PyPI - velocity-python - Versions diffs - 0.1.2__tar.gz → 0.1.3__tar.gz - Mend

velocity-python 0.1.2tar.gz → 0.1.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

{velocity_python-0.1.2 → velocity_python-0.1.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: velocity-python
-Version: 0.1.2
+Version: 0.1.3
 Summary: A rapid application development library for interfacing with data storage
 Author-email: Velocity Team <info@codeclubs.org>
 License-Expression: MIT

{velocity_python-0.1.2 → velocity_python-0.1.3}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "velocity-python"
-version = "0.1.2"
+version = "0.1.3"
 authors = [
   { name="Velocity Team", email="info@codeclubs.org" },
 ]

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/__init__.py RENAMED Viewed

@@ -1,4 +1,4 @@
-__version__ = version = "0.1.2"
+__version__ = version = "0.1.3"
 import importlib as _importlib

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/db/core/column.py RENAMED Viewed

@@ -125,8 +125,9 @@ class Column:
         Returns the MAX() of this column, or 0 if table/column is missing.
         """
         try:
+            qcol = self.sql.quote_identifier(self.name)
             sql, vals = self.sql.select(
-                columns=f"max({self.name})", table=self.table.name, where=where
+                columns=f"max({qcol})", table=self.table.name, where=where
             )
             return self.tx.execute(sql, vals).scalar()
         except (exceptions.DbTableMissingError, exceptions.DbColumnMissingError):

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/db/core/engine.py RENAMED Viewed

@@ -7,7 +7,7 @@ from contextlib import contextmanager
 from functools import wraps
 from velocity.db import exceptions
 from velocity.db.core.transaction import Transaction
-from velocity.db.utils import mask_config_for_display
+from velocity.db.utils import mask_config_for_display, mask_sensitive_in_string
 import logging
@@ -714,6 +714,10 @@ class Engine:
         if relevant_frames:
             enhanced_message += "\n\nCall Context:\n" + "".join(relevant_frames)
+        # Mask any credentials that may have leaked into driver error messages
+        # (e.g. connection strings containing password=...).
+        enhanced_message = mask_sensitive_in_string(enhanced_message)
         # Note: SQL formatting for logging is available via _format_sql_with_params,
         # but we intentionally avoid eager logging here.

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/db/core/table.py RENAMED Viewed

@@ -1,3 +1,4 @@
+import logging
 import re
 import warnings
 import sqlparse
@@ -12,6 +13,8 @@ from velocity.db.core.decorators import (
     reset_id_on_dup_key,
 )
+_ddl_logger = logging.getLogger(__name__)
 class Query:
     """
@@ -252,6 +255,7 @@ class Table:
         )
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL CREATE INDEX on %s columns=%s unique=%s", self.name, columns, unique)
         self.tx.execute(sql, vals, cursor=self.cursor())
     def create_indexes(self, indexes, **kwds):
@@ -317,6 +321,7 @@ class Table:
         sql, vals = self.sql.drop_index(self.name, columns)
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL DROP INDEX on %s columns=%s", self.name, columns)
         self.tx.execute(sql, vals, cursor=self.cursor())
     @return_default(None)
@@ -325,6 +330,7 @@ class Table:
         Drops a column from this table.
         """
         sql, vals = self.sql.drop_column(self.name, column)
+        _ddl_logger.warning("DDL DROP COLUMN %s on %s", column, self.name)
         self.tx.execute(sql, vals, cursor=self.cursor())
     def create(self, columns=None, drop=False):
@@ -334,6 +340,7 @@ class Table:
         """
         columns = columns or {}
         sql, vals = self.sql.create_table(self.name, columns, drop)
+        _ddl_logger.warning("DDL CREATE TABLE %s columns=%s drop=%s", self.name, list(columns.keys()), drop)
         self.tx.execute(sql, vals, cursor=self.cursor())
     def drop(self):
@@ -341,6 +348,7 @@ class Table:
         Drops this table if it exists.
         """
         sql, vals = self.sql.drop_table(self.name)
+        _ddl_logger.warning("DDL DROP TABLE %s", self.name)
         self.tx.execute(sql, vals, cursor=self.cursor())
     def exists(self):
@@ -625,6 +633,7 @@ class Table:
         )
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL CREATE FOREIGN KEY on %s columns=%s ref=%s(%s)", self.name, columns, key_to_table, key_to_columns)
         return self.tx.execute(sql, vals, cursor=self.cursor())
     def drop_foreign_key(self, columns, key_to_table, key_to_columns="sys_id", **kwds):
@@ -636,6 +645,7 @@ class Table:
         )
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL DROP FOREIGN KEY on %s columns=%s ref=%s(%s)", self.name, columns, key_to_table, key_to_columns)
         return self.tx.execute(sql, vals, cursor=self.cursor())
     def rename(self, name, **kwds):
@@ -645,6 +655,7 @@ class Table:
         sql, vals = self.sql.rename_table(self.name, name)
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL RENAME TABLE %s to %s", self.name, name)
         self.tx.execute(sql, vals, cursor=self.cursor())
         self.name = name
@@ -784,6 +795,7 @@ class Table:
                 return statements[0]
             return statements
+        _ddl_logger.warning("DDL ALTER TABLE %s columns=%s mode=%s", self.name, list(columns.keys()), mode)
         for sql, vals in statements:
             if not sql:
                 continue
@@ -808,6 +820,7 @@ class Table:
         )
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL ALTER COLUMN TYPE on %s column=%s", self.name, column)
         self.tx.execute(sql, vals, cursor=self.cursor())
     @create_missing
@@ -1069,9 +1082,10 @@ class Table:
         """
         Returns the sum of the given column across rows matching `where`.
         """
+        qcol = self.sql.quote_identifier(column)
         sql, vals = self.sql.select(
             self.tx,
-            columns=f"coalesce(sum(coalesce({column},0)),0)",
+            columns=f"coalesce(sum(coalesce({qcol},0)),0)",
             table=self.name,
             where=where,
         )
@@ -1322,6 +1336,7 @@ class Table:
         )
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL CREATE VIEW %s temp=%s", name, temp)
         return self.tx.execute(sql, vals)
     def drop_view(self, name, silent=True, **kwds):
@@ -1331,6 +1346,7 @@ class Table:
         sql, vals = self.sql.drop_view(name=name, silent=silent)
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL DROP VIEW %s", name)
         return self.tx.execute(sql, vals)
     def alter_trigger(self, name="USER", state="ENABLE", **kwds):
@@ -1340,6 +1356,7 @@ class Table:
         sql, vals = self.sql.alter_trigger(table=self.name, state=state, name=name)
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL ALTER TRIGGER %s on %s state=%s", name, self.name, state)
         return self.tx.execute(sql, vals)
     def rename_column(self, orig, new, **kwds):
@@ -1349,6 +1366,7 @@ class Table:
         sql, vals = self.sql.rename_column(table=self.name, orig=orig, new=new)
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL RENAME COLUMN on %s %s -> %s", self.name, orig, new)
         return self.tx.execute(sql, vals)
     def set_sequence(self, next_value=1000, **kwds):
@@ -1358,6 +1376,7 @@ class Table:
         sql, vals = self.sql.set_sequence(table=self.name, next_value=next_value)
         if kwds.get("sql_only", False):
             return sql, vals
+        _ddl_logger.warning("DDL SET SEQUENCE on %s next_value=%s", self.name, next_value)
         return self.tx.execute(sql, vals).scalar()
     def get_sequence(self, **kwds):
@@ -1396,8 +1415,9 @@ class Table:
         """
         Returns the MAX() of the specified column.
         """
+        qcol = self.sql.quote_identifier(column)
         sql, vals = self.sql.select(
-            self.tx, columns=f"max({column})", table=self.name, where=where
+            self.tx, columns=f"max({qcol})", table=self.name, where=where
         )
         if kwds.get("sql_only", False):
             return sql, vals
@@ -1408,8 +1428,9 @@ class Table:
         """
         Returns the MIN() of the specified column.
         """
+        qcol = self.sql.quote_identifier(column)
         sql, vals = self.sql.select(
-            self.tx, columns=f"min({column})", table=self.name, where=where
+            self.tx, columns=f"min({qcol})", table=self.name, where=where
         )
         if kwds.get("sql_only", False):
             return sql, vals

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/db/servers/base/sql.py RENAMED Viewed

@@ -38,6 +38,16 @@ class BaseSQLDialect(ABC):
     DatabaseObjectExistsErrorCodes: List[str] = []
     DataIntegrityErrorCodes: List[str] = []
+    @classmethod
+    def quote_identifier(cls, name: str) -> str:
+        """Always-quote a single SQL identifier to prevent injection.
+        Uses standard SQL double-quoting.  Dialect subclasses override for
+        MySQL (backticks) and SQL Server (brackets).
+        """
+        escaped = name.replace('"', '""')
+        return f'"{escaped}"'
     @classmethod
     @abstractmethod
     def get_error(cls, e: Exception) -> Optional[str]:

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/db/servers/mysql/sql.py RENAMED Viewed

@@ -48,6 +48,11 @@ class SQL(BaseSQLDialect):
     type_column_identifier = "DATA_TYPE"
     is_nullable = "IS_NULLABLE"
+    @classmethod
+    def quote_identifier(cls, name: str) -> str:
+        escaped = name.replace('`', '``')
+        return f'`{escaped}`'
     default_schema = ""
     ApplicationErrorCodes = []

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity/db/servers/sqlserver/sql.py RENAMED Viewed

@@ -48,6 +48,11 @@ class SQL(BaseSQLDialect):
     type_column_identifier = "DATA_TYPE"
     is_nullable = "IS_NULLABLE"
+    @classmethod
+    def quote_identifier(cls, name: str) -> str:
+        escaped = name.replace(']', ']]')
+        return f'[{escaped}]'
     default_schema = "dbo"
     # SQL Server error numbers

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity_python.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: velocity-python
-Version: 0.1.2
+Version: 0.1.3
 Summary: A rapid application development library for interfacing with data storage
 Author-email: Velocity Team <info@codeclubs.org>
 License-Expression: MIT

{velocity_python-0.1.2 → velocity_python-0.1.3}/src/velocity_python.egg-info/SOURCES.txt RENAMED Viewed

@@ -169,6 +169,7 @@ tests/test_psycopg3_upgrade.py
 tests/test_query_cache.py
 tests/test_row_batch_update.py
 tests/test_row_cache_staleness.py
+tests/test_security_hardening.py
 tests/test_sqs_per_record_transactions.py
 tests/test_sys_modified_count_postgres_demo.py
 tests/test_table_alter.py

velocity_python-0.1.3/tests/test_security_hardening.py ADDED Viewed

@@ -0,0 +1,256 @@
+"""
+Tests for R10 — Security Hardening: column quoting, DDL logging, credential masking.
+"""
+import logging
+import re
+import pytest
+from unittest.mock import MagicMock, patch, call
+from velocity.db.servers.base.sql import BaseSQLDialect
+# ──────────────────────────────────────────────────────────────────────
+# quote_identifier tests
+# ──────────────────────────────────────────────────────────────────────
+class TestQuoteIdentifier:
+    """Verify quote_identifier on each dialect."""
+    def test_base_dialect_double_quotes(self):
+        assert BaseSQLDialect.quote_identifier("amount") == '"amount"'
+    def test_base_dialect_escapes_internal_quotes(self):
+        assert BaseSQLDialect.quote_identifier('col"name') == '"col""name"'
+    def test_base_dialect_prevents_injection(self):
+        malicious = 'sys_id); DROP TABLE users; --'
+        quoted = BaseSQLDialect.quote_identifier(malicious)
+        # Must be a single quoted identifier — entire payload wrapped in quotes
+        assert quoted.startswith('"')
+        assert quoted.endswith('"')
+        assert quoted == '"sys_id); DROP TABLE users; --"'
+        # When embedded in SQL like max("sys_id); DROP TABLE users; --"),
+        # the DB treats the whole thing as one (non-existent) column name
+    def test_postgres_inherits_default(self):
+        from velocity.db.servers.postgres.sql import SQL as PgSQL
+        assert PgSQL.quote_identifier("balance") == '"balance"'
+    def test_mysql_uses_backticks(self):
+        from velocity.db.servers.mysql.sql import SQL as MySqlSQL
+        assert MySqlSQL.quote_identifier("balance") == "`balance`"
+    def test_mysql_escapes_backtick(self):
+        from velocity.db.servers.mysql.sql import SQL as MySqlSQL
+        assert MySqlSQL.quote_identifier("col`name") == "`col``name`"
+    def test_sqlserver_uses_brackets(self):
+        from velocity.db.servers.sqlserver.sql import SQL as SsSQL
+        assert SsSQL.quote_identifier("balance") == "[balance]"
+    def test_sqlserver_escapes_bracket(self):
+        from velocity.db.servers.sqlserver.sql import SQL as SsSQL
+        assert SsSQL.quote_identifier("col]name") == "[col]]name]"
+# ──────────────────────────────────────────────────────────────────────
+# Aggregate column quoting integration tests
+# ──────────────────────────────────────────────────────────────────────
+def _make_table():
+    """Create a Table with a mocked transaction and Postgres SQL dialect."""
+    from velocity.db.core.table import Table
+    from velocity.db.servers.postgres.sql import SQL as PgSQL
+    tx = MagicMock()
+    tx.engine.sql = PgSQL
+    table = Table(tx, "accounts")
+    table._cursor_obj = MagicMock()
+    return table
+class TestAggregateQuoting:
+    """Verify aggregate SQL uses quoted column names."""
+    def test_sum_quotes_column(self):
+        table = _make_table()
+        sql, _ = table.sum("balance", sql_only=True)
+        # Column should be double-quoted inside the aggregate
+        assert '"balance"' in sql
+        assert 'sum(coalesce("balance"' in sql
+    def test_max_quotes_column(self):
+        table = _make_table()
+        sql, _ = table.max("amount", sql_only=True)
+        assert 'max("amount")' in sql
+    def test_min_quotes_column(self):
+        table = _make_table()
+        sql, _ = table.min("amount", sql_only=True)
+        assert 'min("amount")' in sql
+    def test_sum_injection_prevented(self):
+        table = _make_table()
+        malicious = "balance); DROP TABLE users; --"
+        sql, _ = table.sum(malicious, sql_only=True)
+        # The malicious payload should be inside quotes, not executable
+        assert "DROP TABLE" not in sql.split('"')[-1]  # not outside quotes
+    def test_max_injection_prevented(self):
+        table = _make_table()
+        malicious = "x); DELETE FROM accounts; --"
+        sql, _ = table.max(malicious, sql_only=True)
+        assert "DELETE" not in sql.replace('"', "").split(")")[0]
+# ──────────────────────────────────────────────────────────────────────
+# DDL audit logging tests
+# ──────────────────────────────────────────────────────────────────────
+class TestDDLAuditLogging:
+    """Verify DDL operations emit WARNING log messages."""
+    def _make_table_with_sql(self):
+        from velocity.db.core.table import Table
+        tx = MagicMock()
+        sql_dialect = MagicMock()
+        sql_dialect.create_table.return_value = ("CREATE TABLE ...", [])
+        sql_dialect.drop_table.return_value = ("DROP TABLE ...", [])
+        sql_dialect.create_index.return_value = ("CREATE INDEX ...", [])
+        sql_dialect.drop_index.return_value = ("DROP INDEX ...", [])
+        sql_dialect.drop_column.return_value = ("ALTER TABLE DROP COLUMN ...", [])
+        sql_dialect.create_foreign_key.return_value = ("ALTER TABLE ADD FK ...", [])
+        sql_dialect.rename_table.return_value = ("ALTER TABLE RENAME ...", [])
+        sql_dialect.rename_column.return_value = ("ALTER TABLE RENAME COLUMN ...", [])
+        sql_dialect.alter_trigger.return_value = ("ALTER TABLE TRIGGER ...", [])
+        sql_dialect.create_view.return_value = ("CREATE VIEW ...", [])
+        sql_dialect.drop_view.return_value = ("DROP VIEW ...", [])
+        sql_dialect.set_sequence.return_value = ("ALTER SEQUENCE ...", [])
+        sql_dialect.alter_column_by_type.return_value = ("ALTER COLUMN ...", [])
+        tx.engine.sql = sql_dialect
+        tx.execute.return_value = MagicMock(cursor=MagicMock(), scalar=MagicMock(return_value=0))
+        table = Table(tx, "test_table")
+        table._cursor_obj = MagicMock()
+        return table
+    def test_create_table_logs_warning(self, caplog):
+        table = self._make_table_with_sql()
+        with caplog.at_level(logging.WARNING, logger="velocity.db.core.table"):
+            table.create(columns={"name": "text", "age": "int"})
+        assert any("DDL CREATE TABLE test_table" in r.message for r in caplog.records)
+        assert any("name" in r.message and "age" in r.message for r in caplog.records)
+    def test_drop_table_logs_warning(self, caplog):
+        table = self._make_table_with_sql()
+        with caplog.at_level(logging.WARNING, logger="velocity.db.core.table"):
+            table.drop()
+        assert any("DDL DROP TABLE test_table" in r.message for r in caplog.records)
+    def test_create_index_logs_warning(self, caplog):
+        table = self._make_table_with_sql()
+        with caplog.at_level(logging.WARNING, logger="velocity.db.core.table"):
+            table.create_index(columns=["email"], unique=True)
+        assert any("DDL CREATE INDEX" in r.message and "unique=True" in r.message for r in caplog.records)
+    def test_drop_column_logs_warning(self, caplog):
+        table = self._make_table_with_sql()
+        with caplog.at_level(logging.WARNING, logger="velocity.db.core.table"):
+            table.drop_column("old_col")
+        assert any("DDL DROP COLUMN old_col" in r.message for r in caplog.records)
+    def test_rename_column_logs_warning(self, caplog):
+        table = self._make_table_with_sql()
+        with caplog.at_level(logging.WARNING, logger="velocity.db.core.table"):
+            table.rename_column("old", "new")
+        assert any("DDL RENAME COLUMN" in r.message and "old -> new" in r.message for r in caplog.records)
+    def test_sql_only_does_not_log(self, caplog):
+        """sql_only=True should return SQL without logging."""
+        table = self._make_table_with_sql()
+        with caplog.at_level(logging.WARNING, logger="velocity.db.core.table"):
+            result = table.create_index(columns=["email"], sql_only=True)
+        assert not any("DDL" in r.message for r in caplog.records)
+        assert result is not None  # Should return the SQL tuple
+# ──────────────────────────────────────────────────────────────────────
+# Credential masking in error messages
+# ──────────────────────────────────────────────────────────────────────
+class TestCredentialMasking:
+    """Verify credentials are masked in error messages raised by process_error."""
+    def test_password_masked_in_connection_error(self):
+        from velocity.db.core.engine import Engine
+        from velocity.db import exceptions
+        engine = MagicMock(spec=Engine)
+        engine.sql = MagicMock()
+        engine.sql.get_error.return_value = (None, "connection refused")
+        engine.sql.ConnectionErrorCodes = []
+        engine.sql.ApplicationErrorCodes = []
+        engine.sql.ColumnMissingErrorCodes = []
+        engine.sql.TableMissingErrorCodes = []
+        engine.sql.DatabaseMissingErrorCodes = []
+        engine.sql.ForeignKeyMissingErrorCodes = []
+        engine.sql.TruncationErrorCodes = []
+        engine.sql.DataIntegrityErrorCodes = []
+        engine.sql.DuplicateKeyErrorCodes = []
+        engine.sql.DatabaseObjectExistsErrorCodes = []
+        engine.sql.LockTimeoutErrorCodes = []
+        engine.sql.RetryTransactionCodes = []
+        engine.sql.is_connection_error_message.return_value = False
+        # Simulate a driver error that includes a password in its message
+        exc = Exception("connection to host=db.example.com password=s3cret123 failed")
+        with pytest.raises(Exception) as exc_info:
+            Engine.process_error(engine, exc)
+        msg = str(exc_info.value)
+        assert "s3cret123" not in msg
+        assert "*****" in msg
+    def test_url_credentials_masked(self):
+        from velocity.db.core.engine import Engine
+        engine = MagicMock(spec=Engine)
+        engine.sql = MagicMock()
+        engine.sql.get_error.return_value = (None, "fail")
+        engine.sql.ConnectionErrorCodes = []
+        engine.sql.ApplicationErrorCodes = []
+        engine.sql.ColumnMissingErrorCodes = []
+        engine.sql.TableMissingErrorCodes = []
+        engine.sql.DatabaseMissingErrorCodes = []
+        engine.sql.ForeignKeyMissingErrorCodes = []
+        engine.sql.TruncationErrorCodes = []
+        engine.sql.DataIntegrityErrorCodes = []
+        engine.sql.DuplicateKeyErrorCodes = []
+        engine.sql.DatabaseObjectExistsErrorCodes = []
+        engine.sql.LockTimeoutErrorCodes = []
+        engine.sql.RetryTransactionCodes = []
+        engine.sql.is_connection_error_message.return_value = False
+        exc = Exception("could not connect to postgresql://admin:supersecret@db:5432/mydb")
+        with pytest.raises(Exception) as exc_info:
+            Engine.process_error(engine, exc)
+        msg = str(exc_info.value)
+        assert "supersecret" not in msg
+        assert "*****" in msg
+    def test_mask_sensitive_in_string_function(self):
+        from velocity.db.utils import mask_sensitive_in_string
+        # password= pattern
+        assert "s3cret" not in mask_sensitive_in_string("password=s3cret host=db")
+        # URL pattern
+        assert "mypass" not in mask_sensitive_in_string("postgresql://user:mypass@host/db")
+        # No credentials — unchanged
+        assert mask_sensitive_in_string("normal error text") == "normal error text"