Fixed explain error message leaking data

ankane · Jan 5, 2023 · a81bb01 · a81bb01
1 parent 5cf3a2a
commit a81bb01
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## 3.1.0 (unreleased)
 
+- Fixed explain error message leaking data - [more info](https://github.com/ankane/pghero/issues/439)
 - Explain analyze is now opt-in - [more info](https://github.com/ankane/pghero/issues/438)
 - Added support for disabling explain and explain analyze
 - Added support for visualize without explain analyze

diff --git a/app/controllers/pg_hero/home_controller.rb b/app/controllers/pg_hero/home_controller.rb
@@ -299,11 +299,21 @@ def explain
           @suggested_index = @database.suggested_indexes(queries: [@query]).first if @database.suggested_indexes_enabled?
           @visualize = params[:commit] == "Visualize"
         rescue ActiveRecord::StatementInvalid => e
-          @error = e.message
-
-          if @error.include?("bind message supplies 0 parameters")
-            @error = "Can't explain queries with bind parameters"
-          end
+          message = e.message
+          @error =
+            if message == "Unsafe statement"
+              "Unsafe statement"
+            elsif message.start_with?("PG::ProtocolViolation: ERROR:  bind message supplies 0 parameters")
+              "Can't explain queries with bind parameters"
+            elsif message.start_with?("PG::SyntaxError")
+              "Syntax error with query"
+            elsif message.start_with?("PG::QueryCanceled")
+              "Query timed out"
+            else
+              # default to a generic message
+              # since data can be extracted through the Postgres error message
+              "Error explaining query"
+            end
         end
       end
     end

diff --git a/test/controller_test.rb b/test/controller_test.rb
@@ -73,7 +73,7 @@ def test_explain_only_not_enabled
   def test_explain_only_analyze
     post pg_hero.explain_path, params: {query: "ANALYZE SELECT 1"}
     assert_response :success
-    assert_match "syntax error", response.body
+    assert_match "Syntax error with query", response.body
     refute_match "Planning Time:", response.body
     refute_match "Execution Time:", response.body
   end
@@ -95,7 +95,7 @@ def test_explain_analyze_timeout
       end
     end
     assert_response :success
-    assert_match "canceling statement due to statement timeout", response.body
+    assert_match "Query timed out", response.body
   end
 
   def test_explain_analyze_not_enabled