fix: crash-proofing + small robustness fixes
- pool.js: add pool.on('error') handler — an idle-client error (DB restart /
.215 failover) previously crashed the process (no 'error' listener → throw)
- context tool: project a SAFE_COLUMNS allow-list for resources (never the
monitoring/metadata JSON blobs); also add 'resource' to TABLE (was unhandled)
- applyPendingChange: guard the 'upsert' arm so a non-upsertable entity_type
fails with a clear ValidationError instead of a bare TypeError
Tests: pool_error, context (resource case), pending_extended_actions (guard).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
@@ -1,6 +1,13 @@
|
|||||||
import { pool } from '../../../db/pool.js';
|
import { pool } from '../../../db/pool.js';
|
||||||
|
|
||||||
const TABLE = { page: 'pages', ref: 'refs', task: 'tasks', project: 'projects', space: 'spaces' };
|
const TABLE = { page: 'pages', ref: 'refs', task: 'tasks', project: 'projects', space: 'spaces', resource: 'resources' };
|
||||||
|
|
||||||
|
// Explicit column projection per entity type (defaults to '*'). Resources carry
|
||||||
|
// monitoring/metadata JSON that can hold connection hints / vault_path pointers,
|
||||||
|
// so we never surface those blobs to an agent — see docs/security-sweep-2026-06-01.md.
|
||||||
|
const SAFE_COLUMNS = {
|
||||||
|
resource: 'id, space_id, slug, name, runtime_type, host, url, version, status, last_check, maintenance_until'
|
||||||
|
};
|
||||||
|
|
||||||
export const contextTool = {
|
export const contextTool = {
|
||||||
name: 'context',
|
name: 'context',
|
||||||
@@ -13,7 +20,8 @@ export const contextTool = {
|
|||||||
}
|
}
|
||||||
const table = TABLE[view.entityType];
|
const table = TABLE[view.entityType];
|
||||||
if (!table) return { entityType: view.entityType, entityId: view.entityId, note: 'unrecognised entity type' };
|
if (!table) return { entityType: view.entityType, entityId: view.entityId, note: 'unrecognised entity type' };
|
||||||
const { rows: [row] } = await pool.query(`SELECT * FROM ${table} WHERE id=$1`, [view.entityId]);
|
const cols = SAFE_COLUMNS[view.entityType] || '*';
|
||||||
|
const { rows: [row] } = await pool.query(`SELECT ${cols} FROM ${table} WHERE id=$1`, [view.entityId]);
|
||||||
if (!row) return { entityType: view.entityType, entityId: view.entityId, error: 'not found' };
|
if (!row) return { entityType: view.entityType, entityId: view.entityId, error: 'not found' };
|
||||||
return { entityType: view.entityType, ...row };
|
return { entityType: view.entityType, ...row };
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -35,6 +35,9 @@ export async function applyPendingChange(row, actor) {
|
|||||||
return created.id;
|
return created.id;
|
||||||
}
|
}
|
||||||
case 'upsert': {
|
case 'upsert': {
|
||||||
|
if (typeof repo.upsertByExternal !== 'function') {
|
||||||
|
throw new ValidationError(`entity_type '${row.entity_type}' does not support upsert`);
|
||||||
|
}
|
||||||
const row_ = await repo.upsertByExternal(row.payload, actor);
|
const row_ = await repo.upsertByExternal(row.payload, actor);
|
||||||
return row_.id;
|
return row_.id;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,8 +1,16 @@
|
|||||||
import pg from 'pg';
|
import pg from 'pg';
|
||||||
import 'dotenv/config';
|
import 'dotenv/config';
|
||||||
|
import { log } from '../log.js';
|
||||||
|
|
||||||
export const pool = new pg.Pool({
|
export const pool = new pg.Pool({
|
||||||
connectionString: process.env.DATABASE_URL,
|
connectionString: process.env.DATABASE_URL,
|
||||||
max: 10,
|
max: 10,
|
||||||
idleTimeoutMillis: 30_000
|
idleTimeoutMillis: 30_000
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// An idle pooled client can emit 'error' (DB restart, replication failover on
|
||||||
|
// the .215 cluster). With no listener, EventEmitter throws and the process
|
||||||
|
// crashes. Log and let pg discard the dead client; the pool reconnects lazily.
|
||||||
|
pool.on('error', (err) => {
|
||||||
|
log.error({ err }, 'idle pg client error');
|
||||||
|
});
|
||||||
|
|||||||
@@ -23,4 +23,16 @@ describe('context tool', () => {
|
|||||||
const out = await contextTool.handler({}, { space_id: spaceId, view: null });
|
const out = await contextTool.handler({}, { space_id: spaceId, view: null });
|
||||||
expect(out.note).toMatch(/no specific entity/i);
|
expect(out.note).toMatch(/no specific entity/i);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('omits sensitive JSON blobs (monitoring/metadata) when grounding on a resource', async () => {
|
||||||
|
const { rows: [{ id: resId }] } = await pool.query(
|
||||||
|
`INSERT INTO resources(space_id, slug, name, runtime_type, monitoring, metadata)
|
||||||
|
VALUES($1,'db','DB','lxc','{"endpoint":"secret"}'::jsonb,'{"vault_path":"env:DB_PASS"}'::jsonb)
|
||||||
|
RETURNING id`, [spaceId]);
|
||||||
|
const out = await contextTool.handler({}, { space_id: spaceId, view: { entityType: 'resource', entityId: resId } });
|
||||||
|
expect(out.name).toBe('DB');
|
||||||
|
expect(out.status).toBe('unknown');
|
||||||
|
expect(out).not.toHaveProperty('monitoring');
|
||||||
|
expect(out).not.toHaveProperty('metadata');
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|||||||
12
tests/db/pool_error.test.js
Normal file
12
tests/db/pool_error.test.js
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
import { describe, it, expect } from 'vitest';
|
||||||
|
import { pool } from '../../lib/db/pool.js';
|
||||||
|
|
||||||
|
// A pg.Pool emits 'error' when an *idle* pooled client errors (DB restart,
|
||||||
|
// replication failover). With no 'error' listener, EventEmitter throws and the
|
||||||
|
// whole process crashes. The pool must register a handler.
|
||||||
|
describe('db pool error handling', () => {
|
||||||
|
it('has an error listener so an idle-client error never crashes the process', () => {
|
||||||
|
expect(pool.listenerCount('error')).toBeGreaterThan(0);
|
||||||
|
expect(() => pool.emit('error', new Error('simulated idle-client error'), null)).not.toThrow();
|
||||||
|
});
|
||||||
|
});
|
||||||
Reference in New Issue
Block a user