sha174n opened a new pull request, #40245: URL: https://github.com/apache/superset/pull/40245
### SUMMARY

Two related improvements to CTAS (Create Table As Select) identifier handling in SQL Lab:

1. **Quoted identifiers in `as_create_table()`** — `SQLStatement.as_create_table()` in `superset/sql/parse.py` now constructs the target table expression using `quoted=True` on all three identifier components (table, schema, catalog). sqlglot wraps quoted identifiers in dialect-specific delimiters (`"…"` for PostgreSQL/Trino/Snowflake, `` `…` `` for MySQL), which prevents any metacharacters in the identifier from being interpreted as SQL syntax.
2. **Format validation on `tmp_table_name`** — Both `ExecutePayloadSchema` (`superset/sqllab/schemas.py`) and `SqlJsonPayloadSchema` (`superset/views/sql_lab/schemas.py`) now validate `tmp_table_name` against `^[A-Za-z_][A-Za-z0-9_]*$`. This is the exact character set of a bare SQL identifier. The auto-generated fallback name (e.g. `tmp_1_table_2026_05_19_10_30_00`) already satisfies this pattern, so normal usage is unaffected.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — SQL Lab API change.

### TESTING INSTRUCTIONS

1. Start Superset locally.
2. In SQL Lab, run a SELECT query with **Save results** → **Results to new table** enabled.
3. Use a valid table name (e.g. `my_results`) — should succeed as before.
4. Submit the same request with `tmp_table_name` containing special characters (e.g. `foo; DROP TABLE bar; --`) — should now return HTTP 422 with a validation error instead of passing through to the database.
5. Run `pytest tests/unit_tests/sql/parse_tests.py -k as_create_table` — all tests pass.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
