1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
|
// Enhanced SQL query builder with proper validation and complex WHERE support
use anyhow::{Context, Result};
use regex::Regex;
use serde_json::Value;
use crate::config::Config;
use crate::models::{FilterCondition, FilterOperator, OrderBy, OrderDirection};
/// Parse a table reference possibly containing an alias into (base_table, alias)
/// Accepts formats like: "table", "table alias", "table AS alias" (AS case-insensitive)
pub fn parse_table_and_alias(input: &str) -> (String, Option<String>) {
let s = input.trim();
// Normalize multiple spaces
let parts: Vec<&str> = s.split_whitespace().collect();
if parts.is_empty() {
return (String::new(), None);
}
if parts.len() == 1 {
return (parts[0].to_string(), None);
}
if parts.len() >= 3 && parts[1].eq_ignore_ascii_case("AS") {
// table AS alias [ignore extra]
return (parts[0].to_string(), Some(parts[2].to_string()));
}
// table alias
(parts[0].to_string(), Some(parts[1].to_string()))
}
/// Validates a table name against known tables and SQL injection patterns
pub fn validate_table_name(table: &str, config: &Config) -> Result<()> {
// Check if empty
if table.trim().is_empty() {
anyhow::bail!("Table name cannot be empty");
}
// Check against known tables list
let known_tables = config.get_known_tables();
if !known_tables.contains(&table.to_string()) {
anyhow::bail!("Table '{}' is not in the known tables list", table);
}
// Validate format: only alphanumeric and underscores, must start with letter
let table_regex =
Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]*$").context("Failed to compile table name regex")?;
if !table_regex.is_match(table) {
anyhow::bail!("Invalid table name format: '{}'. Must start with a letter and contain only letters, numbers, and underscores", table);
}
// Additional security: check for SQL keywords and dangerous patterns
let dangerous_patterns = [
"--", "/*", "*/", ";", "DROP", "ALTER", "CREATE", "EXEC", "EXECUTE",
];
let table_upper = table.to_uppercase();
for pattern in &dangerous_patterns {
if table_upper.contains(pattern) {
anyhow::bail!("Table name contains forbidden pattern: '{}'", pattern);
}
}
Ok(())
}
/// Validates a column name against SQL injection patterns
/// Supports: column, table.column, table.column as alias, table.*
pub fn validate_column_name(column: &str) -> Result<()> {
// Check if empty
if column.trim().is_empty() {
anyhow::bail!("Column name cannot be empty");
}
// Allow * for SELECT all
if column == "*" {
return Ok(());
}
// Check for SQL injection patterns (comments and statement terminators)
let dangerous_chars = ["--", "/*", "*/", ";"];
for pattern in &dangerous_chars {
if column.contains(pattern) {
anyhow::bail!("Column name contains forbidden pattern: '{}'", pattern);
}
}
// Note: We don't block SQL keywords like DROP, CREATE, ALTER etc. in column names
// because legitimate columns like "created_date", "created_by" contain these as substrings.
// The regex validation below ensures only alphanumeric + underscore characters are allowed,
// which prevents actual SQL injection while allowing valid column names.
// Support multiple formats:
// 1. Simple column: column_name
// 2. Qualified column: table.column_name
// 3. Wildcard: table.*
// 4. Alias: column_name as alias or table.column_name as alias
// Remove AS alias if present (case insensitive)
let column_upper = column.to_uppercase();
let column_without_alias = if column_upper.contains(" AS ") {
column.split_whitespace().next().unwrap_or("")
} else {
column
};
// Check for qualified column (table.column or table.*)
if column_without_alias.contains('.') {
let parts: Vec<&str> = column_without_alias.split('.').collect();
if parts.len() != 2 {
anyhow::bail!(
"Invalid qualified column format: '{}'. Must be table.column",
column
);
}
// Validate table part
let table_regex =
Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]*$").context("Failed to compile table regex")?;
if !table_regex.is_match(parts[0]) {
anyhow::bail!("Invalid table name in qualified column: '{}'", parts[0]);
}
// Validate column part (allow * for table.*)
if parts[1] != "*" {
let column_regex =
Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]*$").context("Failed to compile column regex")?;
if !column_regex.is_match(parts[1]) {
anyhow::bail!("Invalid column name in qualified column: '{}'", parts[1]);
}
}
} else {
// Simple column name validation
let column_regex = Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]*$")
.context("Failed to compile column name regex")?;
if !column_regex.is_match(column_without_alias) {
anyhow::bail!("Invalid column name format: '{}'. Must start with a letter and contain only letters, numbers, and underscores", column);
}
}
Ok(())
}
/// Validates multiple column names
pub fn validate_column_names(columns: &[String]) -> Result<()> {
for column in columns {
validate_column_name(column).with_context(|| format!("Invalid column name: {}", column))?;
}
Ok(())
}
/// Build WHERE clause from enhanced FilterCondition
/// Supports complex operators (=, !=, >, <, LIKE, IN, IS NULL, etc.) and nested logic (AND, OR, NOT)
pub fn build_filter_clause(filter: &FilterCondition) -> Result<(String, Vec<String>)> {
match filter {
FilterCondition::Simple {
column,
operator,
value,
} => {
validate_column_name(column)?;
build_simple_condition(column, operator, value)
}
FilterCondition::Logical {
and_conditions,
or_conditions,
} => {
if let Some(and_conds) = and_conditions {
if and_conds.is_empty() {
anyhow::bail!("AND conditions array cannot be empty");
}
let mut conditions = Vec::new();
let mut all_values = Vec::new();
for cond in and_conds {
let (sql, values) = build_filter_clause(cond)?;
conditions.push(format!("({})", sql));
all_values.extend(values);
}
Ok((conditions.join(" AND "), all_values))
} else if let Some(or_conds) = or_conditions {
if or_conds.is_empty() {
anyhow::bail!("OR conditions array cannot be empty");
}
let mut conditions = Vec::new();
let mut all_values = Vec::new();
for cond in or_conds {
let (sql, values) = build_filter_clause(cond)?;
conditions.push(format!("({})", sql));
all_values.extend(values);
}
Ok((conditions.join(" OR "), all_values))
} else {
anyhow::bail!("Logical condition must have either 'and' or 'or' field");
}
}
FilterCondition::Not { not } => {
let (sql, values) = build_filter_clause(not)?;
Ok((format!("NOT ({})", sql), values))
}
}
}
/// Build a simple condition (column operator value)
fn build_simple_condition(
column: &str,
operator: &FilterOperator,
value: &Value,
) -> Result<(String, Vec<String>)> {
match operator {
FilterOperator::Eq => {
if value.is_null() {
Ok((format!("{} IS NULL", column), vec![]))
} else {
Ok((format!("{} = ?", column), vec![json_to_sql_string(value)]))
}
}
FilterOperator::Ne => {
if value.is_null() {
Ok((format!("{} IS NOT NULL", column), vec![]))
} else {
Ok((format!("{} != ?", column), vec![json_to_sql_string(value)]))
}
}
FilterOperator::Gt => Ok((format!("{} > ?", column), vec![json_to_sql_string(value)])),
FilterOperator::Gte => Ok((format!("{} >= ?", column), vec![json_to_sql_string(value)])),
FilterOperator::Lt => Ok((format!("{} < ?", column), vec![json_to_sql_string(value)])),
FilterOperator::Lte => Ok((format!("{} <= ?", column), vec![json_to_sql_string(value)])),
FilterOperator::Like => Ok((
format!("{} LIKE ?", column),
vec![json_to_sql_string(value)],
)),
FilterOperator::NotLike => Ok((
format!("{} NOT LIKE ?", column),
vec![json_to_sql_string(value)],
)),
FilterOperator::In => {
if let Value::Array(arr) = value {
if arr.is_empty() {
anyhow::bail!("IN operator requires non-empty array");
}
let placeholders = vec!["?"; arr.len()].join(", ");
let values: Vec<String> = arr.iter().map(json_to_sql_string).collect();
Ok((format!("{} IN ({})", column, placeholders), values))
} else {
anyhow::bail!("IN operator requires array value");
}
}
FilterOperator::NotIn => {
if let Value::Array(arr) = value {
if arr.is_empty() {
anyhow::bail!("NOT IN operator requires non-empty array");
}
let placeholders = vec!["?"; arr.len()].join(", ");
let values: Vec<String> = arr.iter().map(json_to_sql_string).collect();
Ok((format!("{} NOT IN ({})", column, placeholders), values))
} else {
anyhow::bail!("NOT IN operator requires array value");
}
}
FilterOperator::IsNull => {
// Value is ignored for IS NULL
Ok((format!("{} IS NULL", column), vec![]))
}
FilterOperator::IsNotNull => {
// Value is ignored for IS NOT NULL
Ok((format!("{} IS NOT NULL", column), vec![]))
}
FilterOperator::Between => {
if let Value::Array(arr) = value {
if arr.len() != 2 {
anyhow::bail!("BETWEEN operator requires array with exactly 2 values");
}
let val1 = json_to_sql_string(&arr[0]);
let val2 = json_to_sql_string(&arr[1]);
Ok((format!("{} BETWEEN ? AND ?", column), vec![val1, val2]))
} else {
anyhow::bail!("BETWEEN operator requires array with [min, max] values");
}
}
}
}
/// Convert JSON value to SQL string representation
/// Properly handles all JSON types including booleans (true/false -> 1/0)
fn json_to_sql_string(value: &Value) -> String {
match value {
Value::String(s) => s.clone(),
Value::Number(n) => n.to_string(),
Value::Bool(b) => {
if *b {
"1".to_string()
} else {
"0".to_string()
}
}
Value::Null => "NULL".to_string(),
_ => serde_json::to_string(value).unwrap_or_else(|_| "NULL".to_string()),
}
}
/// Build legacy WHERE clause from simple key-value JSON (for backward compatibility)
pub fn build_legacy_where_clause(where_clause: &Value) -> Result<(String, Vec<String>)> {
let mut conditions = Vec::new();
let mut values = Vec::new();
if let Value::Object(map) = where_clause {
for (key, value) in map {
validate_column_name(key)?;
if value.is_null() {
// Handle NULL values with IS NULL
conditions.push(format!("{} IS NULL", key));
// Don't add to values since IS NULL doesn't need a parameter
} else {
conditions.push(format!("{} = ?", key));
values.push(json_to_sql_string(value));
}
}
} else {
anyhow::bail!("WHERE clause must be an object");
}
if conditions.is_empty() {
anyhow::bail!("WHERE clause cannot be empty");
}
Ok((conditions.join(" AND "), values))
}
/// Build ORDER BY clause with column validation
pub fn build_order_by_clause(order_by: &[OrderBy]) -> Result<String> {
if order_by.is_empty() {
return Ok(String::new());
}
let mut clauses = Vec::new();
for order in order_by {
validate_column_name(&order.column)?;
let direction = match order.direction {
OrderDirection::ASC => "ASC",
OrderDirection::DESC => "DESC",
};
clauses.push(format!("{} {}", order.column, direction));
}
Ok(format!(" ORDER BY {}", clauses.join(", ")))
}
/// Build JOIN clause from Join specifications
/// Validates table names and join conditions for security
pub fn build_join_clause(joins: &[crate::models::Join], config: &Config) -> Result<String> {
if joins.is_empty() {
return Ok(String::new());
}
let mut join_sql = String::new();
for join in joins {
// Extract base table and optional alias
let (base_table, alias) = parse_table_and_alias(&join.table);
// Validate joined base table name
validate_table_name(&base_table, config)?;
// Optionally validate alias format (same rules as table/column names)
if let Some(alias_name) = &alias {
let alias_regex =
Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]*$").context("Failed to compile alias regex")?;
if !alias_regex.is_match(alias_name) {
anyhow::bail!("Invalid table alias format: '{}'", alias_name);
}
}
// Validate join condition (must be in format "table1.column1 = table2.column2")
validate_join_condition(&join.on)?;
// Build JOIN clause based on type
let join_type_str = match join.join_type {
crate::models::JoinType::Inner => "INNER JOIN",
crate::models::JoinType::Left => "LEFT JOIN",
crate::models::JoinType::Right => "RIGHT JOIN",
};
// Reconstruct safe table reference
let table_ref = match alias {
Some(a) => format!("{} AS {}", base_table, a),
None => base_table,
};
join_sql.push_str(&format!(" {} {} ON {}", join_type_str, table_ref, join.on));
}
Ok(join_sql)
}
/// Validate JOIN ON condition
/// Must be in format: "table1.column1 = table2.column2" or similar simple conditions
fn validate_join_condition(condition: &str) -> Result<()> {
// Basic validation: must contain = and table.column references
if !condition.contains('=') {
anyhow::bail!("JOIN condition must contain = operator");
}
// Split by = and validate both sides
let parts: Vec<&str> = condition.split('=').map(|s| s.trim()).collect();
if parts.len() != 2 {
anyhow::bail!("JOIN condition must have exactly one = operator");
}
// Validate both sides are table.column format
for part in parts {
validate_table_column_reference(part)?;
}
Ok(())
}
/// Validate table.column reference (e.g., "assets.category_id")
fn validate_table_column_reference(reference: &str) -> Result<()> {
let parts: Vec<&str> = reference.split('.').collect();
if parts.len() != 2 {
anyhow::bail!(
"Table column reference must be in format 'table.column', got: {}",
reference
);
}
let table = parts[0].trim();
let column = parts[1].trim();
// Validate table and column names follow safe patterns
let name_regex =
Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]*$").context("Failed to compile name regex")?;
if !name_regex.is_match(table) {
anyhow::bail!("Invalid table name in JOIN condition: {}", table);
}
if !name_regex.is_match(column) {
anyhow::bail!("Invalid column name in JOIN condition: {}", column);
}
// Additional guard against comment/terminator tokens (redundant given regex, but safe)
// Intentionally do NOT block SQL keywords like CREATE/ALTER since identifiers like
// 'created_at' are legitimate and already validated by the regex above.
let dangerous_tokens = ["--", "/*", "*/", ";"];
for token in &dangerous_tokens {
if reference.contains(token) {
anyhow::bail!("JOIN condition contains forbidden token: '{}'", token);
}
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_validate_table_name() {
// Valid names
assert!(validate_column_name("users").is_ok());
assert!(validate_column_name("asset_id").is_ok());
assert!(validate_column_name("table123").is_ok());
// Invalid names
assert!(validate_column_name("123table").is_err()); // starts with number
assert!(validate_column_name("table-name").is_err()); // contains hyphen
assert!(validate_column_name("table name").is_err()); // contains space
assert!(validate_column_name("table;DROP").is_err()); // SQL injection
assert!(validate_column_name("").is_err()); // empty
}
#[test]
fn test_validate_column_name() {
// Valid names
assert!(validate_column_name("user_id").is_ok());
assert!(validate_column_name("firstName").is_ok());
assert!(validate_column_name("*").is_ok()); // wildcard allowed
// Invalid names
assert!(validate_column_name("123column").is_err());
assert!(validate_column_name("col-umn").is_err());
assert!(validate_column_name("col umn").is_err());
assert!(validate_column_name("").is_err());
}
}
|
