[v11.0.x] ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94971)
ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942)
* disable sql expressions
remove duckdb ref
* Run `make update-workspace`
---------
Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
(cherry picked from commit ea71201ddc)
@@ -125,6 +125,10 @@ func (h *ExpressionQueryReader) ReadQuery(
|
||||
}
|
||||
|
||||
case QueryTypeSQL:
|
||||
enabled := enableSqlExpressions(h)
|
||||
if !enabled {
|
||||
return eq, fmt.Errorf("sqlExpressions is not implemented")
|
||||
}
|
||||
q := &SQLExpression{}
|
||||
err = iter.ReadVal(q)
|
||||
if err == nil {
|
||||
@@ -192,3 +196,11 @@ func getReferenceVar(exp string, refId string) (string, error) {
|
||||
}
|
||||
return exp, nil
|
||||
}
|
||||
|
||||
func enableSqlExpressions(h *ExpressionQueryReader) bool {
|
||||
enabled := !h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
|
||||
if enabled {
|
||||
return false
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
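Review bot: `enableSqlExpressions` returns false on every path, so the local `enabled` (which actually holds the negation of the `FlagSqlExpressions` check) and the `if enabled` branch are dead, and the function's name reads as the opposite of what it does. If the intent is to hard-disable SQL expressions regardless of the feature flag until the RCE/LFI issue is fixed, state that and drop the dead branch: `// enableSqlExpressions always reports false: SQL expressions are disabled pending a fix for the RCE/LFI issue, and FlagSqlExpressions is intentionally not honoured.` followed by a bare `return false`. If instead the flag is meant to stay authoritative, the unconditional `return false` after the branch is the line to revisit. `ReadQuery` in the first hunk starts outside the hunk, so the `case QueryTypeSQL` guard is reviewed in isolation.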
@@ -0,0 +1,26 @@
|
||||
package sql
|
||||
|
||||
import (
|
||||
"errors"
|
||||
|
||||
"github.com/grafana/grafana-plugin-sdk-go/data"
|
||||
)
|
||||
|
||||
type DB struct {
|
||||
}
|
||||
|
||||
func (db *DB) TablesList(rawSQL string) ([]string, error) {
|
||||
return nil, errors.New("not implemented")
|
||||
}
|
||||
|
||||
func (db *DB) RunCommands(commands []string) (string, error) {
|
||||
return "", errors.New("not implemented")
|
||||
}
|
||||
|
||||
func (db *DB) QueryFramesInto(name string, query string, frames []*data.Frame, f *data.Frame) error {
|
||||
return errors.New("not implemented")
|
||||
}
|
||||
|
||||
func NewInMemoryDB() *DB {
|
||||
return &DB{}
|
||||
}
|
||||
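Review bot: The new `sql` package exports `DB`, `NewInMemoryDB` and three methods without any doc comment, so a reader has no way to tell that these are deliberate stubs replacing the removed DuckDB-backed engine rather than unfinished work. Suggested comments: on the type, `// DB is a placeholder for the removed DuckDB-backed engine; every method returns "not implemented" while SQL expressions are disabled.`, and on the constructor, `// NewInMemoryDB returns a DB whose methods all fail with "not implemented".`. The three identical `errors.New("not implemented")` calls could share one package-level sentinel, e.g. `var ErrNotImplemented = errors.New("not implemented")`, so callers can `errors.Is` it; `type DB struct {\n}` is conventionally written `type DB struct{}`.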
@@ -7,7 +7,6 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/jeremywohl/flatten"
|
||||
"github.com/scottlepp/go-duck/duck"
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -18,7 +17,7 @@ const (
|
||||
|
||||
// TablesList returns a list of tables for the sql statement
|
||||
func TablesList(rawSQL string) ([]string, error) {
|
||||
duckDB := duck.NewInMemoryDB()
|
||||
duckDB := NewInMemoryDB()
|
||||
rawSQL = strings.Replace(rawSQL, "'", "''", -1)
|
||||
cmd := fmt.Sprintf("SELECT json_serialize_sql('%s')", rawSQL)
|
||||
ret, err := duckDB.RunCommands([]string{cmd})
|
||||
|
||||
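Review bot: `TablesList` still doubles single quotes in `rawSQL` and interpolates it into `SELECT json_serialize_sql('%s')` before calling `RunCommands`, which on the stub `DB` always returns an error, so the `strings.Replace` and `fmt.Sprintf` lines are dead work and the quote-doubling remains the only escaping on that path. Either short-circuit before building the command or mark it: `// NOTE: cmd is never executed while the stub DB is in place; the quote-doubling above is not a general SQL escape and must be revisited before any backend is restored.`. `strings.Replace(rawSQL, "'", "''", -1)` is the pre-1.12 spelling of `strings.ReplaceAll(rawSQL, "'", "''")`. The body of `TablesList` continues past the hunk, and the import block in the first hunk starts outside it.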
@@ -7,7 +7,6 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana-plugin-sdk-go/data"
|
||||
"github.com/scottlepp/go-duck/duck"
|
||||
|
||||
"github.com/grafana/grafana/pkg/expr/mathexp"
|
||||
"github.com/grafana/grafana/pkg/expr/sql"
|
||||
@@ -85,9 +84,9 @@ func (gr *SQLCommand) Execute(ctx context.Context, now time.Time, vars mathexp.V
|
||||
|
||||
rsp := mathexp.Results{}
|
||||
|
||||
duckDB := duck.NewInMemoryDB()
|
||||
db := sql.NewInMemoryDB()
|
||||
var frame = &data.Frame{}
|
||||
err := duckDB.QueryFramesInto(gr.refID, gr.query, allFrames, frame)
|
||||
err := db.QueryFramesInto(gr.refID, gr.query, allFrames, frame)
|
||||
if err != nil {
|
||||
rsp.Error = err
|
||||
return rsp, nil
|
||||
|
||||