elif_orm/

security.rs

//! Security utilities for SQL injection prevention
//! 
//! This module provides functions for:
//! - Escaping SQL identifiers (table names, column names)
//! - Validating identifier names
//! - Query pattern validation

use crate::error::ModelError;
use std::collections::HashSet;

/// Characters allowed in SQL identifiers (alphanumeric, underscore, dollar)
const ALLOWED_IDENTIFIER_CHARS: &str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$";

/// SQL keywords that must be escaped or rejected
static SQL_KEYWORDS: &[&str] = &[
    "SELECT", "INSERT", "UPDATE", "DELETE", "FROM", "WHERE", "JOIN", "UNION", 
    "DROP", "CREATE", "ALTER", "GRANT", "REVOKE", "TRUNCATE", "EXEC", "EXECUTE",
    "DECLARE", "CAST", "CONVERT", "SUBSTRING", "ASCII", "CHAR", "NCHAR",
    "SYSTEM", "USER", "SESSION_USER", "CURRENT_USER", "SUSER_NAME", "IS_MEMBER"
];

/// Escape a SQL identifier (table name, column name, etc.)
/// 
/// This function:
/// 1. Escapes any existing double quotes by doubling them
/// 2. Wraps the identifier in double quotes for safe SQL usage
/// 
/// This approach prioritizes escaping over validation - any identifier can be escaped safely.
/// 
/// # Arguments
/// * `identifier` - The identifier to escape
/// 
/// # Returns
/// * Escaped identifier safe for use in SQL
/// 
/// # Examples
/// ```
/// use elif_orm::security::escape_identifier;
/// 
/// assert_eq!(escape_identifier("user_table"), "\"user_table\"");
/// assert_eq!(escape_identifier("table\"name"), "\"table\"\"name\"");
/// ```
pub fn escape_identifier(identifier: &str) -> String {
    // Escape double quotes by doubling them
    let escaped = identifier.replace('\"', "\"\"");
    
    // Wrap in double quotes for PostgreSQL identifier escaping
    format!("\"{}\"", escaped)
}

/// Validate that an identifier is safe for use in SQL
/// 
/// # Arguments
/// * `identifier` - The identifier to validate
/// 
/// # Returns
/// * Ok(()) if valid, Err(ModelError) if invalid
pub fn validate_identifier(identifier: &str) -> Result<(), ModelError> {
    // Check for empty identifier
    if identifier.is_empty() {
        return Err(ModelError::Validation(
            "Identifier cannot be empty".to_string()
        ));
    }

    // Check length (PostgreSQL limit is 63 characters)
    if identifier.len() > 63 {
        return Err(ModelError::Validation(
            format!("Identifier '{}' is too long (max 63 characters)", identifier)
        ));
    }

    // Check for allowed characters only
    for c in identifier.chars() {
        if !ALLOWED_IDENTIFIER_CHARS.contains(c) {
            return Err(ModelError::Validation(
                format!("Identifier '{}' contains invalid character '{}'", identifier, c)
            ));
        }
    }

    // Check that it doesn't start with a number
    if identifier.chars().next().unwrap().is_ascii_digit() {
        return Err(ModelError::Validation(
            format!("Identifier '{}' cannot start with a number", identifier)
        ));
    }

    // Check against SQL keywords (case insensitive)
    let upper_identifier = identifier.to_uppercase();
    if SQL_KEYWORDS.contains(&upper_identifier.as_str()) {
        return Err(ModelError::Validation(
            format!("Identifier '{}' is a reserved SQL keyword", identifier)
        ));
    }

    Ok(())
}

/// Validate query pattern to prevent dangerous SQL constructs
/// 
/// # Arguments
/// * `sql` - The SQL query to validate
/// 
/// # Returns
/// * Ok(()) if safe, Err(ModelError) if potentially dangerous
pub fn validate_query_pattern(sql: &str) -> Result<(), ModelError> {
    let sql_upper = sql.to_uppercase();
    
    // Check for multiple statements (semicolon not at the end)
    let semicolon_positions: Vec<_> = sql.match_indices(';').collect();
    if semicolon_positions.len() > 1 || 
       (semicolon_positions.len() == 1 && semicolon_positions[0].0 != sql.trim().len() - 1) {
        return Err(ModelError::Validation(
            "Multiple SQL statements not allowed".to_string()
        ));
    }

    // Check for dangerous patterns
    let dangerous_patterns = [
        "EXEC ", "EXECUTE ", "SP_", "XP_", "OPENROWSET", "OPENDATASOURCE",
        "BULK INSERT", "BCP ", "SQLCMD", "OSQL", "ISQL",
        "UNION ALL SELECT", "UNION SELECT", "'; --", "'/*", "*/'",
        "INFORMATION_SCHEMA", "SYS.", "SYSOBJECTS", "SYSCOLUMNS"
    ];

    for pattern in &dangerous_patterns {
        if sql_upper.contains(pattern) {
            return Err(ModelError::Validation(
                format!("Query contains potentially dangerous pattern: {}", pattern)
            ));
        }
    }

    Ok(())
}

/// Validate parameter value to prevent injection through parameters
/// 
/// With the escape-focused approach, parameter validation is minimal since
/// parameters are properly parameterized and escaped by the database driver.
/// 
/// # Arguments
/// * `value` - The parameter value to validate
/// 
/// # Returns
/// * Ok(()) if safe, Err(ModelError) if potentially dangerous
pub fn validate_parameter(value: &str) -> Result<(), ModelError> {
    // Check for extremely long parameters (potential DoS)
    if value.len() > 65536 { // 64KB limit
        return Err(ModelError::Validation(
            "Parameter value too large (max 64KB)".to_string()
        ));
    }

    // With proper parameterization, most content is safe
    // Only reject if there are genuine protocol-level risks
    
    Ok(())
}

/// Create a whitelist-based identifier validator
/// 
/// This creates a validator that only allows specific identifiers from a predefined list.
/// Useful for table names and column names that should be strictly controlled.
pub struct IdentifierWhitelist {
    allowed: HashSet<String>,
}

impl IdentifierWhitelist {
    /// Create a new whitelist validator
    pub fn new(allowed_identifiers: Vec<&str>) -> Self {
        let allowed = allowed_identifiers.into_iter()
            .map(|s| s.to_string())
            .collect();
        Self { allowed }
    }

    /// Validate that an identifier is in the whitelist
    pub fn validate(&self, identifier: &str) -> Result<(), ModelError> {
        if self.allowed.contains(identifier) {
            Ok(())
        } else {
            Err(ModelError::Validation(
                format!("Identifier '{}' is not in the allowed whitelist", identifier)
            ))
        }
    }

    /// Get escaped identifier if it's in the whitelist
    pub fn escape_if_allowed(&self, identifier: &str) -> Result<String, ModelError> {
        self.validate(identifier)?;
        Ok(escape_identifier(identifier))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_escape_identifier() {
        assert_eq!(escape_identifier("user_table"), "\"user_table\"");
        assert_eq!(escape_identifier("table\"name"), "\"table\"\"name\"");
        assert_eq!(escape_identifier("simple"), "\"simple\"");
    }

    #[test]
    fn test_validate_identifier() {
        assert!(validate_identifier("user_table").is_ok());
        assert!(validate_identifier("table1").is_ok());
        assert!(validate_identifier("_private").is_ok());
        
        assert!(validate_identifier("").is_err());
        assert!(validate_identifier("1table").is_err());
        assert!(validate_identifier("table-name").is_err());
        assert!(validate_identifier("table name").is_err());
        assert!(validate_identifier("SELECT").is_err());
        assert!(validate_identifier("select").is_err());
    }

    #[test]
    fn test_validate_query_pattern() {
        assert!(validate_query_pattern("SELECT * FROM users").is_ok());
        assert!(validate_query_pattern("INSERT INTO users VALUES ($1, $2)").is_ok());
        
        assert!(validate_query_pattern("SELECT * FROM users; DROP TABLE users").is_err());
        assert!(validate_query_pattern("SELECT * FROM users UNION SELECT * FROM secrets").is_err());
        assert!(validate_query_pattern("EXEC sp_executesql 'SELECT * FROM users'").is_err());
    }

    #[test]
    fn test_validate_parameter() {
        assert!(validate_parameter("normal value").is_ok());
        assert!(validate_parameter("123").is_ok());
        assert!(validate_parameter("user@example.com").is_ok());
        // Parameters with SQL-like content are OK since they'll be parameterized
        assert!(validate_parameter("'; DROP TABLE users; --").is_ok());
        assert!(validate_parameter("UNION SELECT").is_ok());
        
        // With escape-focused approach, null bytes are also OK
        assert!(validate_parameter("value with \0 null byte").is_ok());
    }

    #[test]
    fn test_identifier_whitelist() {
        let whitelist = IdentifierWhitelist::new(vec!["users", "posts", "comments"]);
        
        assert!(whitelist.validate("users").is_ok());
        assert!(whitelist.validate("posts").is_ok());
        assert!(whitelist.validate("admin_table").is_err());
        
        assert_eq!(whitelist.escape_if_allowed("users").unwrap(), "\"users\"");
        assert!(whitelist.escape_if_allowed("hacker_table").is_err());
    }
}