Add argument to disable autojoin on demand. #35
Conversation
There was a problem hiding this comment.
Hi @bodik, thank you for all the proposals!
Can I ask what the use case behind this addition is? I am wondering when you would like not to "auto join", considering that you are providing multiple models and filters for them.
I'll take a look at the rest of the PRs as soon as I can.
The exact use-case comes from my current project, the filter condition is taken from client input (https://github.com/bodik/sner4/blob/master/sner/server/templates/storage/vuln/list.html#L52), the syntax of the filter is handled by parser with defined grammar (https://github.com/bodik/sner4/blob/master/sner/server/sqlafilter.py#L52) and parsed filter specification/tree is finally used to filter out listing results (https://github.com/bodik/sner4/blob/master/sner/server/controller/storage/vuln.py#L62) The queried fields are specified in code so they could not be altered by the malicious input, but the implicit auto-join feature will result in joining any user specified table to the query. Despite the user cannot change the output values per-se, I guess there might be some side effects to infer some information with the technique. In this particular user-case, |
bodik
force-pushed
the
feature-can_disable_autojoin
branch
from
aa1517e
to
1892f40
Compare
something like 1892f40 ? |
When passing filters parsed from client request it might be desirable to disable auto join feature on demand. Please consider the simple patch.