Thanks to visit codestin.com
Credit goes to Github.com

Skip to content

fix: rename explainQuery to unsafeExplainQuery, implement and use safeExplainQuery#225

Merged
divyenduz merged 7 commits intomainfrom
unsafe_explain
Sep 26, 2025
Merged

fix: rename explainQuery to unsafeExplainQuery, implement and use safeExplainQuery#225
divyenduz merged 7 commits intomainfrom
unsafe_explain

Conversation

@divyenduz
Copy link
Contributor

@divyenduz divyenduz commented Sep 25, 2025
edited
Loading

Related discussion #223

We already improved it in #224, this PR makes it more secure by

  1. Renaming explainQuery to unsafeExplainQuery while the single query check and transaction wrapping is pretty secure already, there might be edge cases where a query escapes the designated boundaries. Therefore, we rename the tool to unsafeExplainQuery
  2. Create a new tool called safeExplainQuery, this operates on queryId and fetches the actual SQL from pg_stat_statements table itself thereby eliminating the code path that can lead to any SQL injection. This is done in the following stacked PR Implement safe explain #226
  3. Use the new safeExplainQuery tool instead of unsafeExplainQuery, to make it work, we had to additionally return queryId from getSlowQueries tool in addition to the slow SQL query. This is done in the following stacked PR Use safe explain tool #227

@vercel
Copy link
Contributor

vercel bot commented Sep 25, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Updated (UTC)
agent Ready Ready Preview Sep 26, 2025 5:48pm

This was referenced Sep 25, 2025
Merged
Merged
@divyenduz divyenduz marked this pull request as ready for review September 25, 2025 19:44
divyenduz added a commit that referenced this pull request Sep 26, 2025
@divyenduz
Use safe explain tool (#227)
e4d4887 
See #225
@divyenduz divyenduz enabled auto-merge September 26, 2025 17:46
@divyenduz divyenduz added this pull request to the merge queue Sep 26, 2025
Merged via the queue into main with commit e330e8c Sep 26, 2025
6 checks passed
@divyenduz divyenduz deleted the unsafe_explain branch September 26, 2025 17:51
@divyenduz divyenduz changed the title fix: rename explainQuery to unsafeExplainQuery fix: rename explainQuery to unsafeExplainQuery, implement and use safeExplainQuery Sep 26, 2025
@divyenduz divyenduz mentioned this pull request Sep 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tsg tsg tsg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@divyenduz @tsg