diesel-guard 0.10.0

Linter for dangerous Postgres migration patterns in Diesel and SQLx. Prevents downtime caused by unsafe schema changes.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

//! Detection for DELETE and UPDATE statements with no WHERE clause.
//!
//! A `DELETE FROM table` or `UPDATE table SET ...` without a WHERE clause affects every row
//! in the table. In a migration this is almost always a mistake — a forgotten filter rather
//! than intentional bulk mutation. The ROW EXCLUSIVE
//! lock held for a full-table write can cause severe contention on large tables.

use crate::checks::pg_helpers::{NodeEnum, range_var_name};
use crate::checks::{Check, Config, MigrationContext};
use crate::violation::Violation;
use pg_query::protobuf::RangeVar;

pub struct MutationWithoutWhereCheck;

impl Check for MutationWithoutWhereCheck {
    fn check(&self, node: &NodeEnum, _config: &Config, _ctx: &MigrationContext) -> Vec<Violation> {
        match node {
            NodeEnum::DeleteStmt(stmt) => check_mutation(
                stmt.where_clause.is_some(),
                stmt.relation.as_ref(),
                "DELETE without WHERE",
                |table| {
                    format!(
                        "DELETE on '{table}' has no WHERE clause and will remove every row in the \
                        table. This is almost always a mistake in a migration. The lock held for \
                        a full-table delete can cause severe contention on large tables."
                    )
                },
                |table| {
                    format!(
                        "Add a WHERE clause to target only the rows you intend to remove:\n\n\
                        DELETE FROM {table} WHERE <condition>;\n\n\
                        If a full-table delete is intentional, wrap it in a safety-assured block:\n\n  \
                        -- safety-assured:start\n  \
                        -- Safe because: table is a temporary staging table, always empty in production\n  \
                        DELETE FROM {table};\n  \
                        -- safety-assured:end"
                    )
                },
            ),
            NodeEnum::UpdateStmt(stmt) => check_mutation(
                stmt.where_clause.is_some(),
                stmt.relation.as_ref(),
                "UPDATE without WHERE",
                |table| {
                    format!(
                        "UPDATE on '{table}' has no WHERE clause and will modify every row in the \
                        table. This is almost always a mistake in a migration. A full-table update \
                        holds a ROW EXCLUSIVE lock for the duration and rewrites every row, which \
                        can cause severe contention and bloat on large tables."
                    )
                },
                |table| {
                    format!(
                        "Add a WHERE clause to target only the rows you intend to update:\n\n\
                        UPDATE {table} SET ... WHERE <condition>;\n\n\
                        If updating every row is intentional (e.g. a one-time backfill), \
                        add a safety-assured block:\n\n  \
                        -- safety-assured:start\n  \
                        -- Safe because: one-time backfill, table has fewer than 10k rows\n  \
                        UPDATE {table} SET ...;\n  \
                        -- safety-assured:end"
                    )
                },
            ),
            _ => vec![],
        }
    }
}

fn check_mutation(
    where_clause_present: bool,
    relation: Option<&RangeVar>,
    operation: &'static str,
    problem: impl FnOnce(&str) -> String,
    safe_alternative: impl FnOnce(&str) -> String,
) -> Vec<Violation> {
    if where_clause_present {
        return vec![];
    }
    let table = relation.map(range_var_name).unwrap_or_default();
    vec![Violation::new(
        operation,
        problem(&table),
        safe_alternative(&table),
    )]
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::{assert_allows, assert_detects_violation};

    #[test]
    fn test_detects_delete_without_where() {
        assert_detects_violation!(
            MutationWithoutWhereCheck,
            "DELETE FROM users;",
            "DELETE without WHERE"
        );
    }

    #[test]
    fn test_detects_update_without_where() {
        assert_detects_violation!(
            MutationWithoutWhereCheck,
            "UPDATE users SET active = false;",
            "UPDATE without WHERE"
        );
    }

    #[test]
    fn test_allows_delete_with_where() {
        assert_allows!(MutationWithoutWhereCheck, "DELETE FROM users WHERE id = 1;");
    }

    #[test]
    fn test_allows_update_with_where() {
        assert_allows!(
            MutationWithoutWhereCheck,
            "UPDATE users SET active = false WHERE last_login < '2020-01-01';"
        );
    }

    #[test]
    fn test_ignores_truncate() {
        assert_allows!(MutationWithoutWhereCheck, "TRUNCATE TABLE users;");
    }

    #[test]
    fn test_ignores_select() {
        assert_allows!(MutationWithoutWhereCheck, "SELECT * FROM users;");
    }

    #[test]
    fn test_ignores_insert() {
        assert_allows!(
            MutationWithoutWhereCheck,
            "INSERT INTO users (name) VALUES ('alice');"
        );
    }
}