
Logflare / logflare / 71bd0c4c0c7bbfadee95cd12aa3dca0c0f9e79da
81%

Build:
DEFAULT BRANCH: main
Ran 21 May 2026 11:52AM UTC
Jobs 1
Files 474
Run time 2min
21 May 2026 11:39AM UTC coverage: 80.45% (-0.02%) from 80.467%
71bd0c4c0c7bbfadee95cd12aa3dca0c0f9e79da

push

github

web-flow
Apply validation to :pg_sql transform path to block DML and restricted functions (#3424)

* Apply validation to :pg_sql transform path to block DML and restricted functions

The :pg_sql transform path skipped validate_query/2, allowing DML statements
(UPDATE, INSERT, DELETE, DROP, etc.), wildcard SELECTs, multiple statements,
and unrestricted function calls against PostgreSQL backends.

This commit:
- Adds validate_query/2 to the :pg_sql transform pipeline, matching the
  existing BQ and ClickHouse paths
- Adds nil BQ-specific fields (user_project_id, logflare_project_id,
  sandboxed_query_ast) to the pg_sql data map so check_all_sources_allowed
  correctly enforces source allowlisting
- Introduces @pg_restricted_functions covering information-disclosure
  (current_user, session_user, pg_read_file, etc.) and destructive/DoS
  functions (pg_sleep, pg_terminate_backend, pg_reload_conf, etc.)
- Extends maybe_check_restricted_functions and
  list_restricted_functions_for_dialect to cover the "postgres" dialect
- Adds tests for all blocked cases (UPDATE, INSERT, DELETE, multi-statement,
  wildcard, restricted functions, unknown sources)

Closes PRODSEC-29

https://claude.ai/code/session_01YLSeN98zjRkz9Fj3hLFLkW

* Add postgres adaptor integration tests for DML query blocking

Verify that the Sql.transform validation is enforced end-to-end
through Endpoints.run_query_string for :pg_sql queries: UPDATE,
INSERT, DELETE, multi-statement, wildcard SELECT, and restricted
functions (current_user, pg_read_file) are all rejected, while
valid SELECT queries continue to work.

https://claude.ai/code/session_01YLSeN98zjRkz9Fj3hLFLkW

* Refactor DML blocking integration tests to use for/do comprehension

https://claude.ai/code/session_01YLSeN98zjRkz9Fj3hLFLkW

* Harden pg_sql validation: allowlist SELECT-only and block lo_import/lo_export

Switch check_select_statement_only from a blocklist to an allowlist that
only permits %{"Query" => _} AST nodes, blocking DDL state... (continued)

31 of 35 new or added lines in 2 files covered. (88.57%)

2 existing lines in 1 file now uncovered.

12654 of 15729 relevant lines covered (80.45%)

3768.0 hits per line

Uncovered Changes

Lines Coverage ∆ File
3 92.41 -1.18% lib/logflare/endpoints.ex
1 96.84 0.06% lib/logflare/sql.ex

Coverage Regressions

Lines Coverage ∆ File
2 74.36 -5.13% lib/logflare/sources/counters.ex
Jobs
ID Job ID Ran Files Coverage
1 71bd0c4c0c7bbfadee95cd12aa3dca0c0f9e79da.1 21 May 2026 11:52AM UTC 474 80.45
GitHub Action Run
Source Files on build 71bd0c4c0c7bbfadee95cd12aa3dca0c0f9e79da
  • Tree
  • List 474
  • Changed 3
  • Source Changed 0
  • Coverage Changed 3