Security: prevent execution of write SQL statements

Faycal Bououza · Faycal Bououza · commit 495158533c84 · 2025-11-07T12:22:19.000+01:00
diff --git a/main.go b/main.go
@@ -157,6 +157,10 @@ func runExport(cmd *cobra.Command, args []string) error {
 		logger.Debug("Using inline SQL query (%d characters)", len(query))
 	}
 
+	if err := validateQuery(query); err != nil {
+		return err
+	}
+
 	format = strings.ToLower(strings.TrimSpace(format))
 
 	var delimRune rune = ','
diff --git a/store.go b/store.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/fbz-tec/pgexport/logger"
@@ -119,3 +120,38 @@ func sanitizeURL(dbUrl string) string {
 
 	return fmt.Sprintf("%s://%s%s%s", u.Scheme, userInfo, u.Host, path)
 }
+
+// ValidateQuery checks if the query is safe for export (read-only)
+func validateQuery(query string) error {
+	// Normalize query to uppercase for checking
+	normalized := strings.ToUpper(strings.TrimSpace(query))
+
+	// List of forbidden SQL commands
+	forbiddenCommands := []string{
+		"DELETE",
+		"DROP",
+		"TRUNCATE",
+		"INSERT",
+		"UPDATE",
+		"ALTER",
+		"CREATE",
+		"GRANT",
+		"REVOKE",
+	}
+
+	// Check if query starts with forbidden command
+	for _, cmd := range forbiddenCommands {
+		if strings.HasPrefix(normalized, cmd) {
+			return fmt.Errorf("forbidden SQL command detected: %s (read-only mode)", cmd)
+		}
+	}
+
+	// Additional check: detect forbidden keywords anywhere in query
+	for _, cmd := range forbiddenCommands {
+		if strings.Contains(normalized, cmd+" ") || strings.Contains(normalized, cmd+";") {
+			return fmt.Errorf("forbidden SQL command detected in query: %s", cmd)
+		}
+	}
+
+	return nil
+}
diff --git a/store_test.go b/store_test.go
@@ -367,6 +367,49 @@ func TestConnectionReuse(t *testing.T) {
 	}
 }
 
+func TestValidateQuery(t *testing.T) {
+	tests := []struct {
+		name    string
+		query   string
+		wantErr bool
+	}{
+		{
+			name:    "valid SELECT",
+			query:   "SELECT * FROM users",
+			wantErr: false,
+		},
+		{
+			name:    "forbidden DELETE",
+			query:   "DELETE FROM users",
+			wantErr: true,
+		},
+		{
+			name:    "forbidden DROP",
+			query:   "DROP TABLE users",
+			wantErr: true,
+		},
+		{
+			name:    "chained DELETE",
+			query:   "SELECT 1; DELETE FROM users",
+			wantErr: true,
+		},
+		{
+			name:    "lowercase delete",
+			query:   "delete from users",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateQuery(tt.query)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateQuery() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
 // Helper function to get test database URL from environment
 // Set DB_TEST_URL environment variable to run integration tests
 // Example: export DB_TEST_URL="postgres://user:pass@localhost:5432/testdb"

Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,10 @@ func runExport(cmd *cobra.Command, args []string) error {`
`157`	`157`	`logger.Debug("Using inline SQL query (%d characters)", len(query))`
`158`	`158`	`}`
`159`	`159`
	`160`	`+ if err := validateQuery(query); err != nil {`
	`161`	`+ return err`
	`162`	`+ }`
	`163`	`+`
`160`	`164`	`format = strings.ToLower(strings.TrimSpace(format))`
`161`	`165`
`162`	`166`	`var delimRune rune = ','`