeDescriptor>;
+type InferParams<S extends SchemaDefinition> = {
+    [K in keyof S]: S[K] extends TypeDescriptor<infer T> ? T : never;
+};
+interface QueryResult {
+    sql: string;
+}
+type GenericQueryFn<T> = (params: T) => QueryResult;
+type SchemaQueryFn<S extends SchemaDefinition> = (params: InferParams<S>) => QueryResult;
+declare const SQL_INJECTION_PATTERNS: {
+    name: string;
+    regex: RegExp;
+}[];
+declare function defineQuery<S extends SchemaDefinition>(filePath: string, schemaDef: S): SchemaQueryFn<S>;
+declare function defineQuery<T extends Record<string, string | number | boolean>>(filePath: string): GenericQueryFn<T>;
+export { type GenericQueryFn, type InferParams, type QueryResult, SQL_INJECTION_PATTERNS, type SchemaDefinition, type SchemaQueryFn, type TypeDescriptor, defineQuery, schema };

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,200 @@
+// src/loader.ts
+import fs from "fs";
+import path from "path";
+var TOKEN_REGEX = /\{\{([a-zA-Z_][a-zA-Z0-9_]*)\}\}/g;
+function loadTemplate(filePath) {
+  const resolved = path.resolve(filePath);
+  if (!fs.existsSync(resolved)) {
+    throw new Error(`File not found: ${filePath}`);
+  }
+  const template = fs.readFileSync(resolved, "utf-8");
+  const seen = /* @__PURE__ */ new Set();
+  const tokens = [];
+  for (const match of template.matchAll(TOKEN_REGEX)) {
+    if (!seen.has(match[1])) {
+      seen.add(match[1]);
+      tokens.push(match[1]);
+    }
+  }
+  return { template, tokens };
+}
+// src/validator.ts
+var SQL_INJECTION_PATTERNS = [
+  { name: "inline comment", regex: /--/ },
+  { name: "block comment open", regex: /\/\*/ },
+  { name: "block comment close", regex: /\*\// },
+  { name: "statement separator", regex: /;/ },
+  { name: "DDL command", regex: /\b(DROP|ALTER|TRUNCATE|CREATE)\b/i },
+  { name: "UNION injection", regex: /\bUNION\s+(ALL\s+)?SELECT\b/i },
+  { name: "INSERT", regex: /\bINSERT\s+INTO\b/i },
+  { name: "DELETE", regex: /\bDELETE\s+FROM\b/i },
+  { name: "UPDATE", regex: /\bUPDATE\s+\S+\s+SET\b/i },
+  { name: "EXEC", regex: /\b(EXEC|EXECUTE)\b/i },
+  { name: "time-based injection", regex: /\b(SLEEP|BENCHMARK)\s*\(/i },
+  { name: "WAITFOR", regex: /\bWAITFOR\s+DELAY\b/i },
+  { name: "system procedure", regex: /\b(xp_|sp_)\w+/i },
+  { name: "GRANT/REVOKE", regex: /\b(GRANT|REVOKE)\b/i },
+  { name: "file operation", regex: /\b(LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE)\b/i },
+  { name: "LOAD DATA", regex: /\bLOAD\s+DATA\b/i }
+];
+function detectSqlInjection(key, value) {
+  for (const pattern of SQL_INJECTION_PATTERNS) {
+    if (pattern.regex.test(value)) {
+      throw new Error(
+        `SQL injection pattern detected in '${key}': value contains forbidden pattern (${pattern.name})`
+      );
+    }
+  }
+}
+function escapeValue(value) {
+  if (typeof value === "string") {
+    return value.replace(/'/g, "''");
+  }
+  return String(value);
+}
+function validateAndConvert(key, value) {
+  if (value === null || value === void 0) {
+    throw new Error(`Validation failed for '${key}': value cannot be null or undefined`);
+  }
+  switch (typeof value) {
+    case "number":
+      if (Number.isNaN(value) || !Number.isFinite(value)) {
+        throw new Error(`Validation failed for '${key}': expected a finite number`);
+      }
+      return String(value);
+    case "boolean":
+      return String(value);
+    case "string":
+      detectSqlInjection(key, value);
+      return escapeValue(value);
+    default:
+      throw new Error(
+        `Validation failed for '${key}': unsupported type '${typeof value}'`
+      );
+  }
+}
+// src/renderer.ts
+function render(template, values) {
+  let result = template;
+  for (const [key, value] of Object.entries(values)) {
+    const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    const pattern = new RegExp(`\\{\\{${escaped}\\}\\}`, "g");
+    result = result.replace(pattern, value);
+  }
+  return result;
+}
+// src/schema.ts
+var ISO_DATE_REGEX = /^\d{4}-\d{2}-\d{2}$/;
+var ISO_TIMESTAMP_REGEX = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$/;
+var IDENTIFIER_REGEX = /^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*){0,2}$/;
+var UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var S3_PATH_REGEX = /^s3:\/\/[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](\/[a-zA-Z0-9._\-/=]*)?$/;
+function descriptor(validate) {
+  return { validate };
+}
+function isString(val) {
+  return typeof val === "string";
+}
+function isValidDate(year, month, day) {
+  const d = new Date(year, month - 1, day);
+  return d.getFullYear() === year && d.getMonth() === month - 1 && d.getDate() === day;
+}
+function isValidTime(hours, minutes, seconds) {
+  return hours >= 0 && hours <= 23 && minutes >= 0 && minutes <= 59 && seconds >= 0 && seconds <= 59;
+}
+var schema = {
+  string: descriptor((val) => {
+    if (!isString(val)) return false;
+    return !SQL_INJECTION_PATTERNS.some((p) => p.regex.test(val));
+  }),
+  number: descriptor((val) => typeof val === "number" && Number.isFinite(val)),
+  boolean: descriptor((val) => typeof val === "boolean"),
+  isoDate: descriptor((val) => {
+    if (!isString(val) || !ISO_DATE_REGEX.test(val)) return false;
+    const [y, m, d] = val.split("-").map(Number);
+    return isValidDate(y, m, d);
+  }),
+  isoTimestamp: descriptor((val) => {
+    if (!isString(val) || !ISO_TIMESTAMP_REGEX.test(val)) return false;
+    const [datePart, rest] = val.split("T");
+    const [y, m, d] = datePart.split("-").map(Number);
+    if (!isValidDate(y, m, d)) return false;
+    const timePart = rest.replace(/[Z+-].*$/, "");
+    const [hh, mm, ssRaw] = timePart.split(":");
+    const ss = parseFloat(ssRaw);
+    return isValidTime(Number(hh), Number(mm), Math.floor(ss));
+  }),
+  identifier: descriptor((val) => isString(val) && IDENTIFIER_REGEX.test(val)),
+  uuid: descriptor((val) => isString(val) && UUID_REGEX.test(val)),
+  positiveInt: descriptor((val) => typeof val === "number" && Number.isInteger(val) && val > 0),
+  s3Path: descriptor((val) => isString(val) && S3_PATH_REGEX.test(val)),
+  enum: (...values) => descriptor(
+    (val) => isString(val) && values.includes(val)
+  )
+};
+// src/index.ts
+function defineQuery(filePath, schemaDef) {
+  const { template, tokens } = loadTemplate(filePath);
+  if (schemaDef) {
+    const schemaKeys = Object.keys(schemaDef);
+    for (const key of schemaKeys) {
+      const desc = schemaDef[key];
+      if (!desc || typeof desc.validate !== "function") {
+        throw new Error(
+          `Invalid schema descriptor for '${key}': must have a validate(val) method`
+        );
+      }
+    }
+    const missingInSchema = tokens.filter((tok) => !schemaKeys.includes(tok));
+    if (missingInSchema.length > 0) {
+      throw new Error(
+        `Schema missing definitions for template variables: [${missingInSchema.join(", ")}]`
+      );
+    }
+    const extraInSchema = schemaKeys.filter((k) => !tokens.includes(k));
+    if (extraInSchema.length > 0) {
+      throw new Error(
+        `Schema defines variables not in template: [${extraInSchema.join(", ")}]`
+      );
+    }
+  }
+  return (params) => {
+    const paramKeys = Object.keys(params);
+    const missing = tokens.filter((tok) => !paramKeys.includes(tok));
+    if (missing.length > 0) {
+      throw new Error(`Missing variables in params: [${missing.join(", ")}]`);
+    }
+    const extra = paramKeys.filter((k) => !tokens.includes(k));
+    if (extra.length > 0) {
+      throw new Error(`Extra variables not in template: [${extra.join(", ")}]`);
+    }
+    const values = {};
+    for (const key of tokens) {
+      const value = params[key];
+      if (schemaDef) {
+        if (value === null || value === void 0) {
+          throw new Error(`Validation failed for '${key}': value cannot be null or undefined`);
+        }
+        const desc = schemaDef[key];
+        if (!desc.validate(value)) {
+          throw new Error(
+            `Schema validation failed for '${key}': received ${typeof value} (${JSON.stringify(value)})`
+          );
+        }
+        values[key] = escapeValue(value);
+      } else {
+        values[key] = validateAndConvert(key, value);
+      }
+    }
+    return { sql: render(template, values) };
+  };
+}
+export {
+  SQL_INJECTION_PATTERNS,
+  defineQuery,
+  schema
+};

package/package.json ADDED Viewed

@@ -0,0 +1,52 @@
+{
+  "name": "sql-render",
+  "version": "0.1.0",
+  "description": "Type-safe {{variable}} templating for .sql files with built-in injection protection",
+  "author": "bug3",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "eslint src/ tests/",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "sql",
+    "sql-template",
+    "sql-render",
+    "sql-injection",
+    "athena",
+    "aws-athena",
+    "trino",
+    "query-builder",
+    "type-safe",
+    "schema-validation",
+    "typescript"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=20"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.39.4",
+    "@types/node": "^25.5.2",
+    "eslint": "^9.39.4",
+    "sql-formatter": "^15.7.3",
+    "tsup": "^8.5.1",
+    "typescript": "^6.0.2",
+    "typescript-eslint": "^8.58.0",
+    "vitest": "^4.1.2"
+  }
+}