Documentation
¶
Index ¶
- Variables
- func EnsureReadOnly(kind config.DBKind, sql string) error
- func IsWhitelisted(ctx context.Context) bool
- func WithWhitelist(ctx context.Context) context.Context
- type DeleteWithoutWhereRule
- type DropStatementRule
- type Guard
- type GuardError
- type Rule
- type TruncateStatementRule
- type UpdateWithoutWhereRule
- type Violation
Constants ¶
This section is empty.
Variables ¶
Functions ¶
func EnsureReadOnly ¶ added in v0.28.0
EnsureReadOnly verifies that sql consists solely of read-only statements (SELECT/SHOW/DESCRIBE) for the given dialect. Unlike Check it fails closed: a parse error, an empty statement list, or any non-read statement returns an error. It also rejects data-modifying CTEs (e.g. WITH x AS (DELETE ... RETURNING ...) SELECT ...), whose top-level type is SELECT but which execute writes, and dialect-specific side-effecting functions (see dangerousFunctionsByKind). It is intended for surfaces that execute caller-supplied SQL, such as the MCP database query tool. kind selects which dangerous-function denylist applies.
func IsWhitelisted ¶
IsWhitelisted returns true if the context is marked to skip SQL guard checks.
Types ¶
type DeleteWithoutWhereRule ¶
type DeleteWithoutWhereRule struct{}
DeleteWithoutWhereRule blocks DELETE statements without WHERE clause.
func (*DeleteWithoutWhereRule) Check ¶
func (r *DeleteWithoutWhereRule) Check(astNode *ast.AST) *Violation
func (*DeleteWithoutWhereRule) Name ¶
func (*DeleteWithoutWhereRule) Name() string
type DropStatementRule ¶
type DropStatementRule struct{}
DropStatementRule blocks DROP statements.
func (*DropStatementRule) Name ¶
func (*DropStatementRule) Name() string
type Guard ¶
type Guard struct {
// contains filtered or unexported fields
}
Guard coordinates sql rule checking.
func NewGuard ¶
NewGuard creates a new sql guard with the given rules. If no rules are provided, the default rules are used.
func (*Guard) Check ¶
Check validates the sql statement against all rules. Returns nil if the sql is safe, or an error if a violation is detected. Unlike EnsureReadOnly it fails OPEN: SQL that the parser cannot understand is allowed through, because Check is a best-effort developer write-guardrail (the opt-in query hook), not a security sandbox. The authoritative protection for untrusted SQL is a least-privilege database role.
type GuardError ¶
GuardError wraps a sql guard error with additional context.
func (*GuardError) Error ¶
func (e *GuardError) Error() string
func (*GuardError) Unwrap ¶
func (e *GuardError) Unwrap() error
type Rule ¶
type Rule interface {
// Name returns the rule identifier (e.g., "no_drop", "no_truncate").
Name() string
// Check inspects the SQL AST and returns a Violation if the rule is violated, or nil if it passes.
Check(astNode *ast.AST) *Violation
}
Rule defines the interface for SQL checking rules.
func DefaultRules ¶
func DefaultRules() []Rule
DefaultRules returns the default set of SQL checking rules.
type TruncateStatementRule ¶
type TruncateStatementRule struct{}
TruncateStatementRule blocks TRUNCATE statements.
func (*TruncateStatementRule) Check ¶
func (r *TruncateStatementRule) Check(astNode *ast.AST) *Violation
func (*TruncateStatementRule) Name ¶
func (*TruncateStatementRule) Name() string
type UpdateWithoutWhereRule ¶ added in v0.29.0
type UpdateWithoutWhereRule struct{}
UpdateWithoutWhereRule blocks UPDATE statements without WHERE clause.
func (*UpdateWithoutWhereRule) Check ¶ added in v0.29.0
func (r *UpdateWithoutWhereRule) Check(astNode *ast.AST) *Violation
func (*UpdateWithoutWhereRule) Name ¶ added in v0.29.0
func (*UpdateWithoutWhereRule) Name() string