fix(antseed): parse a libpq kv-conninfo DATABASE_URL in the node writers #39
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,6 +16,32 @@ const UPSERT_BUYER_STATUS = `INSERT INTO buyer_status | |
| connection_state=EXCLUDED.connection_state, | ||
| fetched_at=EXCLUDED.fetched_at`; | ||
|
|
||
| // node-postgres's `connectionString` only understands a postgres:// URL, but the | ||
| // prod secret hands us a libpq KEYWORD/VALUE conninfo (host=… port=… dbname=… | ||
| // user=… password='…' sslmode=require) — the form psycopg uses on the router/ | ||
| // ingress. Detect that and parse it into a pg config object; pass a URL through | ||
| // untouched (dev/compose). Without this the sidecar resolves host "base" and | ||
| // dies with ENOTFOUND, leaving peer_offers/buyer_status empty. | ||
| function pgConfig() { | ||
| const dsn = process.env.DATABASE_URL || ""; | ||
| if (!dsn || dsn.includes("://")) return { connectionString: dsn }; | ||
| const cfg = {}; | ||
| const re = /(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'|(\w+)\s*=\s*(\S+)/g; | ||
| let m; | ||
| while ((m = re.exec(dsn)) !== null) { | ||
| const key = m[1] || m[3]; | ||
| const val = m[1] ? m[2].replace(/\\(.)/g, "$1") : m[4]; | ||
| if (key === "host") cfg.host = val; | ||
| else if (key === "hostaddr" && !cfg.host) cfg.host = val; | ||
| else if (key === "port") cfg.port = Number(val); | ||
| else if (key === "dbname") cfg.database = val; | ||
| else if (key === "user") cfg.user = val; | ||
| else if (key === "password") cfg.password = val; | ||
| else if (key === "sslmode") cfg.ssl = val === "disable" ? false : { rejectUnauthorized: false }; | ||
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Check whether repository-managed DATABASE_URL examples or manifests use stricter sslmode values.
rg -n "sslmode=(verify-ca|verify-full|require|disable|prefer|allow)" .
```

Repository: genlayerlabs/unhardcoded
Length of output: 263

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
printf '\n== antseed/store.js (relevant section) ==\n'
cat -n antseed/store.js | sed -n '1,140p'
printf '\n== Search for sslmode handling and postgres URL usage ==\n'
rg -n "sslmode|DATABASE_URL|postgres://|postgresql://" antseed -g '!**/node_modules/**' || true
printf '\n== Search for any code paths that distinguish verify-ca / verify-full ==\n'
rg -n "verify-ca|verify-full|rejectUnauthorized|ssl\s*=" antseed -g '!**/node_modules/**' || true
```

Repository: genlayerlabs/unhardcoded
Length of output: 3717

Fail closed for stricter
||
| } | ||
| return cfg; | ||
| } | ||
|
|
||
| const str = (v) => (v === null || v === undefined) ? null : String(v); | ||
|
|
||
| function buyerStatusRow(d, pid) { | ||
|
|
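Review bot: The `sslmode` branch maps every value other than `disable` to `{ rejectUnauthorized: false }`, so a conninfo carrying `sslmode=verify-ca` or `sslmode=verify-full` connects without certificate verification and the stricter setting is silently downgraded. Map those two values to `{ rejectUnauthorized: true }` and throw on values the helper does not recognise. In the same loop, `Number(val)` for `port` yields `NaN` on a non-numeric value, and keys outside the `if` chain (for example `sslrootcert`) are dropped without a warning; validating the port and logging ignored keys would make a bad secret fail at startup rather than at connect time.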
@@ -24,4 +50,4 @@ function buyerStatusRow(d, pid) { | |
| str(d.connectionState), Date.now()]; | ||
| } | ||
|
|
||
| module.exports = { UPSERT_BUYER_STATUS, buyerStatusRow }; | ||
| module.exports = { UPSERT_BUYER_STATUS, buyerStatusRow, pgConfig }; | ||
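Review bot: `pgConfig` is added to `module.exports` but takes no argument and reads `process.env.DATABASE_URL` itself, so a caller or test can only exercise it by mutating the process environment. Consider a signature such as `pgConfig(dsn = process.env.DATABASE_URL || "")`, and add unit tests alongside this export covering a quoted password with escapes, a URL passed through untouched, and each `sslmode` value; no test for the parser is visible in this diff.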
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Anchor URL detection to the DSN scheme.
`dsn.includes("://")` misclassifies valid libpq conninfo if a quoted value contains `://`, such as a generated password. That would send the whole key/value string back through `connectionString` and reintroduce the connection failure this helper is meant to avoid.
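One way to address both review points on this diff (URL detection anchored to the scheme, and an `sslmode` mapping that fails closed), as an added example that is not the PR's or the project's code. The names `parseDsn` and `sslFor` and the sample DSN are assumptions made for illustration.

```javascript
// Added example, not the project's code. parseDsn/sslFor are hypothetical names.
// A DSN is a URL only when it *starts* with a postgres scheme, so "://" inside a
// quoted conninfo value (e.g. a password) cannot flip the classification.
const URL_RE = /^\s*postgres(?:ql)?:\/\//i;
const SIMPLE = new Map([
  ["host", "host"], ["dbname", "database"], ["user", "user"], ["password", "password"],
]);

// libpq sslmode -> node-postgres `ssl` option. Verification is switched off only
// for an explicit "require"; verify-* keep it on; unknown values throw.
function sslFor(mode) {
  switch (mode) {
    case "disable": return false;
    case "require": return { rejectUnauthorized: false }; // encrypted, peer unverified
    case "verify-ca": // Node also checks the hostname here: stricter than libpq
    case "verify-full": return { rejectUnauthorized: true };
    default: throw new Error(`unsupported sslmode: ${mode}`);
  }
}

function parseDsn(dsn) {
  if (!dsn || URL_RE.test(dsn)) return { connectionString: dsn };
  const cfg = {};
  // key = 'quoted value with \-escapes'  |  key = bareword
  const re = /(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S+))/g;
  for (const m of dsn.matchAll(re)) {
    const key = m[1];
    const val = m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
    if (SIMPLE.has(key)) cfg[SIMPLE.get(key)] = val;
    else if (key === "hostaddr") cfg.host = cfg.host || val;
    else if (key === "sslmode") cfg.ssl = sslFor(val);
    else if (key === "port") {
      const port = Number(val);
      if (!Number.isInteger(port) || port < 1 || port > 65535) {
        throw new Error(`invalid port: ${val}`);
      }
      cfg.port = port;
    }
  }
  return cfg;
}

// Constructed sample: the password contains "://", a space and an escaped quote.
const SAMPLE =
  "host=db.internal port=5432 dbname=app user=svc password='p://x\\'y z' sslmode=verify-full";
console.log(parseDsn(SAMPLE));
```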