fix: adds the ability to disallow SQL functions per engine#28639
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #28639 +/- ##
===========================================
+ Coverage 60.48% 83.43% +22.94%
===========================================
Files 1931 523 -1408
Lines 76236 37605 -38631
Branches 8568 0 -8568
===========================================
- Hits 46114 31377 -14737
+ Misses 28017 6228 -21789
+ Partials 2105 0 -2105
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
dosubot
Bot
added
data:databases
| try: | ||
| cls.execute(cursor, sql, query.database) | ||
| with app.app_context(): | ||
| cls.execute(cursor, sql, query.database) |
There was a problem hiding this comment.
threads don't have an app context: https://stackoverflow.com/questions/72541670/why-flask-app-context-is-lost-in-child-thread-when-application-factory-pattern-i
| try: | ||
| cls.execute(cursor, sql, query.database) | ||
| with app.app_context(): | ||
| cls.execute(cursor, sql, query.database) |
| :param function_list: The list of functions to search for | ||
| :param engine: The engine to use for parsing the SQL statement | ||
| """ | ||
| return ParsedQuery(sql, engine=engine).check_functions_exist(function_list) |
There was a problem hiding this comment.
We (probably me) will have to convert this to use sqlglot and the SQLStatement class (#26786) but I'm happy to do it, seems simple enough.
There was a problem hiding this comment.
Happy to do it myself, can I just not use sqlparse? implement something using the same pattern as extract_tables_from_statement?
| # A set of disallowed SQL functions per engine. This is used to restrict the use of | ||
| # unsafe SQL functions in SQL Lab and Charts. The keys of the dictionary are the engine | ||
| # names, and the values are sets of disallowed functions. | ||
| DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = { |
There was a problem hiding this comment.
I'm unsure where the best place for this deny list, i.e., here in the configuration or within the extra JSON payload of the database.
Additionally should this be engine (dialect) specific or database specific? If it's the later then maybe the extra JSON payload field is preferable.
There was a problem hiding this comment.
JSON payload at the database level is more dynamic and would avoid having to change the config to add remove disallowed functions. But on the other hand the user that actually registers the db could have intentions to "abuse" these functions.
michael-s-molina
added
the
v4.0
mistercrunch
added
🍒 4.0.2
* fix(permalink): adding anchor to dashboard permalink generation (apache#28744) * fix: filters not updating with force update when caching is enabled (apache#29291) (cherry picked from commit 527f1d2) * fix(sqllab): invalid empty state on switch tab (apache#29278) * fix(metastore-cache): prune before add (apache#29301) (cherry picked from commit 172ddb4) * fix: Remove recursive repr call (apache#29314) (cherry picked from commit 9444c6b) * fix: Cannot delete empty column inside a tab using the dashboard editor (apache#29346) (cherry picked from commit ee52277) * fix(explore): restored hidden field values has discarded (apache#29349) (cherry picked from commit 160cece) * chore: Rename Totals to Summary in table chart (apache#29360) * fix(revert 27883): Excess padding in horizontal Bar charts (apache#29345) (cherry picked from commit 708afb7) * fix(explore): don't respect y-axis formatting (apache#29367) * fix: adds the ability to disallow SQL functions per engine (apache#28639) * chore: Adds 4.0.2 RC2 data to CHANGELOG.md * fixes * frontend fixes * fix: cache api --------- Co-authored-by: Jack <41238731+fisjac@users.noreply.github.com> Co-authored-by: ka-weihe <k@weihe.dk> Co-authored-by: JUST.in DO IT <justin.park@airbnb.com> Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com> Co-authored-by: Jessie R <j@scjr.me> Co-authored-by: Michael S. Molina <70410625+michael-s-molina@users.noreply.github.com> Co-authored-by: Daniel Vaz Gaspar <danielvazgaspar@gmail.com> Co-authored-by: Michael S. Molina <michael.s.molina@gmail.com>
6 participants
SUMMARY
Adds a new configuration key named
DISALLOWED_SQL_FUNCTIONSthat defines disallowed function per engine on SQL statements. These functions will be disallowed on SQLLab and Charts.BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION