feat(week1): complete foundation - schema, migrations, enhanced SQL, sanitizer

src/lib/db/sanitizer.ts

@@ -0,0 +1,135 @@
+/**
+ * SQL Sanitizer - The Last Line of Defense
+ * Validates raw SQL before execution to prevent catastrophic accidents
+ */
+
+export interface SanitizationResult {
+    safe: boolean;
+    warnings: string[];
+    blocked?: string;
+}
+
+// Dangerous patterns that should NEVER be allowed
+const BLOCKED_PATTERNS = [
+    /DROP\s+DATABASE/i,
+    /DROP\s+SCHEMA/i,
+    /ALTER\s+USER/i,
+    /ALTER\s+ROLE/i,
+    /CREATE\s+USER/i,
+    /CREATE\s+ROLE/i,
+    /GRANT\s+.*\s+TO/i,
+    /REVOKE\s+.*\s+FROM/i,
+];
+
+// Patterns that require special attention
+const WARNING_PATTERNS = [
+    { pattern: /TRUNCATE/i, message: 'TRUNCATE detected - use with caution' },
+    { pattern: /DROP\s+TABLE/i, message: 'DROP TABLE detected - irreversible' },
+    { pattern: /DELETE\s+FROM\s+\w+\s*;/i, message: 'DELETE without WHERE clause - will delete ALL rows' },
+    { pattern: /UPDATE\s+\w+\s+SET\s+.*\s*;/i, message: 'UPDATE without WHERE clause - will update ALL rows' },
+];
+
+/**
+ * Validate table name is safe (alphanumeric + underscores only)
+ */
+export function validateTableName(tableName: string): boolean {
+    return /^[a-zA-Z0-9_]+$/.test(tableName);
+}
+
+/**
+ * Sanitize raw SQL before execution
+ */
+export function sanitizeSQL(sql: string): SanitizationResult {
+    const trimmed = sql.trim();
+    const warnings: string[] = [];
+
+    // Check for blocked patterns
+    for (const pattern of BLOCKED_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            return {
+                safe: false,
+                warnings: [],
+                blocked: `Blocked dangerous command: ${pattern.source}`
+            };
+        }
+    }
+
+    // Check for warning patterns
+    for (const { pattern, message } of WARNING_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            warnings.push(message);
+        }
+    }
+
+    // Validate table names in common operations
+    const tableMatches = trimmed.match(/(?:FROM|INTO|UPDATE|TRUNCATE|DROP TABLE)\s+([a-zA-Z0-9_]+)/gi);
+    if (tableMatches) {
+        for (const match of tableMatches) {
+            const tableName = match.split(/\s+/).pop() || '';
+            if (!validateTableName(tableName)) {
+                return {
+                    safe: false,
+                    warnings: [],
+                    blocked: `Invalid table name: ${tableName}`
+                };
+            }
+        }
+    }
+
+    return {
+        safe: true,
+        warnings
+    };
+}
+
+/**
+ * Extract table names from SQL query
+ */
+export function extractTableNames(sql: string): string[] {
+    const matches = sql.match(/(?:FROM|INTO|UPDATE|TRUNCATE|DROP TABLE)\s+([a-zA-Z0-9_]+)/gi);
+    if (!matches) return [];
+
+    return matches.map(m => m.split(/\s+/).pop() || '').filter(Boolean);
+}
+
+/**
+ * Check if SQL contains WHERE clause
+ */
+export function hasWhereClause(sql: string): boolean {
+    return /WHERE\s+/i.test(sql);
+}
+
+/**
+ * More permissive check for maintenance window
+ * Used when run_mechanic flag is set
+ */
+export function sanitizeSQLForMaintenance(sql: string): SanitizationResult {
+    const trimmed = sql.trim();
+    const warnings: string[] = [];
+
+    // Still block the most dangerous commands
+    const criticalPatterns = [
+        /DROP\s+DATABASE/i,
+        /DROP\s+SCHEMA/i,
+        /ALTER\s+USER/i,
+        /CREATE\s+USER/i,
+    ];
+
+    for (const pattern of criticalPatterns) {
+        if (pattern.test(trimmed)) {
+            return {
+                safe: false,
+                warnings: [],
+                blocked: `Blocked critical command even in maintenance mode: ${pattern.source}`
+            };
+        }
+    }
+
+    // Allow TRUNCATE and DROP TABLE in maintenance mode
+    warnings.push('Maintenance mode: dangerous operations allowed');
+
+    return {
+        safe: true,
+        warnings
+    };
+}