PublicArchive/supabase
2
0
Fork 0
mirror of https://github.com/supabase/supabase.git synced 2026-05-06 17:00:27 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
0433eeb5f5cc6c41b80c85793a3b7be1fc976119
supabase/apps/studio/components/interfaces/QueryPerformance/useQueryPerformanceQuery.test.ts
T
Jordi Enric c689e91160 fix(observability): guard pg_stat_statements queries against missing extension FE-2843 (#44357) 
## Problem

On self-hosted Supabase instances where the `pg_stat_statements`
extension is not installed, the Observability Overview page
automatically queries the extension on every page load. This produces
"relation pg_stat_statements does not exist" errors in Postgres logs for
all projects without the extension. Additionally, if a user navigated to
the Query Performance page, they received a generic error with no
actionable guidance. A secondary issue allowed malformed sort URL params
(e.g. `?sort=created_at:asc&order=asc`) to be interpolated directly into
SQL ORDER BY clauses.

## Fix

- Wrapped the `useSlowQueriesCount` SQL in a `CASE WHEN EXISTS (SELECT 1
FROM pg_extension WHERE extname = 'pg_stat_statements')` guard. The
query now returns 0 silently instead of erroring when the extension is
absent.
- Added a `VALID_SORT_COLUMNS` whitelist in
`generateQueryPerformanceSql`. Invalid column names from URL params are
rejected and the query falls back to the preset default ORDER BY.
- When the Query Performance page fails because `pg_stat_statements`
does not exist, a `warning` admonition now appears with "Enable it in
Database -> Extensions" guidance instead of a generic destructive error.
The Sentry capture is skipped for this expected configuration state.
- Extracted `buildSlowQueriesCountSql` as a testable function and added
unit tests for both fixes.

## How to test

**Extension not installed (self-hosted):**
1. Run a self-hosted Supabase instance without the `pg_stat_statements`
extension enabled.
2. Navigate to the Observability Overview page.
3. Check Postgres logs -- no "relation pg_stat_statements does not
exist" errors should appear.
4. Navigate to the Query Performance page.
5. Expected: a yellow warning admonition appears saying the extension is
not enabled, with a link to Database -> Extensions. No red error.

**Extension installed (normal flow):**
1. With `pg_stat_statements` installed, navigate to Observability
Overview.
2. Expected: slow queries count loads as normal.
3. Navigate to Query Performance -- data loads as normal.

**Invalid sort URL param:**
1. Navigate to
`/project/<ref>/observability/query-performance?sort=created_at:asc&order=asc`.
2. Expected: the page loads and falls back to the default sort order
(total time descending). No SQL error in logs.

**Unit tests:**
```
node apps/studio/node_modules/vitest/dist/cli.js run --no-coverage \
  apps/studio/components/interfaces/Observability/useSlowQueriesCount.test.ts \
  apps/studio/components/interfaces/QueryPerformance/useQueryPerformanceQuery.test.ts
```
All 28 tests should pass.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 17:23:39 +02:00

222 lines
7.3 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from 'vitest'
import { QueryPerformanceSort } from './QueryPerformance.types'
import { generateQueryPerformanceSql } from './useQueryPerformanceQuery'
describe('generateQueryPerformanceSql', () => {
it('generates sql with no filters', () => {
const result = generateQueryPerformanceSql({ preset: 'mostFrequentlyInvoked' })
expect(result.sql).toBeDefined()
expect(result.whereSql).toBe('')
expect(result.orderBySql).toBeUndefined()
})
it('generates ORDER BY clause', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
orderBy: { column: 'calls', order: 'desc' },
})
expect(result.orderBySql).toBe('ORDER BY calls desc')
})
it('filters by roles', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
roles: ['postgres', 'anon'],
})
expect(result.whereSql).toContain("auth.rolname in ('postgres', 'anon')")
})
it('filters by search query', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
searchQuery: 'SELECT',
})
expect(result.whereSql).toContain("statements.query ~* 'SELECT'")
})
it('filters by dashboard source only', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
sources: ['dashboard'],
})
expect(result.whereSql).toContain("statements.query ~* 'source: dashboard'")
})
it('filters by non-dashboard source only', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
sources: ['non-dashboard'],
})
expect(result.whereSql).toContain("statements.query !~* 'source: dashboard'")
})
it('does not add source filter when both sources are selected', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
sources: ['dashboard', 'non-dashboard'],
})
expect(result.whereSql).not.toContain('source: dashboard')
})
it('filters by minimum calls', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
minCalls: 10,
})
expect(result.whereSql).toContain('statements.calls >= 10')
})
it('does not filter by minCalls when 0', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
minCalls: 0,
})
expect(result.whereSql).not.toContain('statements.calls')
})
it('filters by minimum total time', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
minTotalTime: 500,
})
expect(result.whereSql).toContain(
'(statements.total_exec_time + statements.total_plan_time) >= 500'
)
})
it('combines multiple WHERE conditions with AND', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
roles: ['postgres'],
searchQuery: 'SELECT',
minCalls: 5,
})
expect(result.whereSql).toContain("auth.rolname in ('postgres')")
expect(result.whereSql).toContain("statements.query ~* 'SELECT'")
expect(result.whereSql).toContain('statements.calls >= 5')
expect(result.whereSql.split(' AND ').length).toBe(3)
})
it('passes WHERE clause to base sql function', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
roles: ['postgres'],
})
expect(result.sql).toContain('WHERE')
})
it('does not include user-defined WHERE conditions when no filters set', () => {
const result = generateQueryPerformanceSql({ preset: 'mostFrequentlyInvoked' })
expect(result.whereSql).toBe('')
// The base SQL may still contain its own WHERE clause (e.g. statements.calls > 0)
// but the user-defined whereSql should be empty
})
it('passes runIndexAdvisor and filterIndexAdvisor flags', () => {
const resultWithAdvisor = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
runIndexAdvisor: true,
filterIndexAdvisor: true,
})
expect(resultWithAdvisor.sql).toBeDefined()
})
it('works with different presets', () => {
const presets = [
'mostFrequentlyInvoked',
'mostTimeConsuming',
'slowestExecutionTime',
'queryHitRate',
'unified',
] as const
for (const preset of presets) {
const result = generateQueryPerformanceSql({ preset })
expect(result.sql).toBeDefined()
}
})
it('clamps page=0 to page=1 (no negative offset)', () => {
const result = generateQueryPerformanceSql({ preset: 'unified', page: 0, pageSize: 20 })
expect(result.sql).toContain('offset 0')
expect(result.sql).not.toMatch(/offset -\d/)
})
it('clamps negative page to page=1', () => {
const result = generateQueryPerformanceSql({ preset: 'unified', page: -5, pageSize: 20 })
expect(result.sql).toContain('offset 0')
})
it('clamps pageSize above 100 to 100', () => {
const result = generateQueryPerformanceSql({ preset: 'unified', page: 1, pageSize: 9999 })
expect(result.sql).toContain('limit 100')
expect(result.sql).not.toContain('limit 9999')
})
it('applies LIMIT and OFFSET for page 2', () => {
const result = generateQueryPerformanceSql({ preset: 'unified', page: 2, pageSize: 20 })
expect(result.sql).toContain('limit 20 offset 20')
})
it('does not produce NaN in SQL when page is NaN', () => {
const result = generateQueryPerformanceSql({ preset: 'unified', page: NaN, pageSize: 20 })
expect(result.sql).not.toContain('NaN')
expect(result.sql).toContain('offset 0')
})
it('does not produce NaN in SQL when pageSize is NaN', () => {
const result = generateQueryPerformanceSql({ preset: 'unified', page: 1, pageSize: NaN })
expect(result.sql).not.toContain('NaN')
expect(result.sql).toContain('limit 20')
})
})
describe('generateQueryPerformanceSql - ORDER BY column validation', () => {
it('rejects invalid orderBy column containing colon (old URL format)', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
orderBy: { column: 'created_at:asc' as any, order: 'desc' },
})
expect(result.orderBySql).toBeUndefined()
})
it('rejects SQL injection in orderBy column', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
orderBy: { column: 'calls; DROP TABLE users--' as any, order: 'asc' },
})
expect(result.orderBySql).toBeUndefined()
expect(result.sql).not.toContain('DROP TABLE')
})
it('falls back to default ORDER BY when column is invalid', () => {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
orderBy: { column: 'created_at:asc' as any, order: 'asc' },
})
expect(result.sql).toContain('order by statements.calls desc')
})
it('accepts all valid sort columns', () => {
const columns: QueryPerformanceSort['column'][] = [
'query',
'rolname',
'total_time',
'prop_total_time',
'calls',
'avg_rows',
'max_time',
'mean_time',
'min_time',
]
for (const column of columns) {
const result = generateQueryPerformanceSql({
preset: 'mostFrequentlyInvoked',
orderBy: { column, order: 'asc' },
})
expect(result.orderBySql).toBe(`ORDER BY ${column} asc`)
}
})
})
Reference in New Issue View Git Blame Copy Permalink