[GitHub] [airflow] ashb commented on a change in pull request #21551: Add ability to pass config parameters to postgres operator

GitBox Tue, 15 Feb 2022 10:49:06 -0800


ashb commented on a change in pull request #21551:
URL: https://github.com/apache/airflow/pull/21551#discussion_r806664237




##########
File path: airflow/providers/postgres/example_dags/example_postgres.py
##########
@@ -70,8 +70,9 @@
             BETWEEN SYMMETRIC DATE '{{ params.begin_date }}' AND DATE '{{ 
params.end_date }}';
             """,
         params={'begin_date': '2020-01-01', 'end_date': '2020-12-31'},

Review comment:
       This example is wrong (not your change, but oops)
   
   ```suggestion
           parameters={'begin_date': '2020-01-01', 'end_date': '2020-12-31'},
   ```

##########
File path: airflow/providers/postgres/operators/postgres.py
##########
@@ -60,10 +61,17 @@ def __init__(
         self.autocommit = autocommit
         self.parameters = parameters
         self.database = database
+        self.runtime_parameters = runtime_parameters
         self.hook: Optional[PostgresHook] = None
 
     def execute(self, context: 'Context'):
         self.hook = PostgresHook(postgres_conn_id=self.postgres_conn_id, 
schema=self.database)
+        if self.runtime_parameters:
+            set_param_sql = [f"SET {param} TO '{val}'; " for param, val in 
self.runtime_parameters.items()]

Review comment:
       This feels prone to SQL injection. We should use SQLAlchemy constructs 
here to ensure we are not.

##########
File path: airflow/providers/postgres/example_dags/example_postgres.py
##########
@@ -70,8 +70,9 @@
             BETWEEN SYMMETRIC DATE '{{ params.begin_date }}' AND DATE '{{ 
params.end_date }}';
             """,
         params={'begin_date': '2020-01-01', 'end_date': '2020-12-31'},

Review comment:
       Oh yeah, Better would be to use parameters so that we don't risk SQLI:
   
   ```
               BETWEEN SYMMETRIC DATE :begin_date: AND DATE :end_date:';
               """,
           parameters={'begin_date': '2020-01-01', 'end_date': '2020-12-31'},
   ```
   (untested)

##########
File path: airflow/providers/postgres/example_dags/example_postgres.py
##########
@@ -70,8 +70,9 @@
             BETWEEN SYMMETRIC DATE '{{ params.begin_date }}' AND DATE '{{ 
params.end_date }}';
             """,
         params={'begin_date': '2020-01-01', 'end_date': '2020-12-31'},

Review comment:
       Oh yeah, Better (if we want to keep it parameterized at all) would be to 
use parameters so that we don't risk SQLI:
   
   ```
               BETWEEN SYMMETRIC DATE :begin_date: AND DATE :end_date:';
               """,
           parameters={'begin_date': '2020-01-01', 'end_date': '2020-12-31'},
   ```
   (untested)




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [airflow] ashb commented on a change in pull request #21551: Add ability to pass config parameters to postgres operator

Reply via email to