## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Refactor / type safety improvement
## What is the current behavior?
The legacy log query stack (`genDefaultQuery`, `genCountQuery`,
`genChartQuery`, `genWhereStatement`, `useLogsPreview`, `useSingleLog`)
builds SQL from raw strings with no type-level guarantee that values are
safely interpolated. Identifier helpers (`bqIdent`, `bqDottedIdent`,
`clickhouseIdent`, `clickhouseDottedIdent`) are duplicated across
BigQuery and ClickHouse variants, and `bqDottedIdent` wraps the entire
dotted path in one backtick pair (`` `request.pathname` ``), which
BigQuery treats as a literal column name rather than a UNNEST alias
field — causing runtime query failures on dotted filter keys.
## What is the new behavior?
- All gen functions return `SafeLogSqlFragment` and all callers route
through `executeAnalyticsSql`, enforcing compile-time SQL provenance
tracking across the legacy stack.
- `bqIdent` / `bqDottedIdent` / `clickhouseIdent` /
`clickhouseDottedIdent` are replaced by a single `quotedIdent` function
that backtick-quotes each segment individually (e.g. ``
`request`.`pathname` ``). ClickHouse natively accepts backticks, so one
function serves both engines and the dotted-path quoting bug is fixed.
- `SQL_FILTER_TEMPLATES` entries are converted to `SafeLogSqlFragment`
(static via `safeSql`, dynamic via `safeSql` + `analyticsLiteral`).
- `buildWhereClauses` is extracted as a private helper returning
`SafeLogSqlFragment[]` so the pg_cron path can merge clauses without
unsafe slice-and-cast.
## Additional context
## Summary by CodeRabbit
* **Refactor**
  * Logs query generation migrated to safer, engine-agnostic SQL
    fragments, typed filter templates, and unified identifier quoting for
    stronger injection protection and more consistent queries.
  * Logs preview and single-log retrieval now execute analytics SQL
    end-to-end using the unified executor.
* **New Features**
  * Analytics SQL executor can call the backend via GET or POST and
    accepts method selection.
* **Tests**
  * Updated tests to validate unified identifier quoting and safe-SQL
    helper behavior.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Feature - Security infrastructure
## What is the current behavior?
Analytics queries (BigQuery for legacy cloud, ClickHouse for self-hosted
OTEL) lack a compile-time safety model to prevent SQL injection from
untrusted input sources like URL parameters, UI inputs, or LLM output.
## What is the new behavior?
Implement a security model with a branded type `SafeLogSqlFragment` that
ensures all SQL fragments originate from either static code or
sanitization helpers. This includes:
- `analyticsLiteral()` for escaping string/number/boolean values
- `bqIdent()` and `clickhouseIdent()` for quoting identifiers with
engine-specific syntax
- `safeSql` template tag for composing fragments safely
- `executeAnalyticsSql()` wire boundary that rejects plain strings at
compile time
The pattern prevents cross-engine confusion by keeping
`SafeLogSqlFragment` (analytics) distinct from pg-meta's
`SafeSqlFragment` (Postgres).
## Additional context
## Summary by CodeRabbit
* **New Features**
  * Introduced analytics SQL execution capabilities with built-in safety
    validation for queries.
  * Enhanced query robustness through keyword and identifier validation
    mechanisms.
  * Improved error handling and reporting for analytics operations.
* **Tests**
  * Added comprehensive test suite for analytics SQL safety and validation
    utilities.
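The two ideas in these PR descriptions, a branded fragment type enforced at the wire boundary and per-segment identifier quoting, sketched as an added example that is not Supabase's code. The function names come from the PR text; the bodies, the identifier allow-list, the escaping rule, the `edge_logs` table and `plainStringAtBoundary` are assumptions made for illustration.

```typescript
// Added illustration: names follow the PR text; bodies are assumptions.
type SafeLogSqlFragment = string & { readonly __brand: 'SafeLogSqlFragment' }

// The only cast lives here; a real module would keep this helper private.
const brand = (s: string) => s as SafeLogSqlFragment

// Each dotted segment is quoted on its own: `request`.`pathname`,
// not `request.pathname` (the single-pair form the first PR describes as a bug).
// Assumption: segments are limited to [A-Za-z_][A-Za-z0-9_]*.
function quotedIdent(path: string): SafeLogSqlFragment {
  const segments = path.split('.')
  for (const seg of segments) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(seg)) throw new Error('invalid identifier segment')
  }
  return brand(segments.map((seg) => '`' + seg + '`').join('.'))
}

// Assumption: \ and ' are backslash-escaped inside single-quoted strings.
function analyticsLiteral(value: string | number | boolean): SafeLogSqlFragment {
  if (typeof value === 'boolean') return brand(value ? 'TRUE' : 'FALSE')
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new Error('non-finite number')
    return brand(String(value))
  }
  return brand("'" + value.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'")
}

// Template tag: every interpolation must already be a fragment.
function safeSql(strings: TemplateStringsArray, ...parts: SafeLogSqlFragment[]): SafeLogSqlFragment {
  return brand(strings.reduce((out, s, i) => out + s + (parts[i] ?? ''), ''))
}

// Stand-in for the wire boundary: returns the text instead of calling a backend.
function executeAnalyticsSql(sql: SafeLogSqlFragment): string {
  return sql
}

// Constructed query; `edge_logs` and `id` are sample names.
function buildFilterQuery(key: string, value: string): string {
  const where = safeSql`${quotedIdent(key)} = ${analyticsLiteral(value)}`
  return executeAnalyticsSql(safeSql`SELECT id FROM edge_logs WHERE ${where}`)
}

function plainStringAtBoundary(untrusted: string): string {
  // @ts-expect-error a plain string is not a SafeLogSqlFragment
  return executeAnalyticsSql("SELECT id FROM edge_logs WHERE path = '" + untrusted + "'")
}
```

The brand is erased at runtime, so the guarantee holds only while every cast to `SafeLogSqlFragment` stays inside the helper module.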