From 8ab94e15538caba4ef7498ea26649535df27016e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Wed, 2 Oct 2024 15:55:34 +0000
Subject: [PATCH] apply security patch: v11.2.x/182-202409301509.patch

commit a5445cf0c8e05c807cc2c77eac9fd1cc06cf83aa
Author: Scott Lepper <scott.lepper@gmail.com>
Date:   Mon Sep 30 11:08:17 2024 -0400

    disable sql expressions
---
 pkg/expr/sql/db.go      | 26 ++++++++++++++++++++++++++
 pkg/expr/sql/parser.go  |  3 +--
 pkg/expr/sql_command.go |  3 +--
 3 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 pkg/expr/sql/db.go

diff --git a/pkg/expr/sql/db.go b/pkg/expr/sql/db.go
new file mode 100644
index 00000000000..1e7aca0c1b6
--- /dev/null
+++ b/pkg/expr/sql/db.go
@@ -0,0 +1,26 @@
+package sql
+
+import (
+	"errors"
+
+	"github.com/grafana/grafana-plugin-sdk-go/data"
+)
+
+type DB struct {
+}
+
+func (db *DB) TablesList(rawSQL string) ([]string, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (db *DB) RunCommands(commands []string) (string, error) {
+	return "", errors.New("not implemented")
+}
+
+func (db *DB) QueryFramesInto(name string, query string, frames []*data.Frame, f *data.Frame) error {
+	return errors.New("not implemented")
+}
+
+func NewInMemoryDB() *DB {
+	return &DB{}
+}
diff --git a/pkg/expr/sql/parser.go b/pkg/expr/sql/parser.go
index 809bbe96f9b..a5ca1fb6f5b 100644
--- a/pkg/expr/sql/parser.go
+++ b/pkg/expr/sql/parser.go
@@ -8,7 +8,6 @@ import (
 
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/jeremywohl/flatten"
-	"github.com/scottlepp/go-duck/duck"
 )
 
 const (
@@ -21,7 +20,7 @@ var logger = log.New("sql_expr")
 
 // TablesList returns a list of tables for the sql statement
 func TablesList(rawSQL string) ([]string, error) {
-	duckDB := duck.NewInMemoryDB()
+	duckDB := NewInMemoryDB()
 	rawSQL = strings.Replace(rawSQL, "'", "''", -1)
 	cmd := fmt.Sprintf("SELECT json_serialize_sql('%s')", rawSQL)
 	ret, err := duckDB.RunCommands([]string{cmd})
diff --git a/pkg/expr/sql_command.go b/pkg/expr/sql_command.go
index 05636f79ffc..cfb8e0edafd 100644
--- a/pkg/expr/sql_command.go
+++ b/pkg/expr/sql_command.go
@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/grafana/grafana-plugin-sdk-go/data"
-	"github.com/scottlepp/go-duck/duck"
 
 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	"github.com/grafana/grafana/pkg/expr/mathexp"
@@ -94,7 +93,7 @@ func (gr *SQLCommand) Execute(ctx context.Context, now time.Time, vars mathexp.V
 
 	rsp := mathexp.Results{}
 
-	duckDB := duck.NewInMemoryDB()
+	duckDB := sql.NewInMemoryDB()
 	var frame = &data.Frame{}
 
 	logger.Debug("Executing query", "query", gr.query, "frames", len(allFrames))