Fix Postgres login, improve testing suite (#545)

* remove validation input for now

* aim to fix the mysql/mariadb bug where update doesn't properly create the query

* added views back to pg query

* fix e2e dropdown selection, add coverage to cypress, add setup/cleanup shell scripts for cypress

* modify postgres password handling to use pgx config builder

* tidy

* add go coverage

* remove the sqlite test db

* add initial redis support for zset

* add redis to e2e docker compose

* update existing test + fix dropdown selection

* add redis e2e tests

* add elasticsearch to e2e docker compose

* update elasticsearch init

* elasticsearch e2e tests

Author: modelorona

.gitignore

@@ -4,4 +4,8 @@
 DS_Store
 .DS_Store
 __debug*
-*.db
+*.db
+frontend/coverage
+frontend/.nyc_output
+tmp/
+core/tmp/

core/go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/go-sql-driver/mysql v1.9.2
 	github.com/google/uuid v1.6.0
+	github.com/jackc/pgx/v5 v5.5.5
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/vektah/gqlparser/v2 v2.5.28
@@ -44,7 +45,6 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect

core/server_test.go

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2025 Clidey, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+	"context"
+	"embed"
+	"fmt"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/clidey/whodb/core/src"
+	"github.com/clidey/whodb/core/src/log"
+	"github.com/clidey/whodb/core/src/router"
+	"github.com/pkg/errors"
+)
+
+//go:embed build/*
+var staticFilesTest embed.FS
+
+const defaultPortTest = "8080"
+
+var srv *http.Server
+
+func TestMain(m *testing.M) {
+	log.Logger.Info("Starting WhoDB in test mode (Ctrl+C to exit)...")
+
+	src.InitializeEngine()
+	r := router.InitializeRouter(staticFilesTest)
+
+	port := os.Getenv("PORT")
+	if port == "" {
+		port = defaultPortTest
+	}
+
+	srv = &http.Server{
+		Addr:              fmt.Sprintf(":%s", port),
+		Handler:           r,
+		ReadHeaderTimeout: 5 * time.Second,
+		ReadTimeout:       10 * time.Second,
+		WriteTimeout:      1 * time.Minute,
+		IdleTimeout:       30 * time.Second,
+	}
+
+	go func() {
+		log.Logger.Info("Server starting...")
+		if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Logger.Fatalf("listen: %s", err)
+			os.Exit(1)
+		}
+	}()
+
+	log.Logger.Infof("🎉 WhoDB test server running at http://localhost:%s 🎉", port)
+
+	// Wait for SIGINT (Ctrl+C) or SIGTERM
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
+	<-quit
+	log.Logger.Info("Received shutdown signal (Ctrl+C). Shutting down...")
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	if err := srv.Shutdown(ctx); err != nil {
+		log.Logger.Errorf("Graceful shutdown failed: %v", err)
+	}
+
+	log.Logger.Info("Test server shut down. Exiting and writing coverage.")
+	os.Exit(m.Run())
+}

core/src/plugins/gorm/plugin.go

@@ -180,7 +180,7 @@ func (p *GormPlugin) applyWhereConditions(query *gorm.DB, condition *model.Where
 			if err != nil {
 				return nil, err
 			}
-			query = query.Where(fmt.Sprintf("%s = ?", condition.Atomic.Key), value)
+			query = query.Where(fmt.Sprintf("%s = ?", p.EscapeIdentifier(condition.Atomic.Key)), value)
 		}
 
 	case model.WhereConditionTypeAnd:

core/src/plugins/gorm/update.go

@@ -19,6 +19,7 @@ package gorm_plugin
 import (
 	"errors"
 	"fmt"
+
 	"github.com/clidey/whodb/core/src/common"
 	"github.com/clidey/whodb/core/src/engine"
 	"github.com/clidey/whodb/core/src/plugins"
@@ -74,9 +75,17 @@ func (p *GormPlugin) UpdateStorageUnit(config *engine.PluginConfig, schema strin
 
 		var result *gorm.DB
 		if len(conditions) == 0 {
-			result = db.Table(tableName).Where(unchangedValues).Updates(convertedValues)
+			if p.Type == engine.DatabaseType_MySQL || p.Type == engine.DatabaseType_MariaDB {
+				result = p.executeUpdateWithWhereMap(db, tableName, unchangedValues, convertedValues)
+			} else {
+				result = db.Table(tableName).Where(unchangedValues).Updates(convertedValues)
+			}
 		} else {
-			result = db.Table(tableName).Where(conditions, nil).Updates(convertedValues)
+			if p.Type == engine.DatabaseType_MySQL || p.Type == engine.DatabaseType_MariaDB {
+				result = p.executeUpdateWithWhereMap(db, tableName, conditions, convertedValues)
+			} else {
+				result = db.Table(tableName).Where(conditions, nil).Updates(convertedValues)
+			}
 		}
 
 		if result.Error != nil {
@@ -91,3 +100,17 @@ func (p *GormPlugin) UpdateStorageUnit(config *engine.PluginConfig, schema strin
 		return true, nil
 	})
 }
+
+// weird bug for mysql/mariadb driver where the where clause is not properly escaped, so have to do it manually below
+// should be fine as it still uses the query builder
+// todo: need to investigate underlying driver to see what's going on
+func (p *GormPlugin) executeUpdateWithWhereMap(db *gorm.DB, tableName string, whereConditions map[string]interface{}, updateValues map[string]interface{}) *gorm.DB {
+	query := db.Table(tableName)
+
+	for column, value := range whereConditions {
+		escapedColumn := p.EscapeIdentifier(column)
+		query = query.Where(fmt.Sprintf("%s = ?", escapedColumn), value)
+	}
+
+	return query.Updates(updateValues)
+}

core/src/plugins/postgres/db.go

@@ -17,122 +17,43 @@
 package postgres
 
 import (
-	"fmt"
-	"net"
-	"net/url"
-	"regexp"
-	"strconv"
-
 	"github.com/clidey/whodb/core/src/engine"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/stdlib"
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 )
 
-// validateInput uses allowlist validation to ensure only safe characters are used
-// This prevents all forms of injection and path traversal attacks
-func validateInput(input, inputType string) error {
-	if len(input) == 0 {
-		return fmt.Errorf("%s cannot be empty", inputType)
-	}
-	
-	// Define allowlist patterns for different input types
-	var allowedPattern *regexp.Regexp
-	var maxLength int
-	
-	switch inputType {
-	case "database":
-		// Database names: only alphanumeric, underscore, hyphen (no dots to prevent traversal)
-		allowedPattern = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)
-		maxLength = 63 // PostgreSQL database name limit
-	case "hostname":
-		// Hostnames: alphanumeric, dots, hyphens (standard hostname characters)
-		allowedPattern = regexp.MustCompile(`^[a-zA-Z0-9.-]+$`)
-		maxLength = 253 // RFC hostname limit
-	case "username":
-		// Usernames: alphanumeric and underscore only
-		allowedPattern = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)
-		maxLength = 63 // PostgreSQL username limit
-	default:
-		return fmt.Errorf("unknown input type: %s", inputType)
-	}
-	
-	// Check length
-	if len(input) > maxLength {
-		return fmt.Errorf("%s too long: maximum %d characters", inputType, maxLength)
-	}
-	
-	// Check against allowlist pattern
-	if !allowedPattern.MatchString(input) {
-		return fmt.Errorf("invalid %s: contains disallowed characters (only alphanumeric, underscore, hyphen allowed)", inputType)
-	}
-	
-	return nil
-}
-
 func (p *PostgresPlugin) DB(config *engine.PluginConfig) (*gorm.DB, error) {
 	connectionInput, err := p.ParseConnectionConfig(config)
 	if err != nil {
 		return nil, err
 	}
 
-	// Validate all connection parameters using allowlist validation
-	if err := validateInput(connectionInput.Hostname, "hostname"); err != nil {
-		return nil, fmt.Errorf("hostname validation failed: %w", err)
-	}
-
-	if err := validateInput(connectionInput.Database, "database"); err != nil {
-		return nil, fmt.Errorf("database validation failed: %w", err)
-	}
-
-	if err := validateInput(connectionInput.Username, "username"); err != nil {
-		return nil, fmt.Errorf("username validation failed: %w", err)
+	pgxConfig, err := pgx.ParseConfig("")
+	if err != nil {
+		return nil, err
 	}
 
-	// Construct PostgreSQL URL securely using url.URL struct
-	u := &url.URL{
-		Scheme: "postgresql",
-		User:   url.UserPassword(connectionInput.Username, connectionInput.Password),
-		Host:   net.JoinHostPort(connectionInput.Hostname, strconv.Itoa(connectionInput.Port)),
-		Path:   "/" + connectionInput.Database,
-	}
+	pgxConfig.Host = connectionInput.Hostname
+	pgxConfig.Port = uint16(connectionInput.Port)
+	pgxConfig.User = connectionInput.Username
+	pgxConfig.Password = connectionInput.Password
+	pgxConfig.Database = connectionInput.Database
 
-	// Add query parameters securely
-	q := u.Query()
-	q.Set("sslmode", "prefer")
-	
-	// Validate and add extra options as query parameters (allowlist approach)
 	if connectionInput.ExtraOptions != nil {
-		allowedOptions := map[string]bool{
-			"sslmode":     true,
-			"sslcert":     true,
-			"sslkey":      true,
-			"sslrootcert": true,
-			"connect_timeout": true,
-			"application_name": true,
+		if pgxConfig.RuntimeParams == nil {
+			pgxConfig.RuntimeParams = make(map[string]string)
 		}
-		
 		for key, value := range connectionInput.ExtraOptions {
-			// Only allow predefined safe options
-			if !allowedOptions[key] {
-				return nil, fmt.Errorf("extra option '%s' is not allowed for security reasons", key)
-			}
-			
-			// Validate option values using basic allowlist (no special characters)
-			if !regexp.MustCompile(`^[a-zA-Z0-9._/-]+$`).MatchString(value) {
-				return nil, fmt.Errorf("extra option value for '%s' contains invalid characters", key)
-			}
-			
-			q.Set(key, value)
+			pgxConfig.RuntimeParams[key] = value
 		}
 	}
-	
-	u.RawQuery = q.Encode()
-	dsn := u.String()
 
-	db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{})
+	db, err := gorm.Open(postgres.New(postgres.Config{Conn: stdlib.OpenDB(*pgxConfig)}), &gorm.Config{})
+
 	if err != nil {
 		return nil, err
 	}
 	return db, nil
 }
-

core/src/plugins/postgres/postgres.go

@@ -80,9 +80,10 @@ func (p *PostgresPlugin) GetTableInfoQuery() string {
 		LEFT JOIN
 			pg_stat_user_tables s ON t.table_name = s.relname
 		WHERE
-			t.table_schema = ?
-			AND t.table_type = 'BASE TABLE';
+			t.table_schema = ?;
 	`
+
+	// AND t.table_type = 'BASE TABLE' this removes the view tables
 }
 
 func (p *PostgresPlugin) GetTableNameAndAttributes(rows *sql.Rows, db *gorm.DB) (string, []engine.Record) {

core/src/plugins/redis/redis.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"sort"
 	"strconv"
 
 	"github.com/clidey/whodb/core/graph/model"
@@ -149,6 +150,19 @@ func (p *RedisPlugin) GetStorageUnits(config *engine.PluginConfig, schema string
 				{Key: "Type", Value: "set"},
 				{Key: "Size", Value: fmt.Sprintf("%d", size)},
 			}
+		case "zset":
+			sizeCmd := pipe.ZCard(ctx, key)
+			if _, err := pipe.Exec(ctx); err != nil {
+				return nil, err
+			}
+			size, err := sizeCmd.Result()
+			if err != nil {
+				return nil, err
+			}
+			attributes = []engine.Record{
+				{Key: "Type", Value: "zset"},
+				{Key: "Size", Value: fmt.Sprintf("%d", size)},
+			}
 		default:
 			attributes = []engine.Record{
 				{Key: "Type", Value: "unknown"},
@@ -206,6 +220,10 @@ func (p *RedisPlugin) GetRows(
 				rows = append(rows, []string{field, value})
 			}
 		}
+		// Sort rows by field name (first column) alphabetically
+		sort.Slice(rows, func(i, j int) bool {
+			return rows[i][0] < rows[j][0]
+		})
 		result = &engine.GetRowsResult{
 			Columns: []engine.Column{{Name: "field", Type: "string"}, {Name: "value", Type: "string"}},
 			Rows:    rows,
@@ -239,6 +257,19 @@ func (p *RedisPlugin) GetRows(
 			Rows:          rows,
 			DisableUpdate: true,
 		}
+	case "zset":
+		zsetValues, err := client.ZRangeWithScores(ctx, storageUnit, 0, -1).Result()
+		if err != nil {
+			return nil, err
+		}
+		rows := [][]string{}
+		for i, member := range zsetValues {
+			rows = append(rows, []string{strconv.Itoa(i), member.Member.(string), fmt.Sprintf("%.2f", member.Score)})
+		}
+		result = &engine.GetRowsResult{
+			Columns: []engine.Column{{Name: "index", Type: "string"}, {Name: "member", Type: "string"}, {Name: "score", Type: "string"}},
+			Rows:    rows,
+		}
 	default:
 		return nil, errors.New("unsupported Redis data type")
 	}