chore: dbconn - add requestId info as a comment in the database logs

waku/common/databases/db_postgres/dbconn.nim

@@ -1,5 +1,5 @@
 import
-  std/[times, strutils, asyncnet, os, sequtils, sets],
+  std/[times, strutils, asyncnet, os, sequtils, sets, strformat],
   results,
   chronos,
   chronos/threadsync,
@@ -207,13 +207,42 @@ proc waitQueryToFinish(
 
     pqclear(pqResult)
 
+proc containsRiskyPatterns(input: string): bool =
+  let riskyPatterns =
+    @[
+      " OR ", " AND ", " UNION ", " SELECT ", "INSERT ", "DELETE ", "UPDATE ", "DROP ",
+      "EXEC ", "--", "/*", "*/",
+    ]
+
+  for pattern in riskyPatterns:
+    if pattern.toLowerAscii() in input.toLowerAscii():
+      return true
+
+  return false
+
+proc isSecureString(input: string): bool =
+  ## Returns `false` if the string contains risky characters or patterns, `true` otherwise.
+  let riskyChars = {'\'', '\"', ';', '-', '#', '\\', '%', '_', '/', '*', '\0'}
+
+  for ch in input:
+    if ch in riskyChars:
+      return false
+
+  if containsRiskyPatterns(input):
+    return false
+
+  return true
+
 proc dbConnQuery*(
     dbConnWrapper: DbConnWrapper,
     query: SqlQuery,
     args: seq[string],
     rowCallback: DataProc,
     requestId: string,
 ): Future[Result[void, string]] {.async, gcsafe.} =
+  if not requestId.isSecureString():
+    return err("the passed request id is not secure: " & requestId)
+
   dbConnWrapper.futBecomeFree = newFuture[void]("dbConnQuery")
 
   let cleanedQuery = ($query).replace(" ", "").replace("\n", "")
@@ -224,7 +253,8 @@ proc dbConnQuery*(
 
   var queryStartTime = getTime().toUnixFloat()
 
-  (await dbConnWrapper.sendQuery(query, args)).isOkOr:
+  let reqIdAndQuery = "/* requestId=" & requestId & " */ " & $query
+  (await dbConnWrapper.sendQuery(SqlQuery(reqIdAndQuery), args)).isOkOr:
     error "error in dbConnQuery", error = $error
     dbConnWrapper.futBecomeFree.fail(newException(ValueError, $error))
     return err("error in dbConnQuery calling sendQuery: " & $error)