vibesql-cli 0.1.3

Command-line interface for vibesql SQL database
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

use std::{
    fs::File,
    io::{BufRead, BufReader},
};

use vibesql_storage::Database;

/// Validate table name to prevent SQL injection
/// Returns an error if the table doesn't exist in the database
pub fn validate_table_name(db: &Database, table_name: &str) -> anyhow::Result<()> {
    // Check if table exists in the database
    if db.get_table(table_name).is_none() {
        return Err(anyhow::anyhow!("Table '{}' does not exist", table_name));
    }
    Ok(())
}

/// Validate CSV column names against table schema to prevent SQL injection
/// Returns an error if columns don't match the table schema
pub fn validate_csv_columns(
    db: &Database,
    file_path: &str,
    table_name: &str,
) -> anyhow::Result<()> {
    // Get table schema
    let table = db
        .get_table(table_name)
        .ok_or_else(|| anyhow::anyhow!("Table '{}' does not exist", table_name))?;

    // Read CSV header
    let file = File::open(file_path)
        .map_err(|e| anyhow::anyhow!("Failed to open file '{}': {}", file_path, e))?;
    let reader = BufReader::new(file);
    let mut lines = reader.lines();

    let header_line = lines
        .next()
        .ok_or_else(|| anyhow::anyhow!("CSV file is empty"))?
        .map_err(|e| anyhow::anyhow!("Failed to read header: {}", e))?;

    let csv_columns: Vec<&str> = header_line.split(',').map(|s| s.trim()).collect();

    // Validate each column name
    for col_name in &csv_columns {
        // Check for SQL injection characters
        if col_name.contains(';')
            || col_name.contains('\'')
            || col_name.contains('"')
            || col_name.contains('(')
            || col_name.contains(')')
        {
            return Err(anyhow::anyhow!(
                "Invalid column name '{}': contains forbidden characters",
                col_name
            ));
        }

        // Check if column exists in table schema
        let column_exists =
            table.schema.columns.iter().any(|c| c.name.eq_ignore_ascii_case(col_name));

        if !column_exists {
            return Err(anyhow::anyhow!(
                "Column '{}' does not exist in table '{}'",
                col_name,
                table_name
            ));
        }
    }

    Ok(())
}

/// Validate JSON column names against table schema to prevent SQL injection
/// Returns an error if columns don't match the table schema
pub fn validate_json_columns(
    db: &Database,
    file_path: &str,
    table_name: &str,
) -> anyhow::Result<()> {
    use std::fs;

    // Get table schema
    let table = db
        .get_table(table_name)
        .ok_or_else(|| anyhow::anyhow!("Table '{}' does not exist", table_name))?;

    // Read JSON file
    let json_content = fs::read_to_string(file_path)
        .map_err(|e| anyhow::anyhow!("Failed to read file '{}': {}", file_path, e))?;

    // Parse as array of objects
    let json_array: Vec<serde_json::Map<String, serde_json::Value>> =
        serde_json::from_str(&json_content)
            .map_err(|e| anyhow::anyhow!("Invalid JSON format: {}", e))?;

    if json_array.is_empty() {
        return Err(anyhow::anyhow!("JSON file contains no data"));
    }

    // Extract column names from first object
    let first_obj = &json_array[0];
    let json_columns: Vec<&str> = first_obj.keys().map(|s| s.as_str()).collect();

    // Validate each column name
    for col_name in &json_columns {
        // Check for SQL injection characters
        if col_name.contains(';')
            || col_name.contains('\'')
            || col_name.contains('"')
            || col_name.contains('(')
            || col_name.contains(')')
        {
            return Err(anyhow::anyhow!(
                "Invalid column name '{}': contains forbidden characters",
                col_name
            ));
        }

        // Check if column exists in table schema
        let column_exists =
            table.schema.columns.iter().any(|c| c.name.eq_ignore_ascii_case(col_name));

        if !column_exists {
            return Err(anyhow::anyhow!(
                "Column '{}' does not exist in table '{}'",
                col_name,
                table_name
            ));
        }
    }

    Ok(())
}