lib/gitlab/database/query_analyzers/gitlab_schemas_validate_connection.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# frozen_string_literal: true

module Gitlab
  module Database
    module QueryAnalyzers
      # The purpose of this analyzer is to validate if tables observed
      # are properly used according to schema used by current connection
      class GitlabSchemasValidateConnection < Base
        CrossSchemaAccessError = Class.new(QueryAnalyzerError)

        class << self
          def enabled?
            true
          end

          def analyze(parsed)
            tables = parsed.pg.select_tables + parsed.pg.dml_tables
            table_schemas = ::Gitlab::Database::GitlabSchema.table_schemas(tables)
            return if table_schemas.empty?

            allowed_schemas = ::Gitlab::Database.gitlab_schemas_for_connection(parsed.connection)
            return unless allowed_schemas

            invalid_schemas = table_schemas - allowed_schemas
            if invalid_schemas.any?
              message = "The query tried to access #{tables} (of #{table_schemas.to_a}) "
              message += "which is outside of allowed schemas (#{allowed_schemas}) "
              message += "for the current connection '#{Gitlab::Database.db_config_name(parsed.connection)}'"

              raise CrossSchemaAccessError, message
            end
          end
        end
      end
    end
  end
end