Skip to content

Commit

Permalink
fix: Validate jinja rendered query (#22851)
Browse files Browse the repository at this point in the history
  • Loading branch information
geido authored Feb 21, 2023
1 parent 5482f78 commit c7823e3
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 1 deletion.
6 changes: 5 additions & 1 deletion superset/sqllab/commands/execute.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
# pylint: disable=too-few-public-methods, too-many-arguments
from __future__ import annotations

import copy
import logging
from typing import Any, Dict, Optional, TYPE_CHECKING

Expand Down Expand Up @@ -142,9 +143,12 @@ def _run_sql_json_exec_from_scratch(self) -> SqlJsonExecutionStatus:
self._save_new_query(query)
try:
logger.info("Triggering query_id: %i", query.id)
self._validate_access(query)

self._execution_context.set_query(query)
rendered_query = self._sql_query_render.render(self._execution_context)
validate_rendered_query = copy.copy(query)
validate_rendered_query.sql = rendered_query
self._validate_access(validate_rendered_query)
self._set_query_limit_if_required(rendered_query)
self._query_dao.update(
query, {"limit": self._execution_context.query.limit}
Expand Down
32 changes: 32 additions & 0 deletions tests/integration_tests/sqllab_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -736,6 +736,38 @@ def test_sql_json_parameter_error(self):
"undefined_parameters": ["stat"],
}

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
@mock.patch.dict(
"superset.extensions.feature_flag_manager._feature_flags",
{"ENABLE_TEMPLATE_PROCESSING": True},
clear=True,
)
def test_sql_json_parameter_authorized(self):
self.login("admin")

data = self.run_sql(
"SELECT name FROM {{ table }} LIMIT 10",
"3",
template_params=json.dumps({"table": "birth_names"}),
)
assert data["status"] == "success"

@pytest.mark.usefixtures("load_birth_names_dashboard_with_slices")
@mock.patch.dict(
"superset.extensions.feature_flag_manager._feature_flags",
{"ENABLE_TEMPLATE_PROCESSING": True},
clear=True,
)
def test_sql_json_parameter_forbidden(self):
self.login("gamma")

data = self.run_sql(
"SELECT name FROM {{ table }} LIMIT 10",
"4",
template_params=json.dumps({"table": "birth_names"}),
)
assert data["errors"][0]["error_type"] == "GENERIC_BACKEND_ERROR"

@mock.patch("superset.sql_lab.get_query")
@mock.patch("superset.sql_lab.execute_sql_statement")
def test_execute_sql_statements(self, mock_execute_sql_statement, mock_get_query):
Expand Down

0 comments on commit c7823e3

Please sign in to comment.