imporvement(pg): added wand config for writing sql queries for generic db blocks & supabase postgrest syntax (#1197)

* add parallel ai, postgres, mysql, slight modifications to dark mode styling

* bun install frozen lockfile

* new deps

* improve security, add wand to short input and update wand config

Author: waleedlatif1

apps/sim/app/api/tools/mysql/delete/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -17,7 +18,7 @@ const DeleteSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()

apps/sim/app/api/tools/mysql/execute/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -16,7 +17,7 @@ const ExecuteSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()
@@ -26,7 +27,6 @@ export async function POST(request: NextRequest) {
       `[${requestId}] Executing raw SQL on ${params.host}:${params.port}/${params.database}`
     )
 
-    // Validate query before execution
     const validation = validateQuery(params.query)
     if (!validation.isValid) {
       logger.warn(`[${requestId}] Query validation failed: ${validation.error}`)

apps/sim/app/api/tools/mysql/insert/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -38,13 +39,10 @@ const InsertSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()
-
-    logger.info(`[${requestId}] Received data field type: ${typeof body.data}, value:`, body.data)
-
     const params = InsertSchema.parse(body)
 
     logger.info(

apps/sim/app/api/tools/mysql/query/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -16,7 +17,7 @@ const QuerySchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()
@@ -26,7 +27,6 @@ export async function POST(request: NextRequest) {
       `[${requestId}] Executing MySQL query on ${params.host}:${params.port}/${params.database}`
     )
 
-    // Validate query before execution
     const validation = validateQuery(params.query)
     if (!validation.isValid) {
       logger.warn(`[${requestId}] Query validation failed: ${validation.error}`)

apps/sim/app/api/tools/mysql/update/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -36,7 +37,7 @@ const UpdateSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()

apps/sim/app/api/tools/mysql/utils.ts

@@ -18,13 +18,11 @@ export async function createMySQLConnection(config: MySQLConnectionConfig) {
     password: config.password,
   }
 
-  // Handle SSL configuration
   if (config.ssl === 'required') {
     connectionConfig.ssl = { rejectUnauthorized: true }
   } else if (config.ssl === 'preferred') {
     connectionConfig.ssl = { rejectUnauthorized: false }
   }
-  // For 'disabled', we don't set the ssl property at all
 
   return mysql.createConnection(connectionConfig)
 }
@@ -54,7 +52,6 @@ export async function executeQuery(
 export function validateQuery(query: string): { isValid: boolean; error?: string } {
   const trimmedQuery = query.trim().toLowerCase()
 
-  // Block dangerous SQL operations
   const dangerousPatterns = [
     /drop\s+database/i,
     /drop\s+schema/i,
@@ -91,7 +88,6 @@ export function validateQuery(query: string): { isValid: boolean; error?: string
     }
   }
 
-  // Only allow specific statement types for execute endpoint
   const allowedStatements = /^(select|insert|update|delete|with|show|describe|explain)\s+/i
   if (!allowedStatements.test(trimmedQuery)) {
     return {
@@ -116,6 +112,8 @@ export function buildInsertQuery(table: string, data: Record<string, unknown>) {
 }
 
 export function buildUpdateQuery(table: string, data: Record<string, unknown>, where: string) {
+  validateWhereClause(where)
+
   const sanitizedTable = sanitizeIdentifier(table)
   const columns = Object.keys(data)
   const values = Object.values(data)
@@ -127,14 +125,33 @@ export function buildUpdateQuery(table: string, data: Record<string, unknown>, w
 }
 
 export function buildDeleteQuery(table: string, where: string) {
+  validateWhereClause(where)
+
   const sanitizedTable = sanitizeIdentifier(table)
   const query = `DELETE FROM ${sanitizedTable} WHERE ${where}`
 
   return { query, values: [] }
 }
 
+function validateWhereClause(where: string): void {
+  const dangerousPatterns = [
+    /;\s*(drop|delete|insert|update|create|alter|grant|revoke)/i,
+    /union\s+select/i,
+    /into\s+outfile/i,
+    /load_file/i,
+    /--/,
+    /\/\*/,
+    /\*\//,
+  ]
+
+  for (const pattern of dangerousPatterns) {
+    if (pattern.test(where)) {
+      throw new Error('WHERE clause contains potentially dangerous operation')
+    }
+  }
+}
+
 export function sanitizeIdentifier(identifier: string): string {
-  // Handle schema.table format
   if (identifier.includes('.')) {
     const parts = identifier.split('.')
     return parts.map((part) => sanitizeSingleIdentifier(part)).join('.')
@@ -144,16 +161,13 @@ export function sanitizeIdentifier(identifier: string): string {
 }
 
 function sanitizeSingleIdentifier(identifier: string): string {
-  // Remove any existing backticks to prevent double-escaping
   const cleaned = identifier.replace(/`/g, '')
 
-  // Validate identifier contains only safe characters
   if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(cleaned)) {
     throw new Error(
       `Invalid identifier: ${identifier}. Identifiers must start with a letter or underscore and contain only letters, numbers, and underscores.`
     )
   }
 
-  // Wrap in backticks for MySQL
   return `\`${cleaned}\``
 }

apps/sim/app/api/tools/postgresql/delete/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -17,7 +18,7 @@ const DeleteSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()

apps/sim/app/api/tools/postgresql/execute/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -20,7 +21,7 @@ const ExecuteSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()
@@ -30,7 +31,6 @@ export async function POST(request: NextRequest) {
       `[${requestId}] Executing raw SQL on ${params.host}:${params.port}/${params.database}`
     )
 
-    // Validate query before execution
     const validation = validateQuery(params.query)
     if (!validation.isValid) {
       logger.warn(`[${requestId}] Query validation failed: ${validation.error}`)

apps/sim/app/api/tools/postgresql/insert/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -38,7 +39,7 @@ const InsertSchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()

apps/sim/app/api/tools/postgresql/query/route.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from 'crypto'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createLogger } from '@/lib/logs/console/logger'
@@ -16,7 +17,7 @@ const QuerySchema = z.object({
 })
 
 export async function POST(request: NextRequest) {
-  const requestId = crypto.randomUUID().slice(0, 8)
+  const requestId = randomUUID().slice(0, 8)
 
   try {
     const body = await request.json()