public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[v11.0.x] ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94971)

Browse Source 
ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942)

* disable sql expressions

remove duckdb ref

* Run `make update-workspace`

---------

Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
(cherry picked from commit ea71201ddc)
This commit is contained in:
Sam Jewell
2024-10-18 14:48:48 +01:00
committed by GitHub
parent 10ea008462
commit ceff188b35
7 changed files with 45 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/expr/sql/parser.go
+1 -2
View File
@@ -7,7 +7,6 @@ import (
"strings"
"github.com/jeremywohl/flatten"
"github.com/scottlepp/go-duck/duck"
)
const (
@@ -18,7 +17,7 @@ const (
// TablesList returns a list of tables for the sql statement
func TablesList(rawSQL string) ([]string, error) {
duckDB := duck.NewInMemoryDB()
duckDB := NewInMemoryDB()
rawSQL = strings.Replace(rawSQL, "'", "''", -1)
cmd := fmt.Sprintf("SELECT json_serialize_sql('%s')", rawSQL)
ret, err := duckDB.RunCommands([]string{cmd})