
fix: is_select #25189

Merged
merged 2 commits into from
Sep 6, 2023

Conversation

betodealmeida
Copy link
Member

SUMMARY

The SQLParse.is_select method checks only the first statement of a query. Currently this is not an issue because it only gets called on a per-statement basis in superset/sql_lab.py (via the DB engine spec is_select_query method), but it could potentially cause security issues in the future if the method is called on a query with multiple statements:

>>> from superset.sql_parse import ParsedQuery
>>> ParsedQuery("SELECT 1; DROP DATABASE superset").is_select()
True
>>>

This PR fixes the method so it checks for every statement. Existing code should run as-is.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API
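The flaw described in the summary, shown side by side with the per-statement check the PR introduces, as an added example that is not Superset's own code. Superset's real `ParsedQuery` is built on the `sqlparse` library; to keep this runnable offline, the splitter below is a hand-written simplification (an assumption, not the project's parser) that tracks quoted strings and identifiers and skips `--` and `/* */` comments, so that a `;` inside a literal or comment does not create a phantom statement. The function names `split_statements`, `is_select_first_only` and `is_select_all` are hypothetical.

```python
"""Added example (not apache/superset code): a SELECT-only check must cover
every statement in a multi-statement query, as motivated by PR #25189.

The splitter here is a deliberate simplification standing in for sqlparse:
it understands single-quoted strings, double-quoted identifiers, doubled
quote escapes, ``--`` line comments and ``/* */`` block comments.
"""

import re
from typing import List


def split_statements(sql: str) -> List[str]:
    """Split on semicolons that sit outside quotes and comments (hypothetical helper)."""
    statements: List[str] = []
    buf: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # Copy the whole quoted run verbatim; a doubled quote ('') is an escape.
            quote = ch
            j = i + 1
            while j < n:
                if sql[j] == quote:
                    if j + 1 < n and sql[j + 1] == quote:
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):
            # Drop a line comment; the newline itself is kept as whitespace.
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):
            # Drop a block comment (an unterminated one swallows the rest).
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif ch == ";":
            statements.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    statements.append("".join(buf).strip())
    return [s for s in statements if s]


def _first_keyword(stmt: str) -> str:
    """Leading keyword of one statement, ignoring opening parentheses, e.g. '(SELECT 1) UNION ...'."""
    m = re.match(r"\s*\(*\s*([A-Za-z_]+)", stmt)
    return m.group(1).upper() if m else ""


def is_select_first_only(sql: str) -> bool:
    """BEFORE: mirrors the flaw in the PR summary; only the first statement is inspected."""
    stmts = split_statements(sql)
    return bool(stmts) and _first_keyword(stmts[0]) == "SELECT"


def is_select_all(sql: str) -> bool:
    """AFTER: every statement must be a SELECT, so a trailing DML/DDL statement fails the check."""
    stmts = split_statements(sql)
    return bool(stmts) and all(_first_keyword(s) == "SELECT" for s in stmts)


if __name__ == "__main__":
    # Constructed query, taken from the PR summary's REPL session.
    query = "SELECT 1; DROP DATABASE superset"
    print("statements:", split_statements(query))
    print("first-only:", is_select_first_only(query))  # True  (the bug)
    print("all       :", is_select_all(query))         # False (the fix)
```

Only a bare `SELECT` is accepted here; a real implementation also has to classify `WITH ... SELECT` CTEs, `EXPLAIN`, dialect-specific forms and vendor quoting rules, which is exactly why the project delegates statement typing to a parser rather than to a keyword match. The point the PR makes survives the simplification: whatever the per-statement test is, it must be applied to every statement the splitter yields, and the splitter must not be fooled by semicolons in literals or comments.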

@betodealmeida betodealmeida merged commit 2f68010 into master Sep 6, 2023
54 checks passed
darwinsubramaniam pushed a commit to darwinsubramaniam/superset that referenced this pull request Sep 7, 2023
@michael-s-molina michael-s-molina added the v3.0 Label added by the release manager to track PRs to be included in the 3.0 branch label Sep 7, 2023
michael-s-molina pushed a commit that referenced this pull request Sep 7, 2023
(cherry picked from commit 2f68010)
sebastiankruk added a commit to sebastiankruk/superset that referenced this pull request Sep 9, 2023
* fix: Issue apache#24493; Resolved report selection menu in chart and dashboard page (apache#25157)

* fix: DML failures in SQL Lab (apache#25190)

* fix: All values being selected in Select (apache#25202)

* docs: fix wrong type in PREFERRED_DATABASES example (apache#25200)

Signed-off-by: cmontemuino <1761056+cmontemuino@users.noreply.github.com>

* docs: add CVEs for 2.1.1 (apache#25206)

* chore: back port 2.1.1 doc changes (apache#25165)

* feat(sqllab): Show sql in the current result (apache#24787)

* docs(FAQ): add answer re: necessary specs, copy-edit existing answer (apache#24992)

* fix: `is_select` (apache#25189)

* fix: Cypress test to force mouseover (apache#25209)

* fix(sqllab): Force trino client async execution (apache#24859)

* fix: granularity_sqla and GENERIC_CHART_AXES (apache#25213)

* chore: Convert deckgl class components to functional (apache#25177)

* fix: Cypress test to force mouseover (follow-up) (apache#25223)

* fix(docs): Fixing a typo in README.md (apache#25216)

* chore(read_csv): remove deprecated argument (apache#25226)

* chore(trino): remove unnecessary index checks (apache#25211)

---------

Signed-off-by: cmontemuino <1761056+cmontemuino@users.noreply.github.com>
Co-authored-by: Sandeep Patel <33354423+suicide11@users.noreply.github.com>
Co-authored-by: Hugh A. Miles II <hughmil3s@gmail.com>
Co-authored-by: Michael S. Molina <70410625+michael-s-molina@users.noreply.github.com>
Co-authored-by: Carlos M <1761056+cmontemuino@users.noreply.github.com>
Co-authored-by: Daniel Vaz Gaspar <danielvazgaspar@gmail.com>
Co-authored-by: Elizabeth Thompson <eschutho@gmail.com>
Co-authored-by: JUST.in DO IT <justin.park@airbnb.com>
Co-authored-by: Sam Firke <sfirke@users.noreply.github.com>
Co-authored-by: Beto Dealmeida <roberto@dealmeida.net>
Co-authored-by: Rob Moore <giftig@users.noreply.github.com>
Co-authored-by: Kamil Gabryjelski <kamil.gabryjelski@gmail.com>
Co-authored-by: yousoph <sophieyou12@gmail.com>
Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@mistercrunch mistercrunch added 🍒 3.0.0 🍒 3.0.1 🍒 3.0.2 🍒 3.0.3 🍒 3.0.4 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.1.0 labels Mar 8, 2024
@mistercrunch mistercrunch deleted the fix_is_select branch March 26, 2024 18:03