bito-code-review[bot] commented on PR #40662:
URL: https://github.com/apache/superset/pull/40662#issuecomment-4598962669
The PR introduces a new method `_apply_sql_security` in `estimate.py` to
enforce SQL security controls (disallowed functions/tables, DML restrictions,
and RLS) before cost estimation. This mirrors the execution path in
`sql_lab.execute_sql_statements` to ensure the cost estimate reflects the same
constrained query the user would run. The user's comment suggests resolving the
default schema/catalog before applying RLS to avoid mismatches in table
resolution, which could impact the accuracy of cost estimates.
**superset/commands/sql_lab/estimate.py**
```python
def _apply_sql_security(self, sql: str) -> str:
    """Run the disallowed-function/table, DML and RLS controls against the
    SQL to be estimated, mirroring ``sql_lab.execute_sql_statements``.

    Returns the SQL with RLS predicates injected (when ``RLS_IN_SQLLAB`` is
    enabled), so the cost estimate reflects the same constrained query the
    user would actually be allowed to run.
    """
    db_engine_spec = self._database.db_engine_spec
    parsed_script = SQLScript(sql, engine=db_engine_spec.engine)

    # Both deny-lists are configured per engine.
    disallowed_functions = app.config["DISALLOWED_SQL_FUNCTIONS"].get(
        db_engine_spec.engine,
        set(),
    )
    if disallowed_functions and parsed_script.check_functions_present(
        disallowed_functions
    ):
        raise SupersetDisallowedSQLFunctionException(disallowed_functions)

    disallowed_tables = app.config["DISALLOWED_SQL_TABLES"].get(
        db_engine_spec.engine,
        set(),
    )
    if disallowed_tables and parsed_script.check_tables_present(
        disallowed_tables
    ):
        # Report only the disallowed tables the script actually references.
        found_tables = set()
        for statement in parsed_script.statements:
            present = {table.table.lower() for table in statement.tables}
            for table in disallowed_tables:
                if table.lower() in present:
                    found_tables.add(table)
        raise SupersetDisallowedSQLTableException(
            found_tables or disallowed_tables
        )

    if parsed_script.has_mutation() and not self._database.allow_dml:
        raise SupersetDMLNotAllowedException()

    if is_feature_enabled("RLS_IN_SQLLAB"):
        for statement in parsed_script.statements:
            apply_rls(self._database, self._catalog, self._schema, statement)
        return parsed_script.format()

    return sql
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
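The point of the change under review is that the cost-estimate path must run the same controls as the execution path, otherwise estimating a query becomes a way to reach functions, tables or rows that execution would refuse. The stand-alone Python below is an added illustration of that shared guard and is not Superset's code: it replaces Superset's `SQLScript` parser with small regexes, uses constructed deny-lists and RLS predicates, and uses an `EXPLAIN` prefix as a stand-in for the engine's cost-estimate call.

```python
import re

# Constructed configuration in the shape of Superset's DISALLOWED_SQL_FUNCTIONS /
# DISALLOWED_SQL_TABLES settings (engine name -> set of names). Example values only.
DISALLOWED_SQL_FUNCTIONS = {"postgresql": {"pg_sleep", "pg_read_file"}}
DISALLOWED_SQL_TABLES = {"postgresql": {"pg_shadow", "pg_authid"}}
# Constructed RLS rules for the "current user": table name -> predicate to enforce.
RLS_PREDICATES = {"orders": "region = 'EMEA'"}
# Statement-leading keywords treated as mutations (DML/DDL).
DML_KEYWORDS = {"insert", "update", "delete", "drop", "alter", "create", "truncate", "merge", "grant"}


class DisallowedSQLFunction(Exception):
    """A function from DISALLOWED_SQL_FUNCTIONS appears in the SQL."""


class DisallowedSQLTable(Exception):
    """A table from DISALLOWED_SQL_TABLES appears in the SQL."""


class DMLNotAllowed(Exception):
    """The SQL mutates data but the database does not allow DML."""


# Regex stand-ins for the real parser (hypothetical simplifications: `from (`
# in a subquery would be reported as a "function" named from, which is harmless
# here because it is only intersected with the deny-list).
_FUNC_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)
_SELECT_RE = re.compile(
    r"^(?P<head>select\s.+?\sfrom\s+(?P<table>[A-Za-z_][\w.]*))"
    r"(?:\s+where\s+(?P<where>.+?))?"
    r"(?P<tail>\s+(?:group\s+by|order\s+by|limit)\b.*)?$",
    re.IGNORECASE | re.DOTALL,
)


def split_statements(sql: str) -> list[str]:
    """Split a script on ';' (string literals containing ';' are not handled)."""
    return [s.strip() for s in sql.split(";") if s.strip()]


def functions_present(sql: str) -> set[str]:
    return {m.group(1).lower() for m in _FUNC_RE.finditer(sql)}


def tables_present(sql: str) -> set[str]:
    # Compare on the unqualified name so `public.pg_shadow` is still caught.
    return {m.group(1).split(".")[-1].lower() for m in _TABLE_RE.finditer(sql)}


def has_mutation(sql: str) -> bool:
    return any(stmt.split(None, 1)[0].lower() in DML_KEYWORDS for stmt in split_statements(sql))


def apply_rls(statement: str, predicates: dict[str, str]) -> str:
    """Inject the RLS predicate for a single-table SELECT; other shapes pass through."""
    m = _SELECT_RE.match(statement.strip())
    if not m:
        return statement
    predicate = predicates.get(m.group("table").split(".")[-1].lower())
    if not predicate:
        return statement
    where = m.group("where")
    clause = f"({where}) AND ({predicate})" if where else f"({predicate})"
    return f"{m.group('head')} WHERE {clause}{m.group('tail') or ''}"


def apply_sql_security(sql: str, engine: str, allow_dml: bool, rls_enabled: bool = True) -> str:
    """The shared guard: same checks, in the same order, for execute and estimate."""
    hit = functions_present(sql) & {f.lower() for f in DISALLOWED_SQL_FUNCTIONS.get(engine, set())}
    if hit:
        raise DisallowedSQLFunction(sorted(hit))
    hit = tables_present(sql) & {t.lower() for t in DISALLOWED_SQL_TABLES.get(engine, set())}
    if hit:
        raise DisallowedSQLTable(sorted(hit))
    if has_mutation(sql) and not allow_dml:
        raise DMLNotAllowed(sql)
    if rls_enabled:
        return ";\n".join(apply_rls(s, RLS_PREDICATES) for s in split_statements(sql))
    return sql


def estimate_cost(sql: str, engine: str, allow_dml: bool) -> str:
    """Estimate path: the guard runs before anything reaches the engine (EXPLAIN is a stand-in)."""
    return f"EXPLAIN {apply_sql_security(sql, engine, allow_dml)}"


def guard_outcome(sql: str, engine: str, allow_dml: bool) -> str:
    """Name of the control that rejected the SQL, or 'allowed'."""
    try:
        apply_sql_security(sql, engine, allow_dml)
    except (DisallowedSQLFunction, DisallowedSQLTable, DMLNotAllowed) as exc:
        return type(exc).__name__
    return "allowed"


if __name__ == "__main__":
    print(estimate_cost("SELECT id FROM orders WHERE total > 100 ORDER BY id", "postgresql", False))
    for sql in ("SELECT pg_sleep(10)", "SELECT usename FROM pg_shadow", "DELETE FROM orders"):
        print(sql, "->", guard_outcome(sql, "postgresql", False))
```

The RLS step is where the reviewer's remark about resolving the default catalog and schema first matters: this toy matches predicates on the unqualified table name, so `orders` and `public.orders` receive the same predicate, whereas a real implementation has to resolve each reference to the catalog and schema the query will actually run against before it can know which RLS rule applies.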