[v11.3.x] ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94955)

ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942) * disable sql expressions remove duckdb ref * Run `make update-workspace` --------- Co-authored-by: Scott Lepper <scott.lepper@gmail.com> (cherry picked from commit ea71201ddc)
2024-10-18 12:46:53 +01:00
parent 4a800ace30
commit df57ba1b70
7 changed files with 51 additions and 35 deletions
@@ -8,7 +8,6 @@ import (

 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/jeremywohl/flatten"
-	"github.com/scottlepp/go-duck/duck"
 )

 const (
@@ -21,7 +20,7 @@ var logger = log.New("sql_expr")

 // TablesList returns a list of tables for the sql statement
 func TablesList(rawSQL string) ([]string, error) {
-	duckDB := duck.NewInMemoryDB()
+	duckDB := NewInMemoryDB()
 	rawSQL = strings.Replace(rawSQL, "'", "''", -1)
 	cmd := fmt.Sprintf("SELECT json_serialize_sql('%s')", rawSQL)
 	ret, err := duckDB.RunCommands([]string{cmd})