supabase / supabase / 26405018480
73%

Build:
DEFAULT BRANCH: master
Ran 25 May 2026 02:19PM UTC
Jobs 1
Files 94
Run time 1min
25 May 2026 02:16PM UTC coverage: 72.146%. Remained the same
26405018480

push

github

web-flow
feat(logs): brand ServiceFlow.sql.ts with SafeLogSqlFragment (#46336)

## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Refactor / security hardening (part 3 of stacked analytics safe-SQL
series; stacks on top of PR 2: "feat(logs): route unified-logs hooks
through executeAnalyticsSql")

## What is the current behavior?

`ServiceFlow.sql.ts` interpolates `logId` and `serviceType` as raw
template-literal strings directly into SQL (e.g. `` `WHERE el.id =
'${logId}'` ``). The legacy BigQuery branch of
`unified-log-inspection-query.ts` calls `post()` directly with a plain
`string`-typed SQL value, bypassing the `executeAnalyticsSql`
wire-boundary.

## What is the new behavior?

- Add `SAFE_SERVICE_LITERAL: Record<EdgeServiceType,
SafeLogSqlFragment>` — pre-branded SQL string literals for each service
type, built with `analyticsLiteral`.
- Rewrite `getBaseEdgeServiceFlowQuery`,
`getEdgeFunctionServiceFlowQuery`, and `getPostgresServiceFlowQuery` to
use `safeSql` template tag with `analyticsLiteral(logId)` and
`SAFE_SERVICE_LITERAL[serviceType]`. Return types changed to
`SafeLogSqlFragment`.
- Update the four thin wrappers (`getPostgrestServiceFlowQuery`,
`getAuthServiceFlowQuery`, `getStorageServiceFlowQuery`) to return
`SafeLogSqlFragment`.
- Replace `let sql = ''` + direct `post()` call in
`unified-log-inspection-query.ts`'s legacy BigQuery branch with `let
sql: SafeLogSqlFragment` + `executeAnalyticsSql`, eliminating the last
direct `post()` call to the analytics endpoint in this file.

`pnpm typecheck` passes cleanly.

## Additional context

## Summary by CodeRabbit

* **Bug Fixes**
  * Secured analytics and log inspection queries through parameterized SQL
    execution, preventing potential SQL injection vulnerabilities.

972 of 1368 branches covered (71.05%)

Branch coverage included in aggregate %.

1499 of 2057 relevant lines covered (72.87%)

242.41 hits per line

Subprojects
ID | Flag name | Job ID | Ran | Files | Coverage
1 | studio-tests | 26405018480.1 | 25 May 2026 02:19PM UTC | 94 | 72.15
  • 1d2817da on github