[PR] fix(sql): avoid false positives in disallowed function checks [superset]

Wed, 10 Jun 2026 23:43:18 -0700 


LaurinBrechter opened a new pull request, #40963:
URL: https://github.com/apache/superset/pull/40963

   ### SUMMARY
   
   The SQL executor's disallowed-function check used substring matching on the 
raw SQL string, causing false positives when column or table names contained a 
disallowed function name as a substring (e.g. `skilllevel` triggering the 
`kill` blocklist for MySQL).
   
   This change uses `SQLScript.check_functions_present()` — the same AST-based 
approach already used in `sql_lab.py` and `models/helpers.py` — so only actual 
function invocations are blocked.
   
   ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
   
   N/A — backend-only change.
   
   ### TESTING INSTRUCTIONS
   
   1. Configure `DISALLOWED_SQL_FUNCTIONS` with `{"mysql": {"kill"}}` in 
`superset_config.py`
   2. Run a query that references a column like `skilllevel` — it should succeed
   3. Run `SELECT KILL(123)` — it should be rejected with an error mentioning 
`kill`
   4. Run unit tests:
      ```bash
      pytest 
tests/unit_tests/sql/execution/test_executor.py::test_execute_disallowed_function_not_matched_in_identifiers
 
tests/unit_tests/sql/execution/test_executor.py::test_execute_disallowed_mysql_kill_function
 -v
      ```
   
   ### ADDITIONAL INFORMATION
   
   - [ ] Has associated issue:
   - [ ] Required feature flags:
   - [ ] Changes UI
   - [ ] Includes DB Migration (follow approval process in 
[SIP-59](https://github.com/apache/superset/issues/13351))
     - [ ] Migration is atomic, supports rollback & is backwards-compatible
     - [ ] Confirm DB migration upgrade and downgrade tested
     - [ ] Runtime estimates and downtime expectations provided
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to