Conversation

@TaprootFreak
Collaborator

Summary

  • Add new DEBUG user role for developer database access
  • Add POST /gs/debug endpoint for executing read-only SQL queries
  • Automatic filtering of sensitive PII columns (mail, name, iban, address, etc.)

Changes

  • UserRole.DEBUG added to role enum
  • DEBUG role hierarchy (ADMIN/SUPER_ADMIN can access)
  • executeDebugQuery() method with SQL validation and column blacklist
  • New DebugQueryDto for request validation

Security

Layer | Protection
Auth  | RoleGuard(UserRole.DEBUG) - only DEBUG/ADMIN/SUPER_ADMIN
SQL   | Only SELECT allowed, dangerous keywords blocked
PII   | Sensitive columns automatically removed from results

Blocked Columns

mail, email, firstname, surname, name, street, zip, phone, birthday, tin, iban, ip, etc.

Usage

curl -X POST https://api.dfx.swiss/gs/debug \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"sql": "SELECT * FROM buy_crypto WHERE id = 12345"}'

@Yannick1712 (Member)

@TaprootFreak force-pushed the feature/debug-endpoint branch 4 times, most recently from fc86ace to 6495c2d on December 31, 2025 12:08
Add new DEBUG user role for developer database access with POST /gs/debug
endpoint for executing read-only SQL queries.

Security layers:
- Role-based access (DEBUG/ADMIN/SUPER_ADMIN only)
- SQL parsing with node-sql-parser (AST validation)
- Only single SELECT statements allowed
- Blocked: UNION/INTERSECT/EXCEPT, SELECT INTO, FOR XML/JSON
- Blocked: OPENROWSET, OPENQUERY, OPENDATASOURCE (external connections)
- Pre-execution column checking (blocks alias bypass)
- Input validation with MaxLength(10000)
- Post-execution PII column masking (defense in depth)
- Full audit trail with user identification

Blocked columns: mail, email, firstname, surname, iban, ip, apiKey, etc.
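The guard layers listed in the PR description and in the commit message above, as an added, self-contained TypeScript sketch that is not the dfx-api project's code. It substitutes a small tokenizer for the node-sql-parser AST validation the PR actually uses (an assumption made so the example runs offline) and shows why the two column checks complement each other: the pre-execution check rejects a blocked column wherever it appears, so an alias cannot hide it, while the post-execution masking catches columns that only surface once `SELECT *` is expanded. The blocked-column and blocked-keyword lists are taken from the PR text ("etc." is not expanded); `validateDebugQuery`, `maskPiiColumns` and `tokenize` are names chosen here.

```typescript
// Added illustration of the DEBUG-endpoint guard described in the PR; not project code.
// The real endpoint validates an AST from node-sql-parser; the tokenizer below is a
// stand-in assumption so that the example runs without dependencies.

const MAX_QUERY_LENGTH = 10000; // mirrors the MaxLength(10000) input validation

// Columns the DEBUG role must never see (names taken from the PR text).
const DEBUG_BLOCKED_COLUMNS: string[] = [
  "mail", "email", "firstname", "surname", "name", "street", "zip", "phone",
  "birthday", "tin", "iban", "ip", "apikey", "result",
];

// Keywords that turn a plain SELECT into a set operation, a write, or an external read.
const BLOCKED_KEYWORDS: string[] = [
  "union", "intersect", "except", "into", "openrowset", "openquery", "opendatasource",
];

interface ValidationResult {
  ok: boolean;
  reason?: string;
}

// Remove string literals and comments so quoted text can neither trigger nor hide a match.
function stripLiteralsAndComments(sql: string): string {
  return sql
    .replace(/'(?:[^']|'')*'/g, " ")    // single-quoted literals, '' escapes included
    .replace(/--[^\n]*/g, " ")          // line comments
    .replace(/\/\*[\s\S]*?\*\//g, " "); // block comments
}

// Lower-case word tokens of the cleaned statement.
function tokenize(sql: string): string[] {
  return stripLiteralsAndComments(sql)
    .toLowerCase()
    .split(/[^a-z0-9_]+/)
    .filter((t) => t.length > 0);
}

// Pre-execution validation: length, single statement, SELECT only, blocked keywords,
// blocked clauses (FOR XML / FOR JSON) and blocked columns regardless of aliasing.
function validateDebugQuery(sql: string): ValidationResult {
  if (sql.length > MAX_QUERY_LENGTH) return { ok: false, reason: "query too long" };

  const cleaned = stripLiteralsAndComments(sql).trim().replace(/;$/, "");
  if (cleaned.indexOf(";") !== -1) return { ok: false, reason: "multiple statements" };

  const tokens = tokenize(cleaned);
  if (tokens[0] !== "select") return { ok: false, reason: "only SELECT is allowed" };

  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (BLOCKED_KEYWORDS.indexOf(t) !== -1) return { ok: false, reason: `blocked keyword: ${t}` };
    if (t === "for" && (tokens[i + 1] === "xml" || tokens[i + 1] === "json")) {
      return { ok: false, reason: `blocked clause: FOR ${tokens[i + 1].toUpperCase()}` };
    }
    // Alias bypass is closed here: "SELECT mail AS m" still contains the token "mail".
    if (DEBUG_BLOCKED_COLUMNS.indexOf(t) !== -1) return { ok: false, reason: `blocked column: ${t}` };
  }
  return { ok: true };
}

// Post-execution masking (defense in depth): drop blocked keys from every result row.
// This covers columns the pre-check cannot see, e.g. those expanded from "SELECT *".
function maskPiiColumns(rows: Record<string, unknown>[]): Record<string, unknown>[] {
  return rows.map((row) => {
    const masked: Record<string, unknown> = {};
    for (const key of Object.keys(row)) {
      if (DEBUG_BLOCKED_COLUMNS.indexOf(key.toLowerCase()) === -1) masked[key] = row[key];
    }
    return masked;
  });
}

// Constructed sample run (the row is made up for the example, not real data).
const sampleRows: Record<string, unknown>[] = [{ id: 1, mail: "user@example.invalid", amount: 5 }];
console.log(validateDebugQuery("SELECT * FROM buy_crypto WHERE id = 12345"));
console.log(validateDebugQuery("SELECT id, mail AS m FROM user_data"));
console.log(maskPiiColumns(sampleRows));
```

The order of the two checks matters for the audit trail: a query rejected by the pre-execution check never reaches the database, so the log entry records an attempt rather than a disclosure, whereas the masking step only limits what a query that already ran can return.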
@TaprootFreak force-pushed the feature/debug-endpoint branch from 6495c2d to 1b1b934 on December 31, 2025 12:13
- Remove unused catch variable (use bare catch)
- Remove unnecessary eslint-disable directive
Yannick1712 and others added 2 commits on December 31, 2025 13:57
- Remove organization.name, bank_tx.name, kyc_step.result from RestrictedColumns
- Add 'name' and 'result' to DebugBlockedColumns
- ADMIN can now see these columns on /gs/db
- DEBUG role has these blocked on /gs/debug
3 participants