suddjian commented on a change in pull request #19055:
URL: https://github.com/apache/superset/pull/19055#discussion_r822964917
##########
File path: tests/unit_tests/sql_parse_tests.py
##########
@@ -1189,3 +1193,169 @@ def test_sqlparse_issue_652():
stmt = sqlparse.parse(r"foo = '\' AND bar = 'baz'")[0]
assert len(stmt.tokens) == 5
assert str(stmt.tokens[0]) == "foo = '\\'"
+
+
[email protected](
+ "sql,expected",
+ [
+ ("SELECT * FROM table", True),
+ ("SELECT a FROM (SELECT 1 AS a) JOIN (SELECT * FROM table)", True),
+ ("(SELECT COUNT(DISTINCT name) AS foo FROM birth_names)", True),
+ ("COUNT(*)", False),
+ ("SELECT a FROM (SELECT 1 AS a)", False),
+ ("SELECT a FROM (SELECT 1 AS a) JOIN table", True),
+ ("SELECT * FROM (SELECT 1 AS foo, 2 AS bar) ORDER BY foo ASC, bar",
False),
+ ("SELECT * FROM other_table", True),
+ ],
+)
+def test_has_table_query(sql: str, expected: bool) -> None:
+ """
+ Test if a given statement queries a table.
+
+ This is used to prevent ad-hoc metrics from querying unauthorized tables,
bypassing
+ row-level security.
+ """
+ statement = sqlparse.parse(sql)[0]
+ assert has_table_query(statement) == expected
+
+
[email protected](
+ "sql,table,rls,expected",
+ [
+ # append RLS to an existing WHERE clause
+ (
+ "SELECT * FROM other_table WHERE 1=1",
+ "other_table",
+ "id=42",
+ "SELECT * FROM other_table WHERE 1=1 AND other_table.id=42",
+ ),
+ # "table" is a reserved word; since sqlparse is too aggressive when
characterizing
+ # reserved words we need to support them even when not quoted
Review comment:
good catch, damn