Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cluster-ui: add safesql to cluster-ui #96286

Merged
merged 1 commit into from
Feb 6, 2023
Merged

cluster-ui: add safesql to cluster-ui #96286

merged 1 commit into from
Feb 6, 2023

Conversation

THardy98
Copy link

Epic: none

This change ports the safesql package from managed-service to cluster-ui. Safesql ensures that SQL literals/identifiers are properly quoted.

Release note: None

@THardy98 THardy98 requested review from a team January 31, 2023 19:01
@THardy98 THardy98 marked this pull request as draft January 31, 2023 19:01
@cockroach-teamcity
Copy link
Member

This change is Reviewable

matthewtodd
matthewtodd reviewed Feb 1, 2023
View reviewed changes
Copy link
Contributor

@matthewtodd matthewtodd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, @THardy98! Just wanted to double-check: IIUC, this library does (and should) stop short of interpolating arguments to queries, yes? It's strictly for things like user, database, table, and column names? And everything else we'd pass along for the db driver to interpolate -- I think drawing that line limits our security exposure.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained

THardy98
THardy98 commented Feb 2, 2023
View reviewed changes
Copy link
Author

@THardy98 THardy98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe so yes. The most common use case I've seen being adding identifiers directly to query strings:

safesql.Format(`SELECT * FROM %1.this_is_a_table_name`, safesql.Identifier(`this is my db name`))

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained

@THardy98 THardy98 marked this pull request as ready for review February 2, 2023 19:23
cluster-ui: add safesql to cluster-ui
1403411 
Epic: none

This change ports the `safesql` package from managed-service to
cluster-ui. Safesql ensures that SQL literals/identifiers are properly
quoted.

Release note: None
@THardy98 THardy98 requested review from matthewtodd and a team February 3, 2023 16:46
maryliag
maryliag reviewed Feb 6, 2023
View reviewed changes
Copy link
Contributor

@maryliag maryliag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @matthewtodd and @THardy98)

pkg/ui/workspaces/cluster-ui/src/api/safesql.ts line 22 at r2 (raw file):

}

// TODO(thomas): @knz says: the quoting rules for usernames are different from

are you addressing this on this PR?

THardy98
THardy98 commented Feb 6, 2023
View reviewed changes
Copy link
Author

@THardy98 THardy98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @maryliag and @matthewtodd)

pkg/ui/workspaces/cluster-ui/src/api/safesql.ts line 22 at r2 (raw file):

Previously, maryliag (Marylia Gutierrez) wrote…

are you addressing this on this PR?

TLDR: no

This was actually an old TODO left by Peter a couple years ago (late 2020) on the corresponding safesql.go in managed-service. I decided to keep it and tag myself here as I've added this. Alternatively, I could omit the TODO altogether.

@THardy98 THardy98 requested a review from maryliag February 6, 2023 15:15
maryliag
maryliag approved these changes Feb 6, 2023
View reviewed changes
Copy link
Contributor

@maryliag maryliag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @matthewtodd and @THardy98)

pkg/ui/workspaces/cluster-ui/src/api/safesql.ts line 22 at r2 (raw file):

Previously, THardy98 (Thomas Hardy) wrote…

TLDR: no

This was actually an old TODO left by Peter a couple years ago (late 2020) on the corresponding safesql.go in managed-service. I decided to keep it and tag myself here as I've added this. Alternatively, I could omit the TODO altogether.

You can keep it, np!

@THardy98
Copy link
Author

THardy98 commented Feb 6, 2023

TYFR :)

@THardy98
Copy link
Author

THardy98 commented Feb 6, 2023

bors r+

@craig
Copy link
Contributor

craig bot commented Feb 6, 2023

Build succeeded:

@craig craig bot merged commit 4ab6b68 into cockroachdb:master Feb 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maryliag maryliag maryliag approved these changes

@matthewtodd matthewtodd Awaiting requested review from matthewtodd

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@THardy98 @cockroach-teamcity @matthewtodd @maryliag