feat(pam): add MySQL web access data explorer #7022
Add browser-based data explorer for MySQL PAM accounts, matching the existing Postgres implementation. Extract shared session handler logic into a dialect-agnostic factory to deduplicate ~85% of the session handler code between Postgres and MySQL.
Backend:
- Add MySQL connection controller, metadata queries, and session handler
- Extract shared ws-types (enums, Zod schemas, types) into pam-data-explorer-ws-types.ts
- Extract shared session handler into createDataExplorerSessionHandler factory in pam-data-explorer-session-handler.ts
- Rewrite Postgres session handler as thin wrapper using the factory
- Add splitMysqlStatements parser with unit tests
- Register MySQL handler in pam-session-handlers.ts
Frontend:
- Add SqlDialect type to parameterize SQL generation (quoting, ILIKE, RETURNING, dollar-quoting, transactions)
- Thread dialect through DataExplorerGrid, toolbar, and filter popover
- Use sequential statement execution for MySQL instead of BEGIN/COMMIT wrapping
- Default MySQL schema to the connection's database name
- Hide ILIKE filter operator for MySQL
- Fix extractCommand to skip leading comments before extracting the SQL keyword
- Add # comment support to splitMysqlStatements
- Set max_execution_time and sql_select_limit session variables to prevent runaway queries and unbounded memory
- Add end event listener and cancel connection error listener
- Move ORDER BY inside JSON_ARRAYAGG for deterministic column ordering
- Use wrapInTransaction for atomic MySQL saves in the frontend
- Deduplicate OneShotOptions type across dialect metadata files
- Replace old test file with properly named tests covering both functions (25 tests)
Fix statement splitter to handle doubled-quote escapes, add implicit commit detection for DDL, fix sql_select_limit parameterization, add MySQL backslash escaping in quoteLiteral, deduplicate ControllerParams type, use derived-table subqueries for MySQL 8.0 compat, add MySQL dialect to SQL editor and filter popover, fix dependency arrays.
…sh escape in backtick identifiers, add metadata query timeout
MySQL max_execution_time only covers SELECTs. Wrap each user query with a 30s timer that fires KILL QUERY for unbounded DML/DDL.
…add-support-for-mysql-web-access # Conflicts: # frontend/src/pages/pam/PamAccountAccessPage/PamAccountAccessPage.tsx
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d492a75c94
| Filename | Overview |
|---|---|
| backend/src/ee/services/pam-web-access/mysql/pam-mysql-connection-controller.ts | New MySQL per-tab connection controller: handles query execution, cancellation via KILL QUERY, transaction state tracking, and error handling. Missing explicit multipleStatements: false (unlike one-shot connection); UNLOCK in implicit-commit set may produce stale UI state. |
| frontend/src/pages/pam/PamDataExplorerPage/sql-generation.ts | Extended SQL generation with MySQL dialect support (backtick quoting, backslash escaping). Backslash doubling in quoteLiteral is incorrect if target MySQL runs with NO_BACKSLASH_ESCAPES mode. |
| backend/src/ee/services/pam-web-access/mysql/pam-mysql-data-explorer-fns.ts | New MySQL statement splitter and command extractor with 30 unit tests. Correctly handles doubled-quote escapes, backtick identifiers, hash comments, block comments, and the MySQL-specific -- comment rule. |
| backend/src/ee/services/pam-web-access/mysql/pam-mysql-data-explorer-metadata.ts | Parameterized information_schema queries for schemas, tables, and full table detail (columns, PKs, FKs) using JSON_OBJECT aggregation. No injection vectors; all user-supplied values are bound parameters. |
| backend/src/ee/services/pam-web-access/pam-data-explorer-session-handler.ts | New shared WebSocket session handler factory extracted from the Postgres implementation; manages connection lifecycle, metadata queuing, and message routing for any SQL dialect. |
| backend/src/ee/services/pam-web-access/mysql/pam-mysql-metadata.ts | One-shot MySQL connection helpers for schema/table enumeration and reachability checks. Explicitly sets multipleStatements: false and max_execution_time. |
| backend/src/ee/services/pam-web-access/mysql/pam-mysql-session-handler.ts | Thin adapter wiring MySQL-specific implementations into the shared createDataExplorerSessionHandler factory. |
| backend/src/ee/services/pam-web-access/pam-session-handlers.ts | Registers MySQL handler alongside existing Postgres and SSH handlers in the session-handler dispatch table. |
| backend/src/ee/services/pam-web-access/postgres/pam-postgres-session-handler.ts | Refactored Postgres session handler now delegates to the shared createDataExplorerSessionHandler factory; no behavioral change. |
| frontend/src/pages/pam/PamDataExplorerPage/PamDataExplorerPage.tsx | Data explorer page now detects MySQL account type and derives the correct dialect and default schema; all existing layout and session logic unchanged. |
| backend/src/ee/services/pam-account/pam-account-schemas.test.ts | Unit test updated to include MySQL in the supported web-access set and assert supportsWebAccess: true for MySQL. |
| backend/src/ee/services/pam-web-access/mysql/pam-mysql-data-explorer-fns.test.ts | Comprehensive test suite (30 cases) for MySQL statement splitting and command extraction covering all comment styles, quoting, escape sequences, and transaction keywords. |
Reviews (1): Last reviewed commit: "Merge remote-tracking branch 'origin/pam..."
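The splitting rules summarised in the file overview above (doubled-quote escapes, backtick identifiers, hash and block comments, and the MySQL rule that `--` starts a comment only when whitespace follows), as an added TypeScript example that is not the PR's `splitMysqlStatements` code. The name `splitStatements` and the sample input are constructed for illustration; it assumes the default sql_mode (backslash escapes enabled) and no client-side DELIMITER command.

```typescript
// Added example: hypothetical splitter, not the PR's splitMysqlStatements.
// Assumes default sql_mode (backslash escapes on) and no DELIMITER command.
function splitStatements(sql: string): string[] {
  const out: string[] = [];
  let start = 0;
  let i = 0;
  const flush = (end: number): void => {
    const stmt = sql.slice(start, end).trim();
    if (stmt) out.push(stmt); // comments stay attached to their statement
    start = end + 1;
  };
  while (i < sql.length) {
    const c = sql.charAt(i);
    const next = sql.charAt(i + 1);
    if (c === "'" || c === '"' || c === "`") {
      // Quoted region. A doubled quote is an escaped quote; backslash escapes
      // apply to string literals only, never to backtick identifiers.
      i += 1;
      while (i < sql.length) {
        const q = sql.charAt(i);
        if (q === "\\" && c !== "`") i += 2;
        else if (q === c && sql.charAt(i + 1) === c) i += 2;
        else if (q === c) break;
        else i += 1;
      }
      i += 1; // past the closing quote, or past the end if unterminated
    } else if (c === "#" || (c === "-" && next === "-" && /\s/.test(sql.charAt(i + 2)))) {
      // "#" always starts a line comment; "--" only when whitespace follows.
      const nl = sql.indexOf("\n", i);
      i = nl === -1 ? sql.length : nl + 1;
    } else if (c === "/" && next === "*") {
      const close = sql.indexOf("*/", i + 2);
      i = close === -1 ? sql.length : close + 2; // unterminated: swallow rest
    } else {
      if (c === ";") flush(i);
      i += 1;
    }
  }
  flush(sql.length);
  return out;
}
// Constructed sample input: every ";" except three sits in a quote or comment.
const SAMPLE = [
  "INSERT INTO t VALUES ('it''s; fine', \"a\\\";b\");",
  "SELECT `odd;name\\` FROM t; # trailing; comment",
  "SELECT 5--2; -- real; comment",
  "/* block; comment */ SELECT 1",
].join("\n");
console.log(splitStatements(SAMPLE)); // four statements
```

A plain `sql.split(";")` on the same input would cut inside the string literals, the backtick identifier and all three comment styles, which is why a quote- and comment-aware scan is needed before statements are executed one at a time.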
PR overview: All previously flagged issues have been addressed. No open security concerns remain on this pull request.
Security review: No open security issues remain on this pull request. Fixed/addressed: 2 · PR risk: 0/10
Replace manual IMPLICIT_COMMIT_COMMANDS set with server-side transaction state detection via DO 0 + SERVER_STATUS_IN_TRANS flag. Covers all implicit commit cases automatically without maintaining a command list.
Prevents users from bypassing the row cap by running SET SESSION sql_select_limit=DEFAULT before a query.
Add supportBigNumbers, bigNumberStrings, and dateStrings options to prevent precision loss on BIGINTs above MAX_SAFE_INTEGER and timezone shifts on date/time columns.
… error handler
Rename backendPid to nativeConnectionId across backend and frontend
for database-agnostic terminology. Add conn.on("error") handler to
MySQL metadata one-shot connections matching the Postgres pattern.
…xplorer components
Summary
Type of change
Test plan
- splitMysqlStatements and extractCommand (30 tests covering doubled-quote escapes, unterminated strings/comments, block comments, all statement types)
- buildPamAccountTypeMetadata to include MySQL in supported web-access set