import { Request, Response } from 'express';
import { sequelize } from '../config/database';
import { QueryTypes } from 'sequelize';
import { errorResponse, successResponse } from '../utils/response';
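/**
 * Statement shapes that `executeQuery` refuses to run.
 *
 * This list is a guard-rail against accidental destructive statements. It is
 * not an authorization boundary: keyword matching cannot reliably classify
 * SQL, so whatever passes this list runs with the full privileges of the
 * connection behind `sequelize`. What a caller may do has to be limited by
 * who can reach the route and by the grants of the database account.
 */
const FORBIDDEN_PATTERNS: readonly RegExp[] = [
  // Any DROP, not only DROP TABLE.
  /DROP\s+/i,
  /ALTER\s+/i,
  // TRUNCATE empties a table just like the unbounded DELETE rejected below.
  /TRUNCATE\s+/i,
  // DELETE with nothing after the table name (no WHERE clause). The optional
  // whitespace keeps padding after the table name from defeating the check.
  /DELETE\s+FROM\s+[^\s]+\s*(;|$)/i,
];

/**
 * Executes the SQL string sent in `req.body.query` via `sequelize.query`
 * using `QueryTypes.RAW` and returns the raw result to the caller.
 *
 * Responses:
 * - 400 when `query` is missing, not a string, or blank
 * - 403 when the statement matches one of `FORBIDDEN_PATTERNS`
 * - 500 when execution throws (the error is logged, not returned)
 *
 * NOTE(review): no authentication or authorization check is visible in this
 * handler. Confirm the route is mounted behind admin-only middleware and that
 * the database account it uses holds only the privileges this feature needs.
 *
 * @param req Express request; the SQL text is read from `req.body.query`.
 * @param res Express response, written through the shared response helpers.
 */
export const executeQuery = async (req: Request, res: Response) => {
  try {
    const { query } = req.body;

    if (!query || typeof query !== 'string') {
      return errorResponse(res, 'Query is required and must be a string', 400);
    }

    // Validate and execute the same normalised text so the statement that is
    // checked is exactly the statement that runs.
    const sql = query.trim();
    if (sql.length === 0) {
      return errorResponse(res, 'Query is required and must be a string', 400);
    }

    if (FORBIDDEN_PATTERNS.some((pattern) => pattern.test(sql))) {
      return errorResponse(res, 'Query contains forbidden operations', 403);
    }

    const result = await sequelize.query(sql, { type: QueryTypes.RAW });

    return successResponse(res, result, 'Query executed successfully');
  } catch (error) {
    // Log server-side only; the client gets a generic message so database
    // error details are not exposed in the response.
    console.error(error);
    return errorResponse(res, 'Failed to execute query', 500);
  }
};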