Ensure that the plain SQL file contains no unsafe or destructive operations before restoring it.

[akshay-joshi]

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Strengthened SQL file security validation during restore operations with enhanced encoding verification, null byte detection, and improved line-by-line content scanning to prevent unsafe file processing.

• Refactor

  • Updated internal file validation mechanism for improved security compliance and reliability.

[coderabbitai]

Walkthrough

Replace chunked, regex-based meta-command detection with a comprehensive, security-focused file validation function that enforces UTF-8 encoding with BOM handling, rejects null bytes, normalizes line endings, and performs line-by-line inspection for dangerous backslash sequences.

Changes

Cohort / File(s)	Change Summary
SQL File Safety Validation web/pgadmin/tools/restore/__init__.py	Replaced has_meta_commands() with new is_safe_sql_file() function that validates UTF-8 encoding with BOM handling, rejects null bytes, normalizes line endings, and scans for dangerous backslash sequences. Updated use_sql_utility() to use inverted logic with new safety checks. Removed re import.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Focus areas requiring extra attention:
  • Verify UTF-8 and BOM handling logic is correctly implemented
  • Confirm null byte rejection properly sanitizes content
  • Validate line ending normalization does not alter SQL semantics
  • Review backslash detection logic to ensure it correctly identifies dangerous sequences at line starts
  • Audit the inverted condition logic in use_sql_utility() to ensure no security gaps are introduced
  • Confirm error handling and logging capture all failure paths appropriately
  • Test that legitimate SQL restore workflows are not blocked by stricter validation

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: replacing the old regex-based approach with a comprehensive security-focused validation function that checks SQL files for unsafe operations before restoration.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

web/pgadmin/tools/restore/__init__.py (1)

381-437: Tighten scan behaviour and clarify what is actually enforced

A couple of points in the scan logic are worth adjusting:

• The block under “Check 2” (if "\\g" in line or "\\c" in line or "\\!" in line:) currently just executes pass, so it has no effect despite the comment about blocking dangerous trailing commands. Either implement a concrete action (e.g., log + return False) or remove the branch/comment to avoid future confusion about what’s enforced.
• Loading the entire file into memory (raw_data = f.read(), Line 389) is simple but may be problematic for very large plain SQL dumps. If users routinely restore multi-GB plain files, consider reintroducing a chunked/streaming scan to keep memory usage bounded.
• Enforcing UTF‑8 only via utf-8-sig (Lines 392–397) is a stricter policy than before and will block valid dumps in other encodings. Please confirm this behaviour is acceptable for your user base and documented, since it can be a visible compatibility change.

These are not correctness bugs, but tightening them would make the safety check clearer and more robust.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 39c2f39 and 152b4db.

📒 Files selected for processing (1)

• web/pgadmin/tools/restore/__init__.py (1 hunks)

🧰 Additional context used

🪛 Ruff (0.14.4)

web/pgadmin/tools/restore/__init__.py

439-439: Consider moving this statement to an else block

(TRY300)

---

441-441: Use logging.exception instead of logging.error

Replace with exception

(TRY400)

---

443-443: Use logging.exception instead of logging.error

Replace with exception

(TRY400)

🔇 Additional comments (1)

web/pgadmin/tools/restore/__init__.py (1)

449-455: Safety gate in use_sql_utility looks correct

The new is_safe_sql_file guard in use_sql_utility correctly short-circuits before constructing arguments for the sql utility and returns a clear, user-facing error message that covers both meta-commands and other unsafe conditions. No changes needed here.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Treat unreadable SQL files as unsafe and improve exception logging

Right now, if opening/reading the file raises FileNotFoundError or PermissionError, is_safe_sql_file logs the error but then returns True via the final return True (Line 445), so use_sql_utility will proceed as if the file were safe. For a “security-first” gate, any inability to fully inspect the file should be treated as unsafe and block restore, and the exceptions are good candidates for logger.exception as Ruff suggests.

Consider something along these lines:

-        return True
-    except FileNotFoundError:
-        current_app.logger.error("File not found.")
-    except PermissionError:
-        current_app.logger.error("Insufficient permissions to access.")
-
-    return True
+        return True
+    except FileNotFoundError:
+        current_app.logger.exception(
+            "Security Alert: File not found while scanning %s", path
+        )
+    except PermissionError:
+        current_app.logger.exception(
+            "Security Alert: Insufficient permissions to access %s", path
+        )
+
+    # If we couldn't fully inspect the file, treat it as unsafe.
+    return False

This both aligns with the “restore blocked” behaviour and addresses the TRY300/TRY400 hints.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	return True
	except FileNotFoundError:
	current_app.logger.error("File not found.")
	except PermissionError:
	current_app.logger.error("Insufficient permissions to access.")
	return False
	return True
	return True
	except FileNotFoundError:
	current_app.logger.exception(
	"Security Alert: File not found while scanning %s", path
	)
	except PermissionError:
	current_app.logger.exception(
	"Security Alert: Insufficient permissions to access %s", path
	)
	# If we couldn't fully inspect the file, treat it as unsafe.
	return False

🧰 Tools

🪛 Ruff (0.14.4)

439-439: Consider moving this statement to an else block

(TRY300)

---

441-441: Use logging.exception instead of logging.error

Replace with exception

(TRY400)

---

443-443: Use logging.exception instead of logging.error

Replace with exception

(TRY400)

🤖 Prompt for AI Agents

In web/pgadmin/tools/restore/__init__.py around lines 439 to 445, the function
currently logs FileNotFoundError and PermissionError but then falls through to
return True; change this so that any FileNotFoundError or PermissionError is
treated as unsafe by logging the full exception (use
current_app.logger.exception or logger.exception) and returning False
immediately for those exceptions, ensuring the function blocks restore on
unreadable files and removes the final unconditional return True that allows
unsafe files through.