jenkins-bot has submitted this change and it was merged.

Change subject: Add super minimal query checking
......................................................................


Add super minimal query checking

Change-Id: Ie62aab5be3525c73a30bccc929643b76227e9b5f
---
M quarry/web/app.py
A quarry/web/sqlactions.py
2 files changed, 19 insertions(+), 2 deletions(-)

Approvals:
  Yuvipanda: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/quarry/web/app.py b/quarry/web/app.py
index 81050b0..fbf5715 100644
--- a/quarry/web/app.py
+++ b/quarry/web/app.py
@@ -12,6 +12,7 @@
 from celery.utils.log import get_task_logger
 from redissession import RedisSessionInterface
 from mwoauth import ConsumerToken, Handshaker
+from sqlactions import check_sql
 
 
 app = Flask(__name__)
@@ -82,9 +83,13 @@
         qrun = QueryRun.get_by_id(query_run_id)
         qrun.status = QueryRun.STATUS_RUNNING
         qrun.save()
-        start_time = time.clock()
-        cur = g.replica.cursor()
         try:
+            check_result = check_sql(qrun.query_rev.text)
+            start_time = time.clock()
+            cur = g.replica.cursor()
+            if check_result is not True:
+                celery_log.info("Check result for qrun:%s failed, with 
message: %s", qrun.id, check_result[0])
+                raise pymysql.DatabaseError(0, check_result[1])
             cur.execute(qrun.query_rev.text)
             result = []
             result.append(make_result(cur))
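Review bot: The rejection test on the added `if check_result is not True:` line runs only after `start_time = time.clock()` and `cur = g.replica.cursor()`, so a query the policy refuses still opens a replica cursor before the raise, and nothing in the hunk closes it on that path. Moving the two-line check directly under `check_result = check_sql(qrun.query_rev.text)`, ahead of the cursor acquisition, keeps a rejected run from touching the replica at all and leaves the timing/cursor code reachable only for queries that passed. Raising `pymysql.DatabaseError(0, check_result[1])` for a policy decision also makes the rejection indistinguishable from a real server error to whatever `except` clause handles it; that handler sits outside the hunk, so I cannot tell whether it records the reason beyond the log line. The enclosing task body begins and ends outside this hunk.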
diff --git a/quarry/web/sqlactions.py b/quarry/web/sqlactions.py
new file mode 100644
index 0000000..993dcac
--- /dev/null
+++ b/quarry/web/sqlactions.py
@@ -0,0 +1,12 @@
+def check_sql(sql):
+    """Check if given SQL is ok to execute.
+    Super minimal and stupid right now, and should never
+    be considered 'authoritative'. Will probably always be
+    easily cirumventible by dedicated trolls, but should keep
+    the merely clueless out"""
+    if 'information_schema' in sql:
+        # According to springle hitting this db can fuck
+        # things up for everyone, and it isn't easy to
+        # restrict access to this from mysql
+        return ("Hitting information_schema", "Unauthorized access to 
restricted database")
+    return True
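Review bot: The `'information_schema' in sql` substring test is case-sensitive, while MySQL accepts `INFORMATION_SCHEMA` (and any other lettercase) for that database, so the one check this file adds is defeated by capitalisation alone; `if 'information_schema' in sql.lower():` closes the obvious gap without changing the intent stated in the docstring. The docstring already says the check is not authoritative, but it would help the next reader to state in a comment that this is a denylist on raw query text: it will also reject harmless queries that merely mention the string in a literal or comment, and it cannot see a reference reached through a view or other indirection. The mixed return contract (`True` on success, a `(log_message, user_message)` tuple on rejection) is relied on positionally by the caller in app.py and deserves a line in the docstring, e.g. `Returns True if ok, else (log_message, user_message).`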


Gerrit-MessageType: merged
Gerrit-Change-Id: Ie62aab5be3525c73a30bccc929643b76227e9b5f
Gerrit-PatchSet: 2
Gerrit-Project: analytics/quarry/web
Gerrit-Branch: master
Gerrit-Owner: Yuvipanda <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
