chore: acknowledge the injection

ibis-project · Jan 24, 2025 · 582d535 · 582d535
1 parent 119b542
commit 582d535
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/ibis/backends/mssql/__init__.py b/ibis/backends/mssql/__init__.py
@@ -319,6 +319,13 @@ def _get_schema_using_query(self, query: str) -> sch.Schema:
         # us to pre-filter the columns we want back.
         # The syntax is:
         # `sys.dm_exec_describe_first_result_set(@tsql, @params, @include_browse_information)`
+        #
+        # Yes, this *is* a SQL injection risk, but it's not clear how to avoid
+        # that since we allow users to pass arbitrary SQL.
+        #
+        # SQLGlot has a bug that forces capitalization of
+        # `dm_exec_describe_first_result_set`, so we can't even use its builder
+        # APIs. That doesn't really solve the injection problem though.
         query = f"""
         SELECT
           name,
@@ -330,7 +337,7 @@ def _get_schema_using_query(self, query: str) -> sch.Schema:
           error_message
         FROM sys.dm_exec_describe_first_result_set(N{tsql}, NULL, 0)
         ORDER BY column_ordinal
-        """
+        """  # noqa: S608
         with self._safe_raw_sql(query) as cur:
             rows = cur.fetchall()