Gate process plugins via api.GenerateOptions.InsecureProcessPluginNames

Add an explicit allowlist of process-based plugin names to
api.GenerateOptions. Generate fails before any parse or codegen runs if
the configuration declares a process plugin whose name is not in the
list. The "Insecure" prefix mirrors crypto/tls.Config.InsecureSkipVerify
to flag the trust decision callers are making — process plugins execute
arbitrary local commands.

The CLI populates the allowlist by scanning the user's own config for
declared process plugins, so `sqlc generate`, `sqlc compile`, and
`sqlc diff` keep working. SQLCDEBUG=processplugins=0 still disables
process plugins by leaving the allowlist nil.

https://claude.ai/code/session_01RCzB2JR5Y5ScFDUmwcxGVZ

Author: claude

internal/api/generate.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync"
 
@@ -33,6 +34,15 @@ type GenerateOptions struct {
 	// on disk and writes a unified diff for differences to Stderr. If any
 	// differences are found, an error is appended to GenerateResult.Errors.
 	Diff bool
+
+	// InsecureProcessPluginNames is the allowlist of process-based plugin
+	// names that Generate is permitted to invoke. Any process plugin declared
+	// in the configuration whose name is not in this list causes Generate to
+	// fail before parsing or codegen runs. Process plugins execute arbitrary
+	// local commands; the "Insecure" prefix mirrors
+	// crypto/tls.Config.InsecureSkipVerify as a reminder that callers must
+	// consciously trust each plugin name they pass here.
+	InsecureProcessPluginNames []string
 }
 
 // GenerateResult is the outcome of a Generate call. Files maps absolute output
@@ -72,6 +82,18 @@ func Generate(ctx context.Context, opts GenerateOptions) GenerateResult {
 		return res
 	}
 
+	for _, plug := range conf.Plugins {
+		if plug.Process == nil {
+			continue
+		}
+		if !slices.Contains(opts.InsecureProcessPluginNames, plug.Name) {
+			err := fmt.Errorf("process plugin %q is not in InsecureProcessPluginNames; refusing to run", plug.Name)
+			fmt.Fprintf(stderr, "error validating %s: %s\n", base, err)
+			res.Errors = append(res.Errors, err)
+			return res
+		}
+	}
+
 	g := &generator{
 		dir:    opts.Dir,
 		output: map[string]string{},

internal/cmd/cmd.go

@@ -182,18 +182,35 @@ func getConfigPath(stderr io.Writer, f *pflag.Flag) (string, string) {
 	}
 }
 
+// allowedProcessPluginNames returns the set of process plugin names the CLI
+// trusts to run. SQLCDEBUG=processplugins=0 disables every process plugin by
+// returning nil; otherwise we trust whatever the user declared in their own
+// config.
+func allowedProcessPluginNames(env Env, stderr io.Writer, dir, name string) []string {
+	if !env.Debug.ProcessPlugins {
+		return nil
+	}
+	names, err := processPluginNames(stderr, dir, name)
+	if err != nil {
+		os.Exit(1)
+	}
+	return names
+}
+
 var genCmd = &cobra.Command{
 	Use:   "generate",
 	Short: "Generate source code from SQL",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		defer trace.StartRegion(cmd.Context(), "generate").End()
 		stderr := cmd.ErrOrStderr()
 		dir, name := getConfigPath(stderr, cmd.Flag("file"))
+		env := ParseEnv(cmd)
 		res := api.Generate(cmd.Context(), api.GenerateOptions{
-			Dir:    dir,
-			File:   name,
-			Stderr: stderr,
-			Write:  true,
+			Dir:                        dir,
+			File:                       name,
+			Stderr:                     stderr,
+			Write:                      true,
+			InsecureProcessPluginNames: allowedProcessPluginNames(env, stderr, dir, name),
 		})
 		if len(res.Errors) > 0 {
 			os.Exit(1)
@@ -209,10 +226,12 @@ var checkCmd = &cobra.Command{
 		defer trace.StartRegion(cmd.Context(), "compile").End()
 		stderr := cmd.ErrOrStderr()
 		dir, name := getConfigPath(stderr, cmd.Flag("file"))
+		env := ParseEnv(cmd)
 		res := api.Generate(cmd.Context(), api.GenerateOptions{
-			Dir:    dir,
-			File:   name,
-			Stderr: stderr,
+			Dir:                        dir,
+			File:                       name,
+			Stderr:                     stderr,
+			InsecureProcessPluginNames: allowedProcessPluginNames(env, stderr, dir, name),
 		})
 		if len(res.Errors) > 0 {
 			os.Exit(1)
@@ -228,11 +247,13 @@ var diffCmd = &cobra.Command{
 		defer trace.StartRegion(cmd.Context(), "diff").End()
 		stderr := cmd.ErrOrStderr()
 		dir, name := getConfigPath(stderr, cmd.Flag("file"))
+		env := ParseEnv(cmd)
 		res := api.Generate(cmd.Context(), api.GenerateOptions{
-			Dir:    dir,
-			File:   name,
-			Stderr: stderr,
-			Diff:   true,
+			Dir:                        dir,
+			File:                       name,
+			Stderr:                     stderr,
+			Diff:                       true,
+			InsecureProcessPluginNames: allowedProcessPluginNames(env, stderr, dir, name),
 		})
 		if len(res.Errors) > 0 {
 			os.Exit(1)

internal/cmd/generate.go

@@ -106,6 +106,25 @@ func readConfig(stderr io.Writer, dir, filename string) (string, *config.Config,
 	return configPath, &conf, nil
 }
 
+// processPluginNames returns the names of every process-based plugin declared
+// in the sqlc configuration at dir/filename. The CLI passes the result to
+// api.GenerateOptions.InsecureProcessPluginNames so commands run by the user
+// (who wrote the config) can invoke any plugin they declared, while library
+// callers are still required to opt in explicitly.
+func processPluginNames(stderr io.Writer, dir, filename string) ([]string, error) {
+	_, conf, err := readConfig(stderr, dir, filename)
+	if err != nil {
+		return nil, err
+	}
+	var names []string
+	for _, p := range conf.Plugins {
+		if p.Process != nil {
+			names = append(names, p.Name)
+		}
+	}
+	return names, nil
+}
+
 func parse(ctx context.Context, name, dir string, sql config.SQL, combo config.CombinedSettings, parserOpts opts.Parser, stderr io.Writer) (*compiler.Result, bool) {
 	defer trace.StartRegion(ctx, "parse").End()
 	c, err := compiler.NewCompiler(sql, combo, parserOpts)