use crate::core::shared::models::UserSession;
use crate::core::shared::state::AppState;
use diesel::prelude::*;
use log::error;
use log::trace;
use rhai::Dynamic;
use rhai::Engine;
use serde_json::{json, Value};
use std::error::Error;
/// Registers the `SET <table>, <filter>, <updates>` custom syntax on the Rhai engine.
///
/// When a script executes the statement, the three expressions are evaluated
/// and converted to strings, a connection is obtained through
/// `state.conn.get()`, and `execute_set` performs the update. The script
/// receives the `rows_affected` entry of the result as an integer (0 when the
/// entry is not an integer), or an error when the entry is missing.
///
/// NOTE(review): `_user` is never consulted and the table name is forwarded
/// exactly as the script produced it, so nothing in this function restricts
/// which table a script may update.
///
/// # Panics
///
/// Panics if the engine rejects the syntax registration.
pub fn set_keyword(state: &AppState, _user: UserSession, engine: &mut Engine) {
    // The closure outlives this call, so it owns its own handle to the state.
    let app_state = state.clone();

    engine
        .register_custom_syntax(
            ["SET", "$expr$", ",", "$expr$", ",", "$expr$"],
            false,
            move |context, inputs| {
                // Evaluate the operands left to right; the first failure aborts the statement.
                let table_value = context.eval_expression_tree(&inputs[0])?;
                let filter_value = context.eval_expression_tree(&inputs[1])?;
                let updates_value = context.eval_expression_tree(&inputs[2])?;

                let table_str = table_value.to_string();
                let filter_str = filter_value.to_string();
                let updates_str = updates_value.to_string();

                // NOTE(review): filter and update values are written to the trace log verbatim.
                trace!(
                    "Starting execute_set with table: {}, filter: {}, updates: {}",
                    table_str,
                    filter_str,
                    updates_str
                );

                let mut conn = app_state
                    .conn
                    .get()
                    .map_err(|e| format!("DB error: {}", e))?;

                let outcome = execute_set(&mut conn, &table_str, &filter_str, &updates_str)
                    .map_err(|e| format!("DB error: {}", e))?;

                match outcome.get("rows_affected") {
                    Some(count) => Ok(Dynamic::from(count.as_i64().unwrap_or(0))),
                    None => Err("No rows affected".into()),
                }
            },
        )
        .expect("valid syntax registration");
}
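/// Runs `UPDATE <table> SET <updates> WHERE <filter>` and reports the outcome.
///
/// `updates_str` is parsed by `parse_updates` into a `SET` clause with
/// numbered placeholders plus the matching values, and `filter_str` is turned
/// into the `WHERE` clause by `parse_filter_for_diesel`. The filter is spliced
/// in as SQL text, so its safety depends entirely on that helper.
///
/// # Errors
///
/// Returns the error text when the table name is not a plain (optionally
/// schema-qualified) identifier, when either input fails to parse, or when the
/// database rejects the statement.
pub fn execute_set(
    conn: &mut diesel::PgConnection,
    table_str: &str,
    filter_str: &str,
    updates_str: &str,
) -> Result<Value, String> {
    // The table name is interpolated into the statement text and cannot be
    // sent as a bound parameter, so only dot-separated identifier segments
    // made of ASCII letters, digits and underscores are accepted.
    let table_is_identifier = table_str.split('.').all(|segment| {
        !segment.is_empty()
            && segment
                .chars()
                .all(|c| c.is_ascii_alphanumeric() || c == '_')
    });
    if !table_is_identifier {
        return Err("Invalid table name".to_string());
    }

    let (set_clause, update_values) = parse_updates(updates_str).map_err(|e| e.to_string())?;
    let where_clause = parse_filter_for_diesel(filter_str).map_err(|e| e.to_string())?;

    let query = format!(
        "UPDATE {} SET {} WHERE {}",
        table_str, set_clause, where_clause
    );

    // The SET clause refers to $1..$n; supply the values in the same order so
    // they travel as bound parameters instead of being left unbound.
    // NOTE(review): values are bound as TEXT because `parse_updates` returns
    // strings; confirm the target columns accept a text parameter or add casts.
    let mut statement = diesel::sql_query(query).into_boxed::<diesel::pg::Pg>();
    for value in update_values {
        statement = statement.bind::<diesel::sql_types::Text, _>(value);
    }

    let result = statement.execute(conn).map_err(|e| {
        error!("SQL execution error: {}", e);
        e.to_string()
    })?;

    Ok(json!({
        "command": "set",
        "table": table_str,
        "filter": filter_str,
        "updates": updates_str,
        "rows_affected": result
    }))
}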
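/// Parses a comma-separated `column=value` list into a `SET` clause.
///
/// Returns the clause text, in which each column is assigned a numbered
/// placeholder (`$1`, `$2`, ...), together with the trimmed values in
/// placeholder order. The values are not embedded in the clause.
///
/// # Errors
///
/// Fails when an entry does not contain exactly one `=`, or when a column name
/// is empty or holds anything other than ASCII letters, digits and `_`.
fn parse_updates(updates_str: &str) -> Result<(String, Vec<String>), Box<dyn Error>> {
    let mut set_clauses = Vec::new();
    let mut params = Vec::new();

    for (i, update) in updates_str.split(',').enumerate() {
        let parts: Vec<&str> = update.split('=').collect();
        let (column, value) = match parts.as_slice() {
            [column, value] => (column.trim(), value.trim()),
            _ => return Err("Invalid update format".into()),
        };

        // The column name is written into the SQL text, so it must be a plain
        // identifier. `all` is vacuously true for an empty string, hence the
        // explicit emptiness check.
        let column_is_identifier = !column.is_empty()
            && column
                .chars()
                .all(|c| c.is_ascii_alphanumeric() || c == '_');
        if !column_is_identifier {
            return Err("Invalid column name".into());
        }

        set_clauses.push(format!("{} = ${}", column, i + 1));
        params.push(value.to_string());
    }

    Ok((set_clauses.join(", "), params))
}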
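/// Converts a `KEY=VALUE` filter into the text of a SQL equality condition.
///
/// The result has the form `column = 'value'`, with the value embedded as a
/// quoted string literal.
///
/// # Errors
///
/// Fails when the input does not contain exactly one `=`, or when the column
/// name is empty or holds anything other than ASCII letters, digits and `_`.
fn parse_filter_for_diesel(filter_str: &str) -> Result<String, Box<dyn Error>> {
    let parts: Vec<&str> = filter_str.split('=').collect();
    let (column, value) = match parts.as_slice() {
        [column, value] => (column.trim(), value.trim()),
        _ => return Err("Invalid filter format. Expected 'KEY=VALUE'".into()),
    };

    // `all` is vacuously true for an empty string, so emptiness is checked
    // separately.
    let column_is_identifier = !column.is_empty()
        && column
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '_');
    if !column_is_identifier {
        return Err("Invalid column name in filter".into());
    }

    // The value is placed inside a quoted literal, so any single quote in it
    // is doubled to keep it from terminating the literal early.
    // NOTE(review): this assumes the server treats backslashes literally
    // (`standard_conforming_strings = on`); sending the value as a bound
    // parameter would remove that assumption.
    let escaped_value = value.replace('\'', "''");

    Ok(format!("{} = '{}'", column, escaped_value))
}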