Detect unsafe functions in SQL queries on DataCentral ETL pages
// ==UserScript== // @name Datanet: SQL Unsafe Function Detector // @namespace http://tampermonkey.net/ // @version 1.5 // @description Detect unsafe functions in SQL queries on DataCentral ETL pages // @author [email protected] // @match https://datacentral.a2z.com/dw-platform/servlet/dwp/template/EtlViewExtractJobs.vm/job_profile_id/* // @grant none // ==/UserScript== /* REVISION HISTORY: 1 - 2025-09-16 - zhjy@ - Initial version 1.1 - 2025-09-16 - zhjy@ - Updated "match" to make it available to new Datanet UI 1.2 - 2025-09-16 - zhjy@ - Revert to 1.0 1.3 - 2025-09-16 - zhjy@ - Fixed performance issues by removing automatic monitoring, detection now only runs on button click 1.4 - 2025-09-16 - zhjy@ - Enhanced WHERE clause detection to identify complete WHERE clauses and JOIN ON clause extraction for improved accuracy. 1.5 - 2025-09-18 - zhjy@ - Fixed SQL text extraction; Modernized UI design; Refactored unsafe function detection logic */ (function() { 'use strict'; // Define unsafe functions by category const UNSAFE_FUNCTIONS = { 'Date/Time Functions': [ 'DATE_TRUNC', 'DATE_PART', 'EXTRACT', 'TO_CHAR', 'ADD_MONTHS', 'CONVERT_TIMEZONE', 'CURRENT_DATE', 'INTERVAL', 'TRUNC', '::DATE' ], 'String Functions': [ 'LENGTH', 'LEFT', 'RIGHT', 'SUBSTR', 'POSITION', 'CONCAT', 'REPLACE' ], 'String Matching Functions': [ 'SIMILAR TO', 'REGEXP_COUNT', 'LIKE' ], 'Type Conversion Functions': [ 'CAST', 'TO_NUMBER', 'TO_DATE', '::DATE', '::TIMESTAMP', '::TIME', '::INTEGER', '::NUMERIC', '::TEXT', '::VARCHAR', '::CHAR', '::BOOLEAN' ], 'Time Comparison Functions': [ 'TIME BETWEEN', 'EXTRACT.*EPOCH' ] }; // Flatten all unsafe functions for easy lookup const ALL_UNSAFE_FUNCTIONS = Object.values(UNSAFE_FUNCTIONS).flat(); // Define safe TO_DATE patterns that should not be flagged as unsafe const SAFE_TO_DATE_PATTERNS = [ /to_date\s*\(\s*['"]\{RUN_DATE_YYYYMMDD\}['"],\s*['"]YYYYMMDD['"]\s*\)/gi, /to_date\s*\(\s*['"]\{RUN_DATE_YYYY-MM-DD\}['"],\s*['"]YYYY-MM-DD['"]\s*\)/gi, /to_date\s*\(\s*['"]\{RUN_DATE_YYYY\/MM\/DD\}['"],\s*['"]YYYY\/MM\/DD['"]\s*\)/gi ]; // CSS styles for UI and highlighting const styles = ` .unsafe-function-highlight { background-color: #fef3c7 !important; border-radius: 4px !important; padding: 1px 3px !important; font-weight: 600 !important; user-select: text !important; -webkit-user-select: text !important; -moz-user-select: text !important; -ms-user-select: text !important; box-shadow: 0 1px 2px rgba(0, 0, 0, 0.05) !important; } .unsafe-function-panel { position: fixed; top: 20px; right: 20px; width: 380px; max-height: 520px; background: linear-gradient(135deg, #ffffff 0%, #f8fafc 100%); border: 1px solid #e2e8f0; border-radius: 12px; box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04); z-index: 9999; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; overflow: hidden; backdrop-filter: blur(10px); border-top: 3px solid #334155; } .unsafe-function-panel-header { background: linear-gradient(135deg, #334155 0%, #475569 100%); color: white; padding: 16px 20px; font-weight: 600; font-size: 15px; display: flex; justify-content: space-between; align-items: center; letter-spacing: -0.025em; } .unsafe-function-panel-content { padding: 20px; max-height: 420px; overflow-y: auto; scrollbar-width: thin; scrollbar-color: #cbd5e1 #f1f5f9; } .unsafe-function-panel-content::-webkit-scrollbar { width: 6px; } .unsafe-function-panel-content::-webkit-scrollbar-track { background: #f1f5f9; border-radius: 3px; } .unsafe-function-panel-content::-webkit-scrollbar-thumb { background: #cbd5e1; border-radius: 3px; } .unsafe-function-panel-content::-webkit-scrollbar-thumb:hover { background: #94a3b8; } .unsafe-function-category { margin-bottom: 18px; } .unsafe-function-category:last-child { margin-bottom: 0; } .unsafe-function-category-title { font-weight: 600; color: #1e293b; margin-bottom: 8px; border-bottom: 2px solid #e2e8f0; padding-bottom: 6px; font-size: 14px; letter-spacing: -0.025em; display: flex; align-items: center; gap: 8px; } .unsafe-function-category-title::before { content: "⚠️"; font-size: 16px; } .unsafe-function-item { margin: 6px 0; padding: 12px 16px; background: linear-gradient(135deg, #ffffff 0%, #f8fafc 100%); border: 1px solid #e2e8f0; border-left: 4px solid #f59e0b; border-radius: 8px; font-family: 'SF Mono', Monaco, 'Cascadia Code', 'Roboto Mono', Consolas, 'Courier New', monospace; font-size: 13px; cursor: pointer; transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1); position: relative; line-height: 1.5; } .unsafe-function-item:hover { background: linear-gradient(135deg, #fef3c7 0%, #fef9e7 100%); border-color: #f59e0b; box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06); transform: translateY(-1px); } .unsafe-function-item strong { color: #dc2626; font-weight: 700; font-size: 14px; } .unsafe-function-item small { color: #64748b; font-size: 12px; line-height: 1.4; margin-top: 4px; display: block; } .unsafe-function-item::after { content: "🔍"; position: absolute; right: 12px; top: 50%; transform: translateY(-50%); opacity: 0; transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1); font-size: 16px; } .unsafe-function-item:hover::after { opacity: 1; transform: translateY(-50%) scale(1.1); } .temporary-line-flash { animation: lineFlash 2s ease-out; } @keyframes lineFlash { 0% { background-color: rgba(51, 65, 85, 0.3) !important; box-shadow: 0 0 0 4px rgba(51, 65, 85, 0.2) !important; } 50% { background-color: rgba(51, 65, 85, 0.2) !important; box-shadow: 0 0 0 2px rgba(51, 65, 85, 0.1) !important; } 100% { background-color: rgba(245, 158, 11, 0.15) !important; box-shadow: none !important; } } .close-btn { background: rgba(255, 255, 255, 0.2); border: none; color: white; font-size: 20px; cursor: pointer; padding: 0; width: 28px; height: 28px; display: flex; align-items: center; justify-content: center; border-radius: 6px; transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1); } .close-btn:hover { background: rgba(255, 255, 255, 0.3); transform: scale(1.05); } .toggle-btn { position: fixed; bottom: 24px; right: 24px; background: linear-gradient(135deg, #334155 0%, #475569 100%); color: white; border: none; padding: 14px 20px; border-radius: 12px; cursor: pointer; font-size: 14px; font-weight: 600; z-index: 9998; box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); transition: all 0.3s cubic-bezier(0.4, 0, 0.2, 1); font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; letter-spacing: -0.025em; min-width: 200px; text-align: center; } .toggle-btn:hover { background: linear-gradient(135deg, #475569 0%, #64748b 100%); transform: translateY(-2px); box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04); } .toggle-btn:active { transform: translateY(0); box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); } .no-unsafe-functions { color: #059669; font-style: normal; text-align: center; padding: 32px 20px; font-size: 15px; font-weight: 500; line-height: 1.6; background: linear-gradient(135deg, #ecfdf5 0%, #f0fdf4 100%); border-radius: 8px; border: 1px solid #bbf7d0; } .no-unsafe-functions::before { content: "✅"; display: block; font-size: 32px; margin-bottom: 12px; } `; // Add styles to page const styleSheet = document.createElement('style'); styleSheet.textContent = styles; document.head.appendChild(styleSheet); let detectedFunctions = {}; let panelVisible = false; let panel = null; let toggleBtn = null; let isScanning = false; let scanTimeout = null; let highlightStyleSheet = null; // Store dynamic highlight styles let highlightedLines = new Map(); // Store highlighted line information for persistence let highlightProtectionInterval = null; // Interval for highlight protection // Create unique key for deduplication function createUniqueKey(func) { return `${func.function}-${func.line}-${func.column}-${func.context.trim()}`; } // Deduplicate detected functions using unique keys function deduplicateDetections(detectedFunctions) { const deduplicatedFunctions = {}; const seenKeys = new Set(); Object.entries(detectedFunctions).forEach(([category, functions]) => { const uniqueFunctions = []; functions.forEach(func => { const uniqueKey = createUniqueKey(func); if (!seenKeys.has(uniqueKey)) { seenKeys.add(uniqueKey); uniqueFunctions.push(func); } else { // Duplicate detection skipped } }); if (uniqueFunctions.length > 0) { deduplicatedFunctions[category] = uniqueFunctions; } }); return deduplicatedFunctions; } // Jump to line functionality - completely independent functions function jumpToLine(lineNumber, elementIndex) { try { // Find the correct CodeMirror instance const codeMirrorInstance = findCodeMirrorForLine(lineNumber, elementIndex); if (!codeMirrorInstance) { return false; } // Get the target line element const lines = codeMirrorInstance.querySelectorAll('.CodeMirror-line'); const targetLineIndex = lineNumber - 1; // Convert to 0-based index if (targetLineIndex >= 0 && targetLineIndex < lines.length) { const targetLine = lines[targetLineIndex]; // Scroll to the line with smooth behavior targetLine.scrollIntoView({ behavior: 'smooth', block: 'center', inline: 'nearest' }); // Add temporary flash effect addTemporaryHighlight(targetLine); return true; } else { return false; } } catch (error) { console.error('Error in jumpToLine:', error); return false; } } function findCodeMirrorForLine(lineNumber, elementIndex) { try { // Strategy 1: Use elementIndex if provided if (typeof elementIndex === 'number') { const codeMirrorElements = document.querySelectorAll('.CodeMirror-scroll'); if (elementIndex >= 0 && elementIndex < codeMirrorElements.length) { return codeMirrorElements[elementIndex]; } } // Strategy 2: Find CodeMirror instance that contains the line const allCodeMirrorElements = document.querySelectorAll('.CodeMirror-scroll'); for (let element of allCodeMirrorElements) { const lines = element.querySelectorAll('.CodeMirror-line'); if (lineNumber <= lines.length) { return element; } } // Strategy 3: Return the first available CodeMirror instance return allCodeMirrorElements[0] || null; } catch (error) { console.error('Error in findCodeMirrorForLine:', error); return null; } } function addTemporaryHighlight(lineElement) { try { if (!lineElement) return; // Add flash animation class lineElement.classList.add('temporary-line-flash'); // Remove the class after animation completes setTimeout(() => { if (lineElement && lineElement.classList) { lineElement.classList.remove('temporary-line-flash'); } }, 1500); // Match the animation duration } catch (error) { console.error('Error in addTemporaryHighlight:', error); } } function setupSummaryClickHandlers() { try { if (!panel) return; // Use event delegation to handle clicks on summary items panel.addEventListener('click', function(event) { // Check if clicked element is an unsafe function item const clickedItem = event.target.closest('.unsafe-function-item'); if (!clickedItem) return; // Prevent event bubbling event.stopPropagation(); // Extract line number from the item content const lineInfo = extractLineInfoFromItem(clickedItem); if (lineInfo) { jumpToLine(lineInfo.line, lineInfo.elementIndex); } }); } catch (error) { console.error('Error in setupSummaryClickHandlers:', error); } } function extractLineInfoFromItem(itemElement) { try { const text = itemElement.textContent || ''; // Extract line number from text like "REPLACE at line 15:23" const lineMatch = text.match(/at line (\d+):(\d+)/); if (lineMatch) { const lineNumber = parseInt(lineMatch[1], 10); const columnNumber = parseInt(lineMatch[2], 10); // Try to find the corresponding elementIndex from detectedFunctions let elementIndex = 0; // Default to first element // Search through detectedFunctions to find matching entry Object.values(detectedFunctions).forEach(functions => { functions.forEach(func => { if (func.line === lineNumber && func.column === columnNumber) { // Try to find elementIndex from highlightedLines highlightedLines.forEach((highlightInfo, lineKey) => { if (highlightInfo.lineNumber === lineNumber) { elementIndex = highlightInfo.elementIndex; } }); } }); }); return { line: lineNumber, column: columnNumber, elementIndex: elementIndex }; } return null; } catch (error) { console.error('Error in extractLineInfoFromItem:', error); return null; } } // Split SQL text into individual statements by semicolon, handling quotes and comments function splitSQLStatements(sqlText) { const statements = []; let currentStatement = ''; let i = 0; let inSingleQuote = false; let inDoubleQuote = false; let inMultiLineComment = false; let inSingleLineComment = false; let statementStartPosition = 0; // Clean the SQL text first - remove zero-width characters and normalize sqlText = sqlText.replace(/[\u200B-\u200D\uFEFF]/g, ''); // Remove zero-width characters sqlText = sqlText.replace(/\u00A0/g, ' '); // Replace non-breaking spaces with regular spaces while (i < sqlText.length) { const char = sqlText[i]; const nextChar = i + 1 < sqlText.length ? sqlText[i + 1] : ''; // Handle multi-line comments /* */ if (!inSingleQuote && !inDoubleQuote && !inSingleLineComment) { if (char === '/' && nextChar === '*') { inMultiLineComment = true; currentStatement += char + nextChar; i += 2; continue; } } if (inMultiLineComment) { currentStatement += char; if (char === '*' && nextChar === '/') { inMultiLineComment = false; currentStatement += nextChar; i += 2; continue; } i++; continue; } // Handle single-line comments -- (improved to handle multiple dashes) if (!inSingleQuote && !inDoubleQuote && !inSingleLineComment) { if (char === '-' && nextChar === '-') { inSingleLineComment = true; currentStatement += char + nextChar; i += 2; continue; } } if (inSingleLineComment) { currentStatement += char; if (char === '\n' || char === '\r') { inSingleLineComment = false; } else if (char === ';') { // Special case: semicolon can end a single-line comment if there's no newline // This handles cases where SQL statements are on the same line inSingleLineComment = false; // Don't increment i here, let the semicolon be processed normally continue; } i++; continue; } // Handle string literals with escape sequence support if (!inMultiLineComment && !inSingleLineComment) { if (char === "'" && !inDoubleQuote) { // Check for escaped quote if (i > 0 && sqlText[i-1] === '\\') { currentStatement += char; i++; continue; } inSingleQuote = !inSingleQuote; currentStatement += char; i++; continue; } else if (char === '"' && !inSingleQuote) { // Check for escaped quote if (i > 0 && sqlText[i-1] === '\\') { currentStatement += char; i++; continue; } inDoubleQuote = !inDoubleQuote; currentStatement += char; i++; continue; } } // Handle semicolon (statement separator) if (!inSingleQuote && !inDoubleQuote && !inMultiLineComment && !inSingleLineComment && char === ';') { currentStatement += char; // Trim and add statement if it's not empty const trimmedStatement = currentStatement.trim(); if (trimmedStatement && trimmedStatement !== ';') { statements.push({ text: trimmedStatement, startPosition: statementStartPosition, endPosition: i + 1 }); } // Reset for next statement - skip whitespace after semicolon currentStatement = ''; i++; // Skip whitespace and newlines to find the start of next statement while (i < sqlText.length && /\s/.test(sqlText[i])) { i++; } statementStartPosition = i; continue; } // Normal character currentStatement += char; i++; } // Add the last statement if it exists (improved handling) const trimmedStatement = currentStatement.trim(); if (trimmedStatement) { statements.push({ text: trimmedStatement, startPosition: statementStartPosition, endPosition: sqlText.length }); } return statements; } // Remove SQL comments from text while preserving line structure function removeComments(sqlText) { let result = ''; let i = 0; let inSingleQuote = false; let inDoubleQuote = false; let inMultiLineComment = false; while (i < sqlText.length) { const char = sqlText[i]; const nextChar = i + 1 < sqlText.length ? sqlText[i + 1] : ''; // Handle string literals (don't process comments inside strings) if (!inMultiLineComment) { if (char === "'" && !inDoubleQuote) { inSingleQuote = !inSingleQuote; result += char; i++; continue; } else if (char === '"' && !inSingleQuote) { inDoubleQuote = !inDoubleQuote; result += char; i++; continue; } } // Skip comment processing if we're inside a string literal if (inSingleQuote || inDoubleQuote) { result += char; i++; continue; } // Handle multi-line comments /* */ if (!inMultiLineComment && char === '/' && nextChar === '*') { inMultiLineComment = true; result += ' '; // Replace with spaces to maintain positioning i += 2; continue; } if (inMultiLineComment) { if (char === '*' && nextChar === '/') { inMultiLineComment = false; result += ' '; // Replace with spaces i += 2; continue; } else if (char === '\n') { result += char; // Preserve line breaks i++; continue; } else { result += ' '; // Replace comment content with space i++; continue; } } // Handle single-line comments -- if (char === '-' && nextChar === '-') { // Replace everything from -- to end of line with spaces while (i < sqlText.length && sqlText[i] !== '\n') { result += ' '; i++; } // Don't increment i here as we want to process the \n normally continue; } // Normal character result += char; i++; } return result; } // Check if a TO_DATE function call matches safe patterns function isSafeToDatePattern(expression) { // Reset all regex patterns before testing SAFE_TO_DATE_PATTERNS.forEach(pattern => { pattern.lastIndex = 0; }); // Test against all safe patterns return SAFE_TO_DATE_PATTERNS.some(pattern => { pattern.lastIndex = 0; // Reset regex state return pattern.test(expression); }); } // Extract complete TO_DATE function call from text around a match position function extractToDateFunctionCall(text, matchIndex) { // Find the start of the function call let start = matchIndex; while (start > 0 && text[start - 1] !== ' ' && text[start - 1] !== '\t' && text[start - 1] !== '\n' && text[start - 1] !== '(' && text[start - 1] !== ',') { start--; } // Find the end of the function call by matching parentheses let parenCount = 0; let end = matchIndex; let foundOpenParen = false; // Move to the opening parenthesis while (end < text.length) { if (text[end] === '(') { foundOpenParen = true; parenCount++; end++; break; } else if (text[end] === ' ' || text[end] === '\t') { end++; } else { end++; } } if (!foundOpenParen) { return text.substring(start, Math.min(start + 50, text.length)); // Fallback } // Find the matching closing parenthesis while (end < text.length && parenCount > 0) { if (text[end] === '(') { parenCount++; } else if (text[end] === ')') { parenCount--; } end++; } return text.substring(start, end).trim(); } // Create regex patterns for detecting unsafe functions function createFunctionRegex(functionName) { // Handle special cases if (functionName === 'SIMILAR TO') { return new RegExp('\\bSIMILAR\\s+TO\\b', 'gi'); } if (functionName === 'TIME BETWEEN') { return new RegExp('\\bTIME\\s+BETWEEN\\b', 'gi'); } if (functionName === 'EXTRACT.*EPOCH') { return new RegExp('\\bEXTRACT\\s*\\([^)]*EPOCH[^)]*\\)', 'gi'); } // Handle POSITION function which can have different syntax: POSITION(x IN y) or POSITION(x,y) if (functionName === 'POSITION') { return new RegExp('\\bPOSITION\\s*\\(', 'gi'); } // Handle INTERVAL function - supports both INTERVAL(...) and INTERVAL 'value' formats if (functionName === 'INTERVAL') { return new RegExp('\\bINTERVAL\\s*(?:\\(|\'|\\d)', 'gi'); } // Handle :: type conversion patterns (e.g., ::DATE, ::TEXT, ::INTEGER) // Allow any non-whitespace character before :: to handle cases like (expression)::date if (functionName.startsWith('::')) { const typeName = functionName.substring(2); // Remove the :: return new RegExp('[^\\s]::\\s*' + typeName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\b', 'gi'); } // Standard function pattern: FUNCTION_NAME followed by opening parenthesis return new RegExp('\\b' + functionName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\s*\\(', 'gi'); } // Parse comparison expressions and extract only the left side (field being compared) function parseComparisonExpression(condition) { const leftSideExpressions = []; // First, remove any nested SELECT...FROM statements from the condition const cleanedCondition = removeNestedSelectStatements(condition); // Handle BETWEEN operator specially const betweenMatch = cleanedCondition.match(/^(.+?)\s+BETWEEN\s+/i); if (betweenMatch) { leftSideExpressions.push(betweenMatch[1].trim()); return leftSideExpressions; } // Handle IN operator with potential subqueries const inMatch = cleanedCondition.match(/^(.+?)\s+(?:NOT\s+)?IN\s*\(/i); if (inMatch) { leftSideExpressions.push(inMatch[1].trim()); return leftSideExpressions; } // Handle EXISTS operator (left side is empty for EXISTS) if (cleanedCondition.match(/^\s*(?:NOT\s+)?EXISTS\s*\(/i)) { return leftSideExpressions; // No left side for EXISTS } // Handle standard comparison operators (=, >, <, >=, <=, !=, <>) // Use a more robust approach to handle nested parentheses in complex expressions let parenDepth = 0; let inQuotes = false; let quoteChar = ''; let operatorIndex = -1; // Find the comparison operator at the top level (not inside parentheses or quotes) for (let i = 0; i < cleanedCondition.length; i++) { const char = cleanedCondition[i]; // Handle quotes (including escaped quotes) if ((char === '"' || char === "'") && !inQuotes) { inQuotes = true; quoteChar = char; } else if (char === quoteChar && inQuotes) { // Check if it's escaped if (i > 0 && cleanedCondition[i-1] === '\\') { continue; // Skip escaped quote } inQuotes = false; quoteChar = ''; } else if (!inQuotes) { // Handle parentheses if (char === '(') { parenDepth++; } else if (char === ')') { parenDepth--; } else if (parenDepth === 0) { // Check for comparison operators at top level const remaining = cleanedCondition.substring(i); // Include PostgreSQL regex operators: ~, ~*, !~, !~* // Also include LIKE, ILIKE, SIMILAR TO if (remaining.match(/^(>=|<=|<>|!=|!~\*|!~|~\*|~|>|<|=|\s+(?:NOT\s+)?(?:LIKE|ILIKE)\s+|\s+SIMILAR\s+TO\s+)/i)) { operatorIndex = i; break; } } } } if (operatorIndex !== -1) { const leftSide = cleanedCondition.substring(0, operatorIndex).trim(); if (leftSide) { leftSideExpressions.push(leftSide); } } return leftSideExpressions; } // Remove nested SELECT...FROM statements from a condition to avoid detecting unsafe functions within them function removeNestedSelectStatements(condition) { let result = condition; let changed = true; // Keep removing nested SELECT statements until no more are found while (changed) { changed = false; let parenDepth = 0; let inQuotes = false; let quoteChar = ''; let selectStart = -1; for (let i = 0; i < result.length; i++) { const char = result[i]; // Handle quotes if ((char === '"' || char === "'") && !inQuotes) { inQuotes = true; quoteChar = char; } else if (char === quoteChar && inQuotes) { if (i > 0 && result[i-1] === '\\') { continue; // Skip escaped quote } inQuotes = false; quoteChar = ''; } else if (!inQuotes) { // Handle parentheses if (char === '(') { parenDepth++; // Check if this starts a SELECT statement const remaining = result.substring(i + 1).trim(); if (remaining.match(/^SELECT\s+/i) && selectStart === -1) { selectStart = i; } } else if (char === ')') { parenDepth--; // If we're closing a SELECT statement if (selectStart !== -1 && parenDepth === 0) { // Replace the SELECT statement with placeholder const beforeSelect = result.substring(0, selectStart); const afterSelect = result.substring(i + 1); result = beforeSelect + '(SUBQUERY_PLACEHOLDER)' + afterSelect; changed = true; break; } } } } } return result; } // Split WHERE clause into individual conditions, handling nested parentheses function splitWhereConditions(whereClause) { const conditions = []; let current = ''; let parenDepth = 0; let inQuotes = false; let quoteChar = ''; for (let i = 0; i < whereClause.length; i++) { const char = whereClause[i]; const nextChars = whereClause.substr(i, 4).toUpperCase(); // Handle quotes if ((char === '"' || char === "'") && !inQuotes) { inQuotes = true; quoteChar = char; current += char; } else if (char === quoteChar && inQuotes) { inQuotes = false; quoteChar = ''; current += char; } else if (inQuotes) { current += char; } else { // Handle parentheses if (char === '(') { parenDepth++; current += char; } else if (char === ')') { parenDepth--; current += char; } else if (parenDepth === 0 && (nextChars === 'AND ' || nextChars === 'OR ')) { // Found AND/OR at top level if (current.trim()) { conditions.push(current.trim()); } current = ''; i += 3; // Skip past 'AND' or 'OR ' } else { current += char; } } } // Add the last condition if (current.trim()) { conditions.push(current.trim()); } return conditions; } // Remove SELECT...FROM portion of statement to reduce false positives function removeSelectFromPortion(statement) { // Remove SELECT...FROM between content, keep FROM and after return statement.replace(/SELECT[\s\S]*?FROM\s+/i, 'FROM '); } function extractCompleteWhereClauses(statement) { // Remove SELECT...FROM part to reduce false positives let cleanedStatement = removeSelectFromPortion(statement); // Use non-greedy matching to extract WHERE clauses const whereRegex = /\bWHERE\s+([\s\S]*?)(?=\s+(?:GROUP\s+BY|ORDER\s+BY|HAVING|LIMIT|OFFSET|UNION|INTERSECT|EXCEPT|;|$))/gi; const whereClauses = []; let match; while ((match = whereRegex.exec(cleanedStatement)) !== null) { const whereClause = match[1].trim(); if (whereClause) { const parts = splitAtUnmatchedParen(whereClause); whereClauses.push(...parts); } } return whereClauses; } // Helper function: Calculate statement line range boundaries function getStatementLineRange(statement, fullSqlText, lines) { try { // Strategy 1: Use character positions to find line boundaries const startPos = statement.startPosition; const endPos = statement.endPosition; let startLine = 1; let endLine = lines.length; let currentPos = 0; // Find start line by counting characters for (let i = 0; i < lines.length; i++) { const lineText = lines[i].textContent || ''; const lineLength = lineText.length + 1; // +1 for newline character if (currentPos <= startPos && currentPos + lineLength > startPos) { startLine = i + 1; } if (currentPos < endPos && currentPos + lineLength >= endPos) { endLine = i + 1; break; } currentPos += lineLength; } // Strategy 2: Fallback using content matching if position-based fails if (startLine === 1 && endLine === lines.length) { const statementLines = statement.text.split('\n'); const firstStatementLine = statementLines[0].trim(); const lastStatementLine = statementLines[statementLines.length - 1].trim(); if (firstStatementLine) { for (let i = 0; i < lines.length; i++) { const lineText = (lines[i].textContent || '').trim(); if (lineText.includes(firstStatementLine) || firstStatementLine.includes(lineText)) { startLine = i + 1; break; } } } if (lastStatementLine && lastStatementLine !== firstStatementLine) { for (let i = startLine - 1; i < lines.length; i++) { const lineText = (lines[i].textContent || '').trim(); if (lineText.includes(lastStatementLine) || lastStatementLine.includes(lineText)) { endLine = i + 1; break; } } } } // Ensure valid range startLine = Math.max(1, startLine); endLine = Math.min(lines.length, Math.max(startLine, endLine)); return { startLine, endLine }; } catch (error) { console.error('Error calculating statement line range:', error); // Fallback to full range return { startLine: 1, endLine: lines.length }; } } // Optimized function: Extract WHERE clauses with line number information (limited to statement range) function extractWhereClausesWithLineNumbers(statement, fullSqlText, lines) { const whereClauses = extractCompleteWhereClauses(statement.text); const clausesWithLineNumbers = []; // Get the line range for this statement to limit search scope const { startLine, endLine } = getStatementLineRange(statement, fullSqlText, lines); whereClauses.forEach(clause => { const clauseInfo = { text: clause, lineNumbers: [] }; // Only search within the statement's line range for better performance and accuracy for (let lineIndex = startLine - 1; lineIndex < endLine && lineIndex < lines.length; lineIndex++) { const line = lines[lineIndex]; const lineText = line.textContent || ''; const lineNumber = lineIndex + 1; // Check if this line belongs to the current statement and clause // Since we're already within the statement range, we can skip the expensive isLineInStatement check if (isLineMatchingClause(lineText, clause)) { clauseInfo.lineNumbers.push({ lineNumber: lineNumber, lineText: lineText.trim(), lineElement: line }); } } if (clauseInfo.lineNumbers.length > 0) { clausesWithLineNumbers.push(clauseInfo); } }); return clausesWithLineNumbers; } // Optimized function: Extract JOIN ON clauses with line number information (limited to statement range) function extractJoinOnClausesWithLineNumbers(statement, fullSqlText, lines) { const joinOnClauses = extractCompleteJoinOnClauses(statement.text); const clausesWithLineNumbers = []; // Get the line range for this statement to limit search scope const { startLine, endLine } = getStatementLineRange(statement, fullSqlText, lines); joinOnClauses.forEach(clause => { const clauseInfo = { text: clause, lineNumbers: [] }; // Only search within the statement's line range for better performance and accuracy for (let lineIndex = startLine - 1; lineIndex < endLine && lineIndex < lines.length; lineIndex++) { const line = lines[lineIndex]; const lineText = line.textContent || ''; const lineNumber = lineIndex + 1; // Check if this line belongs to the current statement and clause // Since we're already within the statement range, we can skip the expensive isLineInStatement check if (isLineMatchingClause(lineText, clause)) { clauseInfo.lineNumbers.push({ lineNumber: lineNumber, lineText: lineText.trim(), lineElement: line }); } } if (clauseInfo.lineNumbers.length > 0) { clausesWithLineNumbers.push(clauseInfo); } }); return clausesWithLineNumbers; } function splitAtUnmatchedParen(clause) { let results = []; let start = 0; let depth = 0; for (let i = 0; i < clause.length; i++) { const ch = clause[i]; if (ch === "(") { depth++; } else if (ch === ")") { if (depth === 0) { // find single ),end WHERE clause results.push(clause.slice(start, i).trim()); start = i + 1; } else { depth--; } } } const rest = clause.slice(start).trim(); if (rest) results.push(rest); return results; } // Extract complete JOIN ON clauses from a SQL statement using regex function extractCompleteJoinOnClauses(statement) { // Remove SELECT...FROM part to reduce false positives let cleanedStatement = removeSelectFromPortion(statement); //console.log(cleanedStatement); cleanedStatement = cleanedStatement.replace( /\b(LEFT\s+JOIN|RIGHT\s+JOIN|INNER\s+JOIN|JOIN)\s+([\s\S]*?)\s+ON\s+/gi, '$1 TABLE_PLACEHOLDER ON ' ); //console.log(cleanedStatement); // Match various JOIN...ON patterns const joinOnRegex = /\b(INNER\s+JOIN|LEFT\s+(?:OUTER\s+)?JOIN|RIGHT\s+(?:OUTER\s+)?JOIN|FULL\s+(?:OUTER\s+)?JOIN|CROSS\s+JOIN|JOIN)\s+[\w.]+(?:\s+AS\s+\w+)?\s+ON\s+([\s\S]*?)(?=\s+(?:INNER\s+JOIN|LEFT\s+JOIN|RIGHT\s+JOIN|FULL\s+JOIN|CROSS\s+JOIN|JOIN|WHERE|GROUP\s+BY|ORDER\s+BY|HAVING|LIMIT|UNION|;|$))/gi; const joinOnClauses = []; let match; while ((match = joinOnRegex.exec(cleanedStatement)) !== null) { const onCondition = match[2].trim(); if (onCondition) { joinOnClauses.push(onCondition); } } return joinOnClauses; } // Split clause into individual lines while preserving logical completeness function splitClauseIntoLines(clause) { if (!clause) return []; // Split by newlines first const rawLines = clause.split('\n'); const processedLines = []; rawLines.forEach(line => { const trimmedLine = line.trim(); // Skip empty lines and pure comment lines if (!trimmedLine || trimmedLine.startsWith('--')) { return; } // Remove inline comments but keep the main content const cleanedLine = trimmedLine.replace(/--.*$/, '').trim(); if (cleanedLine) { processedLines.push(cleanedLine); } }); return processedLines; } // Enhanced line matching with multiple strategies function isLineMatchingClause(lineText, clause) { const trimmedLine = lineText.trim(); if (!trimmedLine) return false; // Remove comments from the line for comparison const cleanedLine = trimmedLine.replace(/--.*$/, '').trim(); if (!cleanedLine) return false; const clauseLines = splitClauseIntoLines(clause); const filteredClauseLines = clauseLines.filter(line => line.length >= 5); /* // Strategy 1: Direct content matching in the complete clause if (clause.includes(trimmedLine) || clause.includes(cleanedLine)) { return true; } // Strategy 2: Normalized whitespace matching const normalizedLine = cleanedLine.replace(/\s+/g, ' '); const normalizedClause = clause.replace(/\s+/g, ' '); if (normalizedClause.includes(normalizedLine)) { return true; } // Strategy 3: Split clause into lines and check each line for (const clauseLine of clauseLines) { // Direct match if (clauseLine === cleanedLine || clauseLine === trimmedLine) { return true; } // Normalized match const normalizedClauseLine = clauseLine.replace(/\s+/g, ' '); if (normalizedClauseLine === normalizedLine) { return true; } // Partial match - check if the line is contained within a clause line if (clauseLine.includes(cleanedLine) || cleanedLine.includes(clauseLine)) { return true; } // Handle cases where the line might be a subset of a larger expression // For example, line: "user_id = 123" and clauseLine: "AND user_id = 123" if (clauseLine.includes(cleanedLine) && (clauseLine.startsWith('AND ') || clauseLine.startsWith('OR ') || clauseLine.endsWith(' AND') || clauseLine.endsWith(' OR'))) { return true; } }*/ // Strategy 4: Reverse check - see if any clause line is contained in the current line // This handles cases where the line has extra content like comments //console.log(`cleanedLine: ${cleanedLine}`); for (const clauseLine of filteredClauseLines) { if (cleanedLine.includes(clauseLine)) { return true; } } return false; } // Check if a line is within a complete WHERE clause function isLineInCompleteWhereClause(lineText, whereClauses) { const trimmedLine = lineText.trim(); if (!trimmedLine) return false; return whereClauses.some(whereClause => { return isLineMatchingClause(lineText, whereClause); }); } // Check if a line is within a complete JOIN ON clause function isLineInCompleteJoinOnClause(lineText, joinOnClauses) { const trimmedLine = lineText.trim(); if (!trimmedLine) return false; return joinOnClauses.some(joinOnClause => { return isLineMatchingClause(lineText, joinOnClause); }); } // Detect unsafe functions in SQL text (in WHERE and JOIN ON clauses) with accurate line numbers function detectUnsafeFunctions(sqlText, codeMirrorElement = null) { const detected = {}; if (!codeMirrorElement) { return detected; } // Step 1: Split SQL text into individual statements const sqlStatements = splitSQLStatements(sqlText); console.log(`Split SQL into ${sqlStatements.length} statements:`, sqlStatements.map(s => s.text.substring(0, 50) + '...')); // Debug log // Get all CodeMirror lines const lines = codeMirrorElement.querySelectorAll('.CodeMirror-line'); // Step 2: Process each SQL statement separately sqlStatements.forEach((statement, statementIndex) => { // Check if this statement contains any WHERE or JOIN ON patterns const hasRelevantClauses = /\b(WHERE|JOIN[\s\S]*?ON)\b/gi.test(statement.text); if (!hasRelevantClauses) { return; // No relevant clauses found in this statement } // Extract WHERE and JOIN ON clauses with line number information const whereClausesWithLines = extractWhereClausesWithLineNumbers(statement, sqlText, lines); const joinOnClausesWithLines = extractJoinOnClausesWithLineNumbers(statement, sqlText, lines); console.log(`Statement ${statementIndex + 1}: Found ${whereClausesWithLines.length} WHERE clauses and ${joinOnClausesWithLines.length} JOIN ON clauses`); // Process WHERE clauses whereClausesWithLines.forEach(clauseInfo => { clauseInfo.lineNumbers.forEach(lineInfo => { // Remove comments from the line before processing const cleanedLineText = removeComments(lineInfo.lineText); // For WHERE clauses: extract only left-side expressions const expressionsToCheck = extractLeftSideExpressionsFromLine(cleanedLineText); // Check each expression for unsafe functions expressionsToCheck.forEach(expression => { Object.entries(UNSAFE_FUNCTIONS).forEach(([category, functions]) => { functions.forEach(functionName => { const regex = createFunctionRegex(functionName); let match; regex.lastIndex = 0; // Reset regex while ((match = regex.exec(expression)) !== null) { // Special handling for TO_DATE function - check if it matches safe patterns if (functionName === 'TO_DATE') { // Extract the complete TO_DATE function call const toDateCall = extractToDateFunctionCall(expression, match.index); // Check if this TO_DATE call matches any safe patterns if (isSafeToDatePattern(toDateCall)) { //console.log(`Skipping safe TO_DATE pattern: ${toDateCall}`); continue; // Skip this detection as it's a safe pattern } } if (!detected[category]) { detected[category] = []; } // Calculate the actual column position in the original line const expressionStartInLine = cleanedLineText.indexOf(expression); const actualColumn = expressionStartInLine >= 0 ? expressionStartInLine + match.index + 1 : match.index + 1; detected[category].push({ function: functionName, line: lineInfo.lineNumber, column: actualColumn, context: lineInfo.lineText, // Keep original line text for context display statementIndex: statementIndex // Track which statement this detection belongs to }); } }); }); }); }); }); // Process JOIN ON clauses joinOnClausesWithLines.forEach(clauseInfo => { clauseInfo.lineNumbers.forEach(lineInfo => { // Remove comments from the line before processing const cleanedLineText = removeComments(lineInfo.lineText); // For JOIN ON clauses: check the entire line for unsafe functions const expressionsToCheck = [cleanedLineText]; // Check each expression for unsafe functions expressionsToCheck.forEach(expression => { Object.entries(UNSAFE_FUNCTIONS).forEach(([category, functions]) => { functions.forEach(functionName => { const regex = createFunctionRegex(functionName); let match; regex.lastIndex = 0; // Reset regex while ((match = regex.exec(expression)) !== null) { // Special handling for TO_DATE function - check if it matches safe patterns if (functionName === 'TO_DATE') { // Extract the complete TO_DATE function call const toDateCall = extractToDateFunctionCall(expression, match.index); // Check if this TO_DATE call matches any safe patterns if (isSafeToDatePattern(toDateCall)) { //console.log(`Skipping safe TO_DATE pattern: ${toDateCall}`); continue; // Skip this detection as it's a safe pattern } } if (!detected[category]) { detected[category] = []; } // Calculate the actual column position in the original line const expressionStartInLine = cleanedLineText.indexOf(expression); const actualColumn = expressionStartInLine >= 0 ? expressionStartInLine + match.index + 1 : match.index + 1; detected[category].push({ function: functionName, line: lineInfo.lineNumber, column: actualColumn, context: lineInfo.lineText, // Keep original line text for context display statementIndex: statementIndex // Track which statement this detection belongs to }); } }); }); }); }); }); }); return detected; } // Check if a line belongs to a specific SQL statement using improved content matching function isLineInStatement(lineText, fullSqlText, statement) { const trimmedLineText = lineText.trim(); if (!trimmedLineText) return false; // Strategy 1: Check if the line content exists within the statement text if (statement.text.includes(trimmedLineText)) { return true; } // Strategy 2: Try normalized whitespace matching within the statement const normalizedLine = trimmedLineText.replace(/\s+/g, ' '); const normalizedStatement = statement.text.replace(/\s+/g, ' '); if (normalizedStatement.includes(normalizedLine)) { return true; } // Strategy 3: Check for partial matches with key SQL keywords from the line const sqlKeywords = ['SELECT', 'FROM', 'WHERE', 'JOIN', 'ON', 'AND', 'OR', 'CREATE', 'INSERT', 'UPDATE', 'DELETE']; const lineKeywords = sqlKeywords.filter(keyword => trimmedLineText.toUpperCase().includes(keyword)); if (lineKeywords.length > 0) { // If the line contains SQL keywords, check if those keywords exist in the statement const hasMatchingKeywords = lineKeywords.every(keyword => statement.text.toUpperCase().includes(keyword) ); if (hasMatchingKeywords) { return true; } } // Strategy 4: Fallback to position-based matching (improved) let lineIndex = fullSqlText.indexOf(trimmedLineText); if (lineIndex === -1) { lineIndex = fullSqlText.replace(/\s+/g, ' ').indexOf(normalizedLine); } if (lineIndex !== -1) { const inRange = lineIndex >= statement.startPosition && lineIndex < statement.endPosition; return inRange; } return false; } // Extract left-side expressions from a single line of SQL function extractLeftSideExpressionsFromLine(lineText) { const leftSideExpressions = []; // Split the line by common logical operators while preserving the structure const conditions = splitLineConditions(lineText); conditions.forEach(condition => { // Check if condition contains comparison operators (including regex operators) if (/[=<>~]|BETWEEN/i.test(condition)) { // Parse the comparison and extract only the left side const leftSides = parseComparisonExpression(condition); leftSideExpressions.push(...leftSides); } }); return leftSideExpressions; } // Split a line into individual conditions, similar to splitWhereConditions but for single lines function splitLineConditions(lineText) { const conditions = []; let current = ''; let parenDepth = 0; let inQuotes = false; let quoteChar = ''; for (let i = 0; i < lineText.length; i++) { const char = lineText[i]; const nextChars = lineText.substr(i, 4).toUpperCase(); // Handle quotes if ((char === '"' || char === "'") && !inQuotes) { inQuotes = true; quoteChar = char; current += char; } else if (char === quoteChar && inQuotes) { inQuotes = false; quoteChar = ''; current += char; } else if (inQuotes) { current += char; } else { // Handle parentheses if (char === '(') { parenDepth++; current += char; } else if (char === ')') { parenDepth--; current += char; } else if (parenDepth === 0 && (nextChars === 'AND ' || nextChars === 'OR ')) { // Found AND/OR at top level if (current.trim()) { conditions.push(current.trim()); } current = ''; i += 3; // Skip past 'AND' or 'OR ' } else { current += char; } } } // Add the last condition if (current.trim()) { conditions.push(current.trim()); } // If no conditions were found, return the entire line as a single condition if (conditions.length === 0 && lineText.trim()) { conditions.push(lineText.trim()); } return conditions; } // Create summary panel function createSummaryPanel() { if (panel) { panel.remove(); } panel = document.createElement('div'); panel.className = 'unsafe-function-panel'; panel.style.display = panelVisible ? 'block' : 'none'; const header = document.createElement('div'); header.className = 'unsafe-function-panel-header'; header.innerHTML = ` <span>Unsafe Functions</span> <button class="close-btn" onclick="this.parentElement.parentElement.style.display='none'">×</button> `; const content = document.createElement('div'); content.className = 'unsafe-function-panel-content'; const hasDetections = Object.keys(detectedFunctions).length > 0; if (!hasDetections) { content.innerHTML = '<div class="no-unsafe-functions">No unsafe functions detected in SQL queries.</div>'; } else { Object.entries(detectedFunctions).forEach(([category, functions]) => { const categoryDiv = document.createElement('div'); categoryDiv.className = 'unsafe-function-category'; const titleDiv = document.createElement('div'); titleDiv.className = 'unsafe-function-category-title'; titleDiv.textContent = `${category} (${functions.length})`; categoryDiv.appendChild(titleDiv); functions.forEach(func => { const itemDiv = document.createElement('div'); itemDiv.className = 'unsafe-function-item'; itemDiv.innerHTML = ` <strong>${func.function}</strong> at line ${func.line}:${func.column}<br> <small>${func.context}</small> `; categoryDiv.appendChild(itemDiv); }); content.appendChild(categoryDiv); }); } panel.appendChild(header); panel.appendChild(content); document.body.appendChild(panel); // Set up click handlers for jump-to-line functionality (non-intrusive addition) setupSummaryClickHandlers(); } // Create toggle button function createToggleButton() { if (toggleBtn) { toggleBtn.remove(); } toggleBtn = document.createElement('button'); toggleBtn.className = 'toggle-btn'; toggleBtn.textContent = 'Unsafe Functions Detector'; toggleBtn.title = 'Built by ARTS DE' toggleBtn.onclick = () => { panelVisible = !panelVisible; if (panel) { panel.style.display = panelVisible ? 'block' : 'none'; } if (panelVisible) { scanForUnsafeFunctions(); } }; document.body.appendChild(toggleBtn); } // Extract SQL text from CodeMirror element, excluding gutter content function extractSQLText(codeMirrorElement) { // Get all CodeMirror-line elements directly from the original element const lines = codeMirrorElement.querySelectorAll('.CodeMirror-line'); // Extract text from each line and join with newlines to preserve line structure const lineTexts = []; lines.forEach(line => { const lineText = line.textContent || line.innerText || ''; lineTexts.push(lineText); }); // Join lines with newline characters to maintain proper word boundaries return lineTexts.join('\n'); } // Clear existing CSS-only highlights function clearCSSHighlights() { // Remove existing highlight stylesheet if (highlightStyleSheet) { highlightStyleSheet.remove(); highlightStyleSheet = null; } // Remove ALL highlight classes and data attributes from ALL CodeMirror lines const allLines = document.querySelectorAll('.CodeMirror-line'); allLines.forEach(line => { line.classList.remove('has-unsafe-function'); line.removeAttribute('data-unsafe-function'); }); // Remove data attributes from CodeMirror elements const codeMirrorElements = document.querySelectorAll('.CodeMirror-scroll'); codeMirrorElements.forEach(element => { element.removeAttribute('data-unsafe-functions'); }); // Force remove any remaining highlight styles by creating an empty stylesheet const cleanupStyleSheet = document.createElement('style'); cleanupStyleSheet.id = 'unsafe-function-cleanup'; cleanupStyleSheet.textContent = ` .CodeMirror-line { background-color: transparent !important; border-left: none !important; padding-left: 0 !important; } .CodeMirror-line::after { display: none !important; } `; document.head.appendChild(cleanupStyleSheet); // Remove cleanup stylesheet after a brief moment setTimeout(() => { if (cleanupStyleSheet && cleanupStyleSheet.parentNode) { cleanupStyleSheet.remove(); } }, 100); } // Apply robust highlighting with persistence and text selectability function applyCSSOnlyHighlighting(codeMirrorElement, elementIndex) { const fullSqlText = extractSQLText(codeMirrorElement); if (!fullSqlText) return; ////console.log('Full SQL Text:', fullSqlText.substring(0, 200) + '...'); // Debug log // Use the SAME logic as detectUnsafeFunctions to ensure consistency const detectedFunctions = detectUnsafeFunctions(fullSqlText, codeMirrorElement); ////console.log('Detection results:', detectedFunctions); // Debug log // If no unsafe functions detected, don't highlight anything if (Object.keys(detectedFunctions).length === 0) { ////console.log('No unsafe functions detected - skipping highlighting'); // Debug log return; } // Find all text nodes within CodeMirror lines const lines = codeMirrorElement.querySelectorAll('.CodeMirror-line'); // Clear previous highlight tracking for this element highlightedLines.clear(); // Split SQL into statements to get statement-specific clause ranges const sqlStatements = splitSQLStatements(fullSqlText); ////console.log(`Highlighting: Split SQL into ${sqlStatements.length} statements`); // Debug log // Directly highlight lines based on detection results Object.entries(detectedFunctions).forEach(([category, functions]) => { functions.forEach(func => { ////console.log(`Highlighting function: ${func.function} at line ${func.line} (statement ${func.statementIndex + 1})`); // Debug log // Find the specific line by line number (func.line is 1-based, array is 0-based) const targetLineIndex = func.line - 1; if (targetLineIndex >= 0 && targetLineIndex < lines.length) { const line = lines[targetLineIndex]; const lineText = line.textContent || ''; // Get the statement this function belongs to const statement = sqlStatements[func.statementIndex]; if (!statement) { ////console.log(`Statement ${func.statementIndex} not found, skipping highlight`); // Debug log return; } // Verify this line contains the function and is in relevant clause of the correct statement const cleanedLineText = removeComments(lineText); const functionRegex = createFunctionRegex(func.function); // Extract complete WHERE and JOIN ON clauses for this statement const whereClauses = extractCompleteWhereClauses(statement.text); const joinOnClauses = extractCompleteJoinOnClauses(statement.text); if (functionRegex.test(cleanedLineText) && isLineInStatement(lineText, fullSqlText, statement) && isLineInRelevantClause(lineText, statement.text, statement, whereClauses, joinOnClauses)) { ////console.log(`Highlighting line ${func.line}: ${lineText.trim()} for function: ${func.function}`); // Debug log // Apply both CSS class and inline styles for maximum persistence line.classList.add('has-unsafe-function'); // Apply inline styles that are harder to override line.style.setProperty('background-color', 'rgba(255, 235, 59, 0.3)', 'important'); line.style.setProperty('border-left', '3px solid #ff9800', 'important'); line.style.setProperty('padding-left', '5px', 'important'); line.style.setProperty('user-select', 'text', 'important'); line.style.setProperty('-webkit-user-select', 'text', 'important'); line.style.setProperty('-moz-user-select', 'text', 'important'); line.style.setProperty('-ms-user-select', 'text', 'important'); // Store multiple functions if they exist on the same line const existingFunctions = line.getAttribute('data-unsafe-function') || ''; const functionList = existingFunctions ? existingFunctions.split(',') : []; if (!functionList.includes(func.function)) { functionList.push(func.function); line.setAttribute('data-unsafe-function', functionList.join(',')); } // Store highlight information for persistence tracking const lineKey = `${elementIndex}-${func.line}`; highlightedLines.set(lineKey, { element: line, functions: functionList, lineNumber: func.line, elementIndex: elementIndex }); } else { ////console.log(`Skipping highlight for line ${func.line}: function test=${functionRegex.test(cleanedLineText)}, inStatement=${isLineInStatement(lineText, fullSqlText, statement)}, inRelevantClause=${isLineInRelevantClause(lineText, statement.text, null)}`); // Debug log } } }); }); // Generate CSS rules for highlighting generateHighlightCSS(); // Start highlight protection if not already running startHighlightProtection(); } // Note: findRelevantClauseRanges method removed - we now use semantic detection // instead of position-based range matching for better accuracy and maintainability // Check if a line is within a relevant clause (WHERE or JOIN ON) using content-based semantic detection function isLineInRelevantClause(lineText, fullSqlText, statement, whereClauses, joinOnClauses) { const cleanedLineText = removeComments(lineText.trim()); if (!cleanedLineText) return false; // Method 1: Complete clause matching (more accurate) if (whereClauses && isLineInCompleteWhereClause(lineText, whereClauses)) { return true; } if (joinOnClauses && isLineInCompleteJoinOnClause(lineText, joinOnClauses)) { return true; } // Method 2: Fallback to semantic detection if (isWhereConditionLine(cleanedLineText)) { return true; } if (isJoinOnConditionLine(cleanedLineText)) { return true; } return false; } // Check if a line contains WHERE condition expressions function isWhereConditionLine(lineText) { const upperLineText = lineText.toUpperCase(); // Skip if this looks like a SELECT statement or FROM clause if (upperLineText.includes('SELECT ') || upperLineText.includes('FROM ')) { // But allow if it's clearly a WHERE condition with SELECT in a subquery if (!upperLineText.includes('WHERE ')) { return false; } } // Skip if this is obviously a JOIN ON context if (isObviousJoinOnContext(lineText)) { return false; } // Skip if this is part of a CASE expression if (isCaseExpressionLine(lineText)) { return false; } // Skip if this is part of CREATE TABLE or other DDL statements if (isDDLContextLine(lineText)) { return false; } // Check for comparison operators const hasComparisonOperators = /[=<>!~]|BETWEEN|IN\s*\(|EXISTS\s*\(|LIKE|ILIKE|SIMILAR\s+TO/i.test(lineText); // Check for logical operators (but not in SELECT context) const hasLogicalOperators = /\b(AND|OR)\b/i.test(lineText) && !upperLineText.includes('SELECT '); // Check for WHERE keyword const hasWhereKeyword = /\bWHERE\b/i.test(lineText); // Check for common WHERE condition patterns const hasConditionPatterns = /\b(TRUNC|TO_DATE|EXTRACT|DATE_PART|CAST)\s*\(/i.test(lineText); const isWhereCondition = hasComparisonOperators || hasLogicalOperators || hasWhereKeyword || hasConditionPatterns; return isWhereCondition; } // Check if a line is obviously in JOIN ON context function isObviousJoinOnContext(lineText) { const upperLineText = lineText.toUpperCase(); // Direct JOIN keywords with ON in the same line if (/\b(INNER\s+JOIN|LEFT\s+(?:OUTER\s+)?JOIN|RIGHT\s+(?:OUTER\s+)?JOIN|FULL\s+(?:OUTER\s+)?JOIN|CROSS\s+JOIN|JOIN)\b.*\bON\b/i.test(lineText)) { return true; } // Lines that start with JOIN keywords if (/^\s*(INNER\s+JOIN|LEFT\s+(?:OUTER\s+)?JOIN|RIGHT\s+(?:OUTER\s+)?JOIN|FULL\s+(?:OUTER\s+)?JOIN|CROSS\s+JOIN|JOIN)\b/i.test(lineText)) { return true; } // Lines that contain table.column = table.column patterns (typical JOIN conditions) // This pattern is more specific than general comparisons and strongly suggests JOIN context if (/\b\w+\.\w+\s*[=<>!]\s*\w+\.\w+\b/i.test(lineText)) { // Additional check: if the line also contains JOIN or ON keywords, it's definitely JOIN context if (/\b(JOIN|ON)\b/i.test(lineText)) { return true; } // Even without explicit JOIN/ON keywords, table.column = table.column is typically JOIN // But be more conservative - only if it doesn't contain WHERE keyword if (!upperLineText.includes('WHERE')) { return true; } } return false; } // Check if a line is part of a CASE expression function isCaseExpressionLine(lineText) { const upperLineText = lineText.toUpperCase().trim(); // Direct CASE keywords if (/\b(CASE|WHEN|THEN|ELSE|END)\b/i.test(lineText)) { return true; } // Lines that are likely part of CASE expression context // Look for patterns like "WHEN condition" or "AND condition" following CASE if (/^\s*(WHEN\s+|AND\s+|OR\s+).*[=<>!~]/i.test(lineText)) { return true; } // Lines with comparison operators that start with logical operators (likely CASE conditions) if (/^\s*(AND|OR)\s+.*[=<>!~]/i.test(lineText)) { return true; } return false; } // Check if a line is in DDL (Data Definition Language) context function isDDLContextLine(lineText) { const upperLineText = lineText.toUpperCase(); // DDL statement keywords if (/\b(CREATE\s+TABLE|ALTER\s+TABLE|DROP\s+TABLE|CREATE\s+INDEX|CREATE\s+VIEW)\b/i.test(lineText)) { return true; } // Column definition patterns in CREATE TABLE if (/\b(DISTKEY|SORTKEY|ENCODE|NOT\s+NULL|PRIMARY\s+KEY|FOREIGN\s+KEY)\b/i.test(lineText)) { return true; } // Table constraint patterns if (/^\s*--.*\b(table|column|constraint)\b/i.test(lineText)) { return true; } return false; } // Check if a line contains JOIN ON condition expressions function isJoinOnConditionLine(lineText) { const upperLineText = lineText.toUpperCase(); // Check for JOIN ON keywords const hasJoinOnKeywords = /\b(JOIN|ON)\b/i.test(lineText); // Check for table join patterns (table.column = table.column) const hasJoinPatterns = /\w+\.\w+\s*[=<>!]\s*\w+\.\w+/i.test(lineText); // Check for comparison operators in JOIN context const hasComparisonInJoin = hasJoinOnKeywords && /[=<>!~]/i.test(lineText); const isJoinOnCondition = hasJoinOnKeywords || hasJoinPatterns || hasComparisonInJoin; return isJoinOnCondition; } // Generate dynamic CSS rules for highlighting unsafe functions function generateHighlightCSS() { // Remove existing highlight stylesheet if (highlightStyleSheet) { highlightStyleSheet.remove(); } // Create new stylesheet for highlights highlightStyleSheet = document.createElement('style'); highlightStyleSheet.id = 'unsafe-function-highlights'; // Create CSS rules that highlight lines containing unsafe functions let cssRules = ` .CodeMirror-line.has-unsafe-function { background: linear-gradient(135deg, rgba(245, 158, 11, 0.15) 0%, rgba(251, 191, 36, 0.1) 100%) !important; border-left: 4px solid #f59e0b !important; padding-left: 8px !important; user-select: text !important; -webkit-user-select: text !important; -moz-user-select: text !important; -ms-user-select: text !important; position: relative !important; transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1) !important; } .CodeMirror-line.has-unsafe-function:hover { background: linear-gradient(135deg, rgba(245, 158, 11, 0.25) 0%, rgba(251, 191, 36, 0.2) 100%) !important; border-left-color: #d97706 !important; box-shadow: 0 2px 4px -1px rgba(0, 0, 0, 0.1), 0 1px 2px -1px rgba(0, 0, 0, 0.06) !important; } `; // Add specific highlighting for each unsafe function type ALL_UNSAFE_FUNCTIONS.forEach(functionName => { const escapedName = functionName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); cssRules += ` .CodeMirror-line[data-unsafe-function*="${functionName}"] { position: relative; } .CodeMirror-line[data-unsafe-function*="${functionName}"]::after { content: "⚠️ ${functionName}"; position: absolute; right: 12px; top: 50%; transform: translateY(-50%); background: linear-gradient(135deg, #dc2626 0%, #b91c1c 100%); color: white; padding: 3px 8px; border-radius: 6px; font-size: 11px; font-weight: 600; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; pointer-events: none; z-index: 10; box-shadow: 0 2px 4px -1px rgba(0, 0, 0, 0.1), 0 1px 2px -1px rgba(0, 0, 0, 0.06); opacity: 0.9; transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1); } .CodeMirror-line[data-unsafe-function*="${functionName}"]:hover::after { opacity: 1; transform: translateY(-50%) scale(1.05); } `; }); highlightStyleSheet.textContent = cssRules; document.head.appendChild(highlightStyleSheet); } // Main scanning function function scanForUnsafeFunctions() { if (isScanning) { return; // Prevent concurrent scans } isScanning = true; detectedFunctions = {}; try { // Clear existing CSS highlights clearCSSHighlights(); // Find all CodeMirror-scroll elements (top-level containers only to avoid duplicate scanning) const codeMirrorElements = document.querySelectorAll('.CodeMirror-scroll'); codeMirrorElements.forEach((element, index) => { const sqlText = extractSQLText(element); if (sqlText && sqlText.trim()) { // Pass the CodeMirror element to detectUnsafeFunctions for accurate line numbers const detected = detectUnsafeFunctions(sqlText, element); // Merge detected functions with comprehensive deduplication Object.entries(detected).forEach(([category, functions]) => { if (!detectedFunctions[category]) { detectedFunctions[category] = []; } // Add all functions from this element functions.forEach(func => { detectedFunctions[category].push(func); }); }); // Apply CSS-only highlighting to WHERE/AND clauses only applyCSSOnlyHighlighting(element, index); } }); // Apply comprehensive deduplication to the final results detectedFunctions = deduplicateDetections(detectedFunctions); createSummaryPanel(); } finally { isScanning = false; } } // Highlight protection system - restores lost highlights function startHighlightProtection() { if (highlightProtectionInterval) { return; // Already running } highlightProtectionInterval = setInterval(() => { if (!panelVisible || highlightedLines.size === 0) { return; } // Check each highlighted line and restore if needed highlightedLines.forEach((highlightInfo, lineKey) => { const { element, functions, lineNumber, elementIndex } = highlightInfo; // Check if element still exists in DOM if (!document.contains(element)) { highlightedLines.delete(lineKey); return; } // Check if highlight styles are still applied const hasClass = element.classList.contains('has-unsafe-function'); const hasInlineStyle = element.style.backgroundColor && element.style.backgroundColor.includes('255, 235, 59'); if (!hasClass || !hasInlineStyle) { // Restore CSS class element.classList.add('has-unsafe-function'); // Restore inline styles element.style.setProperty('background-color', 'rgba(255, 235, 59, 0.3)', 'important'); element.style.setProperty('border-left', '3px solid #ff9800', 'important'); element.style.setProperty('padding-left', '5px', 'important'); element.style.setProperty('user-select', 'text', 'important'); element.style.setProperty('-webkit-user-select', 'text', 'important'); element.style.setProperty('-moz-user-select', 'text', 'important'); element.style.setProperty('-ms-user-select', 'text', 'important'); // Restore data attribute element.setAttribute('data-unsafe-function', functions.join(',')); } }); }, 500); // Check every 500ms } // Handle click events on CodeMirror lines to prevent highlight loss function setupClickProtection() { document.addEventListener('click', function(event) { const clickedLine = event.target.closest('.CodeMirror-line'); if (clickedLine && clickedLine.classList.contains('has-unsafe-function')) { // Schedule highlight restoration after a short delay setTimeout(() => { if (clickedLine.classList.contains('has-unsafe-function')) { // Ensure inline styles are still applied clickedLine.style.setProperty('background-color', 'rgba(255, 235, 59, 0.3)', 'important'); clickedLine.style.setProperty('border-left', '3px solid #ff9800', 'important'); clickedLine.style.setProperty('padding-left', '5px', 'important'); clickedLine.style.setProperty('user-select', 'text', 'important'); clickedLine.style.setProperty('-webkit-user-select', 'text', 'important'); clickedLine.style.setProperty('-moz-user-select', 'text', 'important'); clickedLine.style.setProperty('-ms-user-select', 'text', 'important'); } }, 50); } }, true); // Use capture phase to catch events early } // Debounced scan function function debouncedScan() { if (scanTimeout) { clearTimeout(scanTimeout); } scanTimeout = setTimeout(() => { if (panelVisible && !isScanning) { scanForUnsafeFunctions(); } }, 300); } // Initialize the script function initialize() { createToggleButton(); setupClickProtection(); } // Wait for page to be ready if (document.readyState === 'loading') { document.addEventListener('DOMContentLoaded', initialize); } else { initialize(); } })();
