Databases

shellfirm covers destructive database operations across five check groups: database (generic SQL), psql (PostgreSQL), mysql (MySQL), mongodb (MongoDB), and redis (Redis).

Generic SQL checks (database)

These checks match standard SQL statements regardless of which database client you use. Patterns are case-insensitive.

DROP DATABASE

ID	database:drop_database
Severity	Critical

-- Triggers
DROP DATABASE customers;
drop database myapp;

DROP TABLE

ID	database:drop_table
Severity	Critical

-- Triggers
DROP TABLE users;
drop table orders;

TRUNCATE TABLE

ID	database:truncate_table
Severity	Critical

-- Triggers
TRUNCATE TABLE sessions;
truncate table logs;

DELETE without WHERE

ID	database:delete_all_rows
Severity	Critical
Filters	NotContains WHERE, NotContains where
Alternative	DELETE FROM <table> WHERE <condition> -- always include a WHERE clause

-- Triggers
DELETE FROM users;
delete from orders;

-- Does NOT trigger (has WHERE clause)
DELETE FROM users WHERE id = 5;
delete from orders where status = 'cancelled';

UPDATE without WHERE

ID	database:update_all_rows
Severity	High
Filters	NotContains WHERE, NotContains where

-- Triggers
UPDATE users SET active = false;
update orders set status = 'cancelled';

-- Does NOT trigger
UPDATE users SET active = false WHERE created_at < '2024-01-01';

PostgreSQL checks (psql)

DROP via psql CLI

ID	psql:drop
Severity	Critical

# Triggers
psql -c "DROP DATABASE myapp"
psql -h localhost -c "DROP TABLE users"

MySQL checks (mysql)

DROP via mysql CLI

ID	mysql:drop
Severity	Critical

# Triggers
mysql -e "DROP DATABASE myapp"
mysql -u root -e "DROP TABLE users"

MongoDB checks (mongodb)

Drop via mongosh CLI

ID	mongodb:drop
Severity	Critical

# Triggers
mongosh --eval "db.users.drop()"
mongo --eval "db.dropDatabase()"

Interactive drop collection

ID	mongodb:interactive_drop_collection
Severity	Critical

Caught when using shellfirm wrap with a MongoDB session:

// Triggers (in interactive mongosh session)
db.users.drop()
db.orders.drop()

Interactive drop database

ID	mongodb:interactive_drop_database
Severity	Critical

// Triggers (in interactive mongosh session)
db.dropDatabase()

Redis checks (redis)

FLUSHALL via CLI

ID	redis:flushall
Severity	Critical
Alternative	redis-cli FLUSHDB -- only clears the current database, not all databases

# Triggers
redis-cli FLUSHALL

FLUSHDB via CLI

ID	redis:flushdb
Severity	High

# Triggers
redis-cli FLUSHDB

Interactive Redis commands

These patterns are caught when using shellfirm wrap with a Redis session:

ID	Command	Severity
redis:interactive_flushall	FLUSHALL	Critical
redis:interactive_flushdb	FLUSHDB	High
redis:interactive_shutdown	SHUTDOWN or SHUTDOWN NOSAVE	Critical

Summary table

ID	Command	Severity	Filters
database:drop_database	DROP DATABASE	Critical	--
database:drop_table	DROP TABLE	Critical	--
database:truncate_table	TRUNCATE TABLE	Critical	--
database:delete_all_rows	DELETE FROM (no WHERE)	Critical	NotContains WHERE
database:update_all_rows	UPDATE SET (no WHERE)	High	NotContains WHERE
psql:drop	psql -c DROP	Critical	--
mysql:drop	mysql -e DROP	Critical	--
mongodb:drop	mongosh --eval drop	Critical	--
mongodb:interactive_drop_collection	db.collection.drop()	Critical	--
mongodb:interactive_drop_database	db.dropDatabase()	Critical	--
redis:flushall	redis-cli FLUSHALL	Critical	--
redis:flushdb	redis-cli FLUSHDB	High	--
redis:interactive_flushall	FLUSHALL (interactive)	Critical	--
redis:interactive_flushdb	FLUSHDB (interactive)	High	--
redis:interactive_shutdown	SHUTDOWN (interactive)	Critical	--

Interactive database sessions

The MongoDB and Redis interactive patterns are designed to work with shellfirm wrap, which creates a PTY proxy around your database client. See Interactive Wrapper for setup instructions.