[v11.0.x] ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94971)

ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942) * disable sql expressions remove duckdb ref * Run `make update-workspace` --------- Co-authored-by: Scott Lepper <scott.lepper@gmail.com> (cherry picked from commit ea71201ddc)
2024-10-18 14:48:48 +01:00
parent 10ea008462
commit ceff188b35
7 changed files with 45 additions and 54 deletions
@@ -125,6 +125,10 @@ func (h *ExpressionQueryReader) ReadQuery(
 		}

 	case QueryTypeSQL:
+		enabled := enableSqlExpressions(h)
+		if !enabled {
+			return eq, fmt.Errorf("sqlExpressions is not implemented")
+		}
 		q := &SQLExpression{}
 		err = iter.ReadVal(q)
 		if err == nil {
@@ -192,3 +196,11 @@ func getReferenceVar(exp string, refId string) (string, error) {
 	}
 	return exp, nil
 }
+
+func enableSqlExpressions(h *ExpressionQueryReader) bool {
+	enabled := !h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
+	if enabled {
+		return false
+	}
+	return false
+}