All checks were successful
CI Code / Check spelling (push) Successful in 21s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 2m21s
CI Code / Linux (ubuntu) (push) Successful in 4m30s
CI Code / Linux (debian) (push) Successful in 6m43s
CI Code / Linux (arch) (push) Successful in 10m8s
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.
Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
(FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
marker, writer and checker stay in sync via preprocessor
stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
`to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
O(log n) time-range lookups; rebuilt on inode / size / mtime
change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
validation)
Hardening
- Path-traversal protection: JID directory name normalisation
(`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
per-contact path is anchored under the account's flatlog/
directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
directories with mode 0700; both enforced at creation, verified
on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
0600, random suffix, no name collisions between concurrent
exports), fsync, then rename \u2014 partial state never replaces the
live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
every write, including append from live messages and full rewrite
from export, so two profanity processes can't interleave bytes
on the same log
- DoS / abuse guards:
* FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
at read with a warning; the parser will not allocate
unbounded memory for a single record
* FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
depth and emits a warning, preventing a malicious correction
cycle from spinning the apply pass
* FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
past 16 leading comment lines, even on garbage input
* Empty / inverted byte-range early-return in page-up read path
so a malformed time filter cannot cause an unbounded scan
* Zero-entry index guard so a file whose every line failed to
parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
not match the original message's sender is rejected at write
time and surfaced via cons_show_error; a cycle in the apply pass
is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
the literal "(null)" as no resource and returns a bare jid;
similar normalisation for barejid eliminates the legacy
"user@host/(null)" artefact that leaked into stored fulljids
whenever g_strdup_printf("%s", NULL) ran inside create_fulljid
Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
timestamp, from_jid, body \u2014 robust against id reuse by older
clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
semantics, runs inside a single SQLite transaction with rollback
on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
list of issues (ERROR / WARNING / INFO) per file:
* file-level: missing log, wrong permissions (\u2260 0600), UTF-8
BOM present, CRLF line endings, empty file
* line-level: invalid UTF-8 (with byte offset), embedded
control characters, unparsable lines, timestamps out of
order, duplicate `id:` and `aid:` (tracked separately so a
stanza/archive id collision isn't double-reported)
* cross-line: broken `corrects:` references whose target id is
not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
flatfile backend is currently active, so migration works
regardless of which backend is live
Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
key stability, JID normalisation), database_stress (14 cases
exercising rapid writes, large messages, deep LMC chains, MAM
dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
import round-trip with content equality, MUC migration,
timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
read, page-up scroll, MAM ingest, mixed workload) and failure
modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
emit CSV rows for baseline comparison
Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
206 lines
6.5 KiB
C
206 lines
6.5 KiB
C
/*
|
|
* database.c
|
|
* vim: expandtab:ts=4:sts=4:sw=4
|
|
*
|
|
* Copyright (C) 2020 - 2025 Michael Vetter <jubalh@iodoru.org>
|
|
*
|
|
* This file is part of Profanity.
|
|
*
|
|
* Profanity is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Profanity is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with Profanity. If not, see <https://www.gnu.org/licenses/>.
|
|
*
|
|
* In addition, as a special exception, the copyright holders give permission to
|
|
* link the code of portions of this program with the OpenSSL library under
|
|
* certain conditions as described in each individual source file, and
|
|
* distribute linked combinations including the two.
|
|
*
|
|
* You must obey the GNU General Public License in all respects for all of the
|
|
* code used other than OpenSSL. If you modify file(s) with this exception, you
|
|
* may extend this exception to your version of the file(s), but you are not
|
|
* obligated to do so. If you do not wish to do so, delete this exception
|
|
* statement from your version. If you delete this exception statement from all
|
|
* source files in the program, then also delete it here.
|
|
*
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#include <glib.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include "log.h"
|
|
#include "common.h"
|
|
#include "config.h"
|
|
#include "database.h"
|
|
#include "config/preferences.h"
|
|
#include "config/accounts.h"
|
|
#include "ui/ui.h"
|
|
#include "xmpp/xmpp.h"
|
|
#include "xmpp/message.h"
|
|
|
|
db_backend_t* active_db_backend = NULL;
|
|
|
|
void
|
|
integrity_issue_free(integrity_issue_t* issue)
|
|
{
|
|
if (issue) {
|
|
g_free(issue->file);
|
|
g_free(issue->message);
|
|
g_free(issue);
|
|
}
|
|
}
|
|
|
|
gboolean
|
|
log_database_init(ProfAccount* account)
|
|
{
|
|
auto_gchar gchar* pref_dblog = prefs_get_string(PREF_DBLOG);
|
|
|
|
// Select backend based on preference
|
|
if (g_strcmp0(pref_dblog, "flatfile") == 0) {
|
|
active_db_backend = db_backend_flatfile();
|
|
log_info("Using flat-file database backend");
|
|
} else {
|
|
#ifdef HAVE_SQLITE
|
|
active_db_backend = db_backend_sqlite();
|
|
log_info("Using SQLite database backend");
|
|
#else
|
|
log_warning("SQLite not compiled in, falling back to flat-file backend");
|
|
active_db_backend = db_backend_flatfile();
|
|
#endif
|
|
}
|
|
|
|
if (!active_db_backend) {
|
|
log_error("log_database_init: no backend available");
|
|
return FALSE;
|
|
}
|
|
|
|
return active_db_backend->init(account);
|
|
}
|
|
|
|
void
|
|
log_database_close(void)
|
|
{
|
|
if (active_db_backend) {
|
|
active_db_backend->close();
|
|
}
|
|
active_db_backend = NULL;
|
|
}
|
|
|
|
gboolean
|
|
log_database_switch_backend(const char* new_backend)
|
|
{
|
|
// Close current backend
|
|
log_database_close();
|
|
|
|
// Update preference (user must /save to persist across restarts)
|
|
prefs_set_string(PREF_DBLOG, new_backend);
|
|
|
|
// Get current account to reinitialize
|
|
const char* account_name = session_get_account_name();
|
|
if (!account_name) {
|
|
log_error("log_database_switch_backend: no active session");
|
|
return FALSE;
|
|
}
|
|
|
|
ProfAccount* account = accounts_get_account(account_name);
|
|
if (!account) {
|
|
log_error("log_database_switch_backend: account '%s' not found", account_name);
|
|
return FALSE;
|
|
}
|
|
|
|
gboolean result = log_database_init(account);
|
|
account_free(account);
|
|
return result;
|
|
}
|
|
|
|
void
|
|
log_database_add_incoming(ProfMessage* message)
|
|
{
|
|
if (active_db_backend && active_db_backend->add_incoming) {
|
|
active_db_backend->add_incoming(message);
|
|
} else {
|
|
log_warning("log_database_add_incoming: no backend or method available");
|
|
}
|
|
}
|
|
|
|
void
|
|
log_database_add_outgoing_chat(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc)
|
|
{
|
|
if (active_db_backend && active_db_backend->add_outgoing_chat) {
|
|
active_db_backend->add_outgoing_chat(id, barejid, message, replace_id, enc);
|
|
} else {
|
|
log_warning("log_database_add_outgoing_chat: no backend or method available");
|
|
}
|
|
}
|
|
|
|
void
|
|
log_database_add_outgoing_muc(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc)
|
|
{
|
|
if (active_db_backend && active_db_backend->add_outgoing_muc) {
|
|
active_db_backend->add_outgoing_muc(id, barejid, message, replace_id, enc);
|
|
} else {
|
|
log_warning("log_database_add_outgoing_muc: no backend or method available");
|
|
}
|
|
}
|
|
|
|
void
|
|
log_database_add_outgoing_muc_pm(const char* const id, const char* const barejid, const char* const message, const char* const replace_id, prof_enc_t enc)
|
|
{
|
|
if (active_db_backend && active_db_backend->add_outgoing_muc_pm) {
|
|
active_db_backend->add_outgoing_muc_pm(id, barejid, message, replace_id, enc);
|
|
} else {
|
|
log_warning("log_database_add_outgoing_muc_pm: no backend or method available");
|
|
}
|
|
}
|
|
|
|
db_history_result_t
|
|
log_database_get_previous_chat(const gchar* const contact_barejid, const gchar* start_time, const gchar* end_time, gboolean from_start, gboolean flip, GSList** result)
|
|
{
|
|
if (active_db_backend && active_db_backend->get_previous_chat) {
|
|
return active_db_backend->get_previous_chat(contact_barejid, start_time, end_time, from_start, flip, result);
|
|
}
|
|
return DB_RESPONSE_ERROR;
|
|
}
|
|
|
|
ProfMessage*
|
|
log_database_get_limits_info(const gchar* const contact_barejid, gboolean is_last)
|
|
{
|
|
if (active_db_backend && active_db_backend->get_limits_info) {
|
|
return active_db_backend->get_limits_info(contact_barejid, is_last);
|
|
}
|
|
// Fallback: return an empty message with sane defaults
|
|
ProfMessage* msg = message_init();
|
|
if (is_last) {
|
|
msg->timestamp = g_date_time_new_now_utc();
|
|
}
|
|
return msg;
|
|
}
|
|
|
|
GSList*
|
|
log_database_verify_integrity(const gchar* const contact_barejid)
|
|
{
|
|
if (active_db_backend && active_db_backend->verify_integrity) {
|
|
return active_db_backend->verify_integrity(contact_barejid);
|
|
}
|
|
|
|
GSList* issues = NULL;
|
|
integrity_issue_t* issue = g_malloc0(sizeof(integrity_issue_t));
|
|
issue->level = INTEGRITY_WARNING;
|
|
issue->file = g_strdup("N/A");
|
|
issue->line = 0;
|
|
issue->message = g_strdup("Active backend does not support integrity verification");
|
|
issues = g_slist_append(issues, issue);
|
|
return issues;
|
|
}
|