sqlite: read & write keywords

2024-12-18 22:21:50 +03:00 · 2023-12-20 15:55:15 -03:00 · 2023-12-20 15:55:15 -03:00 · 060a0a0a94
commit 060a0a0a94
parent 3b48b0cb63
1 changed files with 40 additions and 1 deletions
--- a/src/sqlite.rs
+++ b/src/sqlite.rs
@ -2,13 +2,33 @@ use anyhow::Result;
 use dashmap::DashMap;
 use rusqlite::types::{FromSql, FromSqlError, ToSql, ValueRef};
 use rusqlite::Connection;
-use std::collections::{HashMap, VecDeque};
+use std::collections::{HashMap, HashSet, VecDeque};
 use std::sync::Arc;
 use tokio::fs;
 use tokio::sync::Mutex;

 use crate::types::*;

+lazy_static::lazy_static! {
+    static ref READ_KEYWORDS: HashSet<String> = {
+        let mut set = HashSet::new();
+        let keywords = ["ANALYZE", "ATTACH", "BEGIN", "EXPLAIN", "PRAGMA", "SELECT", "VALUES", "WITH"];
+        for &keyword in &keywords {
+            set.insert(keyword.to_string());
+        }
+        set
+    };
+
+    static ref WRITE_KEYWORDS: HashSet<String> = {
+        let mut set = HashSet::new();
+        let keywords = ["ALTER", "ANALYZE", "COMMIT", "CREATE", "DELETE", "DETACH", "DROP", "END", "INSERT", "REINDEX", "RELEASE", "RENAME", "REPLACE", "ROLLBACK", "SAVEPOINT", "UPDATE", "VACUUM"];
+        for &keyword in &keywords {
+            set.insert(keyword.to_string());
+        }
+        set
+    };
+}
+
 pub async fn sqlite(
    our_node: String,
    send_to_loop: MessageSender,
@ -57,6 +77,7 @@ pub async fn sqlite(
                let send_to_terminal = send_to_terminal.clone();
                let send_to_loop = send_to_loop.clone();
                let open_dbs = open_dbs.clone();
+
                let txs = txs.clone();
                let sqlite_path = sqlite_path.clone();

@ -149,6 +170,14 @@ async fn handle_request(
                }
            };
            let db = db.lock().await;
+            let first_word = query
+                .split_whitespace()
+                .next()
+                .map(|word| word.to_uppercase())
+                .unwrap_or("".to_string());
+            if !READ_KEYWORDS.contains(&first_word) {
+                return Err(SqliteError::NotAReadKeyword.into());
+            }

            let parameters = get_json_params(payload)?;

@ -196,6 +225,16 @@ async fn handle_request(
            };
            let db = db.lock().await;

+            let first_word = statement
+                .split_whitespace()
+                .next()
+                .map(|word| word.to_uppercase())
+                .unwrap_or("".to_string());
+
+            if !WRITE_KEYWORDS.contains(&first_word) {
+                return Err(SqliteError::NotAWriteKeyword.into());
+            }
+
            let parameters = get_json_params(payload)?;

            match tx_id {