feat: preventing ddl and dml statements from autosubmiting

[vlastahajek]

This pull request introduces improvement of query editor to disable auto submission dangerous queries such as DROP, DELETE, ALTER, ...

• CHANGELOG.md updated with a link to the PR (not the Issue)
• Well-formatted commit messages
• Rebased/mergeable
• Tests pass
• Sign CLA (if not already signed)

[vlastahajek]

PR is now ready for early review.
There is still some work needed:

• excluded statements show 'skipped' when the query is returned to the previous state
• submit button sometimes doesn't submit an excluded query
• Cleaning - remove logging

[karel-rehor]

Preliminary feedback
PR-6105-Testing241010.csv
Preliminary tests raise a few questions. Mainly with content of queryFilter.ts

1. UPDATE statement does not appear in the Influxql documentation.
2. INSERT appears as a keyword but is not documented. When used in the QueryEditor, after clicking submit an error message appears error parsing query: found INSERT, expected SELECT, DELETE, SHOW, CREATE, DROP, EXPLAIN, GRANT, REVOKE, ALTER, SET, KILL at line 1, char 1
3. DELETE statement appears and is documented. The following was attempted, along with variations of specifying the database and measurement: DELETE FROM wellhead.autogen.flow WHERE celsius > 40.0, however when clicking "Submit" the QueryEditor always returns an error of either database not found: or error parsing query: retention policy not supported. Perhaps there's a trick I'm missing or a work around.
4. Maybe the following should be added to this file:
   1. REVOKE
   2. GRANT
   3. SET - not well documented
   4. KILL

https://docs.influxdata.com/enterprise_influxdb/v1/query_language/spec/#keywords

The following non-excluded DQL statements work as expected:

1. SHOW - e.g. SHOW DATABASES or SHOW MEASUREMENTS ON wellhead
2. SELECT - e.g. SELECT * FROM wellhead.autogen.flow

[karel-rehor]

Baseline Test

I've checked a revised test plan against the latest distribution (wget https://download.influxdata.com/chronograf/releases/chronograf_1.10.5_amd64.deb)

The test plan is based on the commands found in queryFilter.ts and suggestions in previous comment

SFL = Submit on Focus Loss (Query Editor)
SRR = Submit automatic on Reload
SBC = Submit on Button Click

Universal Statements: EXPLAIN, SELECT, SHOW
Restricted Statements (Proposed): ALTER, CREATE, DELETE, DROP, GRANT, KILL, INSERT(?), REVOKE, SET, UPDATE(?), USE(*)

(*) DO we want to restrict the USE statement automatically. Statements like USE hosts; SELECT * FROM cpu can be handy.

Universal statements can be submitted arbitrarily on focus change or page reload (to restore state of previous session).

Restricted statements should not be submitted arbitrarily through focus loss or on page reload. FAIL below indicates that such behavior occurred. Still the submit button should work.

Command Type	Tab 1 - SFL	Tab N - SFL	Tab 1 - SRR	Tab N - SRR	Tab 1 - SBC	Tab N - SBC
Universal - SELECT	OK	OK	OK	OK	OK	OK
Restricted - CREATE	FAIL	FAIL	FAIL	FAIL	OK	OK

Command	SFL	SRR	SBC
DROP	FAIL	OK(1)	OK
DELETE	FAIL	FAIL	OK
ALTER	FAIL	FAIL	OK
CREATE	FAIL	FAIL	OK
UPDATE	N/A(2)	N/A	N/A
INSERT	N/A(3)	N/A	N/A
Proposed
GRANT	FAIL	FAIL	OK
REVOKE	FAIL	FAIL	OK
SET	FAIL	FAIL	OK

(1) - DROP Statements disappear on reload
(2) - UPDATE is not listed as a statement in InfluxQL documentation
(3) - INSERT statement results in error message that INSERT not found among supported statements in Chronograph

PR-6105-Testing241014-standard-product.csv

N.B. Should statements SHOW USERS and SHOW GRANTS also be restricted from arbitrary loading for security reasons.

[karel-rehor]

Test of Commit 8808fee

Tested 2024.10.16

Local Build running on port 7777 - to avoid conflicts with product build listening on 8888
Test Env:

• OS - Ubuntu 22.04
• Browser - Opera as a neutral but very stable baseline browser - Opera 114.0.5

SFL = Submit on Focus Loss (Query Editor)
SRR = Submit automatic on Reload
SBC = Submit on Button Click

Universal Statements: EXPLAIN, SELECT, SHOW
Restricted Statements (Proposed): ALTER, CREATE, DELETE, DROP, GRANT, KILL, INSERT(?), REVOKE, SET(3 - below), UPDATE(?), USE

Universal statements can be submitted arbitrarily on focus change or page reload (to restore state of previous session).

Restricted statements should not be submitted arbitrarily through focus loss or on page reload. FAIL below indicates that such behavior occurred. Still the submit button should work.

Command Type	Tab 1 - SFL	Tab N - SFL	Tab 1 - SRR	Tab N - SRR	Tab 1 - SBC	Tab N - SBC
Universal - SELECT	PASS	PASS	PASS	PASS	PASS	PASS
Restricted - CREATE	PASS	PASS	PASS	PASS	PASS	PASS

Restricted Commands

Command	SFL	SRR	SBC
DROP	PASS	PASS	PASS
DELETE	PASS	PASS	PASS
ALTER	PASS	PASS	PASS
CREATE	PASS	PASS	PASS
UPDATE	N/A(1)	N/A	N/A
INSERT	PASS	PASS	PASS(2)
GRANT	PASS	PASS	PASS
REVOKE	PASS	PASS	PASS
USE	PASS	PASS	PASS
SET(3)	FAIL	FAIL	PASS

(1) UPDATE does not appear as a keyword in InfluxQL, however it has been added as a placeholder in the event of future changes.
(2) Test was of USE ephemeral; INSERT gopher,location=pond nuts=42i, so more a second test of the USE statement. INSERT works in CLI influx client, but is not supported in chronograf, which returns the error message error parsing query: found INSERT, expected SELECT, DELETE, SHOW, CREATE, DROP, EXPLAIN, GRANT, REVOKE, ALTER, SET, KILL at line 1, char 1. Indicated as PASS here, because behavior has not changed.
(3) SET can be used to set/change passwords e.g. SET PASSWORD FOR "my-user" = 'SuperSecretPW'. Undesired submits via chronograf could be an issue. Whether this statement should be restricted or not is still up for consideration, but not a blocker to closing this PR.

Universal Commands

Command	SFL	SRR	SBC
SELECT	PASS	PASS	PASS
SHOW	PASS	PASS	PASS

PR-6105-Testing241016-8808fee4.csv

[karel-rehor]

Test of Commit e904a25

Tested 2024.10.21

New Issue

With restricted statements, discovered that after a restricted statement is sent successfully, the statement can then be resubmitted when another statement in another tab is sent, or when another tab is closed. See below COTB-Resub record of test of restricted statements.

Use Case:

1. In tab 1 submit CREATE DATABASE test1 and submit with the submit button
2. In tab 2 submit SHOW DATABASES
3. In tab 3 submit DROP DATABASE test1
4. In influx cli verify database dropped with SHOW DATABASE
5. In Chronograf delete tab 3
6. The statement in tab 1 is resubmitted and the database is recreated

Recommendation

The SET statement should also be restricted.

Test Run Details

Local Build running on port 7777 - to avoid conflicts with product build listening on 8888
Test Env:

• OS - Ubuntu 22.04
• Browser - Opera as a neutral but very stable baseline browser - Opera 114.0.5

SFL = Submit on Focus Loss (Query Editor)
SRR = Submit automatic on Reload
SBC = Submit on Button Click
COTB-Resub = Change in other tab resubmit – means command already sent successfully, and is resubmitted after change in another tab. It is expected that restricted statements will not be resubmitted in this way.

Universal Statements: EXPLAIN, SELECT, SHOW
Restricted Statements (Proposed): ALTER, CREATE, DELETE, DROP, GRANT, KILL, INSERT(?), REVOKE, SET(3 - below), UPDATE(?), USE

Universal statements can be submitted arbitrarily on focus change or page reload (to restore state of previous session).

Restricted statements should not be submitted arbitrarily through focus loss or on page reload. FAIL below indicates that such behavior occurred. Still the submit button should work.

Command Type	Tab 1 - SFL	Tab N - SFL	Tab 1 - SRR	Tab N - SRR	Tab 1 - SBC	Tab N - SBC	COTB-Resub
Universal - SELECT	PASS	PASS	PASS	PASS	PASS	PASS	PASS
Restricted - CREATE	PASS	PASS	PASS	PASS	PASS	PASS	FAIL

Restricted Commands

Command	SFL	SRR	SBC
DROP	PASS	PASS	PASS
DELETE	PASS	PASS	PASS
ALTER	PASS	PASS	PASS
CREATE	PASS	PASS	PASS
UPDATE	N/A(1)	N/A	N/A
INSERT	PASS	PASS	PASS(2)
GRANT	PASS	PASS	PASS
REVOKE	PASS	PASS	PASS
USE	PASS	PASS	PASS
SET(3)	FAIL	FAIL	PASS

(1) UPDATE does not appear as a keyword in InfluxQL, however it has been added as a placeholder in the event of future changes.
(2) Test was of USE ephemeral; INSERT gopher,location=pond nuts=42i, so more a second test of the USE statement. INSERT works in CLI influx client, but is not supported in chronograf, which returns the error message error parsing query: found INSERT, expected SELECT, DELETE, SHOW, CREATE, DROP, EXPLAIN, GRANT, REVOKE, ALTER, SET, KILL at line 1, char 1. Indicated as PASS here, because behavior has not changed.
(3) SET can be used to set/change passwords e.g. SET PASSWORD FOR "my-user" = 'SuperSecretPW'. Undesired submits via chronograf could be an issue. Whether this statement should be restricted or not is still up for consideration, but not a blocker to closing this PR.

Universal Commands

Command	SFL	SRR	SBC
SELECT	PASS	PASS	PASS
SHOW	PASS	PASS	PASS

PR-6105-Testing241021-e904a259.csv

[karel-rehor]

See comment following manual test in general coversation. #6105 (comment)

A new minor issue was uncovered.

[vlastahajek]

Fixed auto-submitting, when no change was done and also when the Refresh button is clicked.

There is still a problem in the query status text in case of an excluded statement is still in the submitted form or returned to the submitted form, but an other statement is submitted. This results in "Unsubmitted" state.

[karel-rehor]

Test of Commit 630d521

Tested 2024.10.23

Previous Issue

See comment from 10.21 above. Seems to work correctly now

Recommendation

The SET statement should also be restricted.

Test Run Details

Local Build running on port 7777 - to avoid conflicts with product build listening on 8888
Test Env:

• OS - Ubuntu 22.04
• Browser - Opera as a neutral but very stable baseline browser - Opera 114.0.5

SFL = Submit on Focus Loss (Query Editor)
SRR = Submit automatic on Reload
SBC = Submit on Button Click
COTB-Resub = Change in other tab resubmit – means command already sent successfully, and is resubmitted after change in another tab. It is expected that restricted statements will not be resubmitted in this way. This also includes a check of the manual refresh button.

Universal Statements: EXPLAIN, SELECT, SHOW
Restricted Statements (Proposed): ALTER, CREATE, DELETE, DROP, GRANT, KILL, INSERT(?), REVOKE, SET(3 - below), UPDATE(?), USE

Universal statements can be submitted arbitrarily on focus change or page reload (to restore state of previous session).

Restricted statements should not be submitted arbitrarily through focus loss or on page reload. FAIL below indicates that such behavior occurred. Still the submit button should work.

Command Type	Tab 1 - SFL	Tab N - SFL	Tab 1 - SRR	Tab N - SRR	Tab 1 - SBC	Tab N - SBC	COTB-Resub
Universal - SELECT	PASS	PASS	PASS	PASS	PASS	PASS	PASS
Restricted - CREATE	PASS	PASS	PASS	PASS	PASS	PASS	PASS

Restricted Commands

Command	SFL	SRR	SBC
DROP	PASS	PASS	PASS
DELETE	PASS	PASS	PASS
ALTER	PASS	PASS	PASS
CREATE	PASS	PASS	PASS
UPDATE	N/A(1)	N/A	N/A
INSERT	PASS	PASS	PASS(2)
GRANT	PASS	PASS	PASS
REVOKE	PASS	PASS	PASS
USE	PASS	PASS	PASS
SET(3)	FAIL	FAIL	PASS

(1) UPDATE does not appear as a keyword in InfluxQL, however it has been added as a placeholder in the event of future changes.
(2) Test was of USE ephemeral; INSERT gopher,location=pond nuts=42i, so more a second test of the USE statement. INSERT works in CLI influx client, but is not supported in chronograf, which returns the error message error parsing query: found INSERT, expected SELECT, DELETE, SHOW, CREATE, DROP, EXPLAIN, GRANT, REVOKE, ALTER, SET, KILL at line 1, char 1. Indicated as PASS here, because behavior has not changed.
(3) SET can be used to set/change passwords e.g. SET PASSWORD FOR "my-user" = 'SuperSecretPW'. Undesired submits via chronograf could be an issue. Whether this statement should be restricted or not is still up for consideration, but not a blocker to closing this PR.

Universal Commands

Command	SFL	SRR	SBC
SELECT	PASS	PASS	PASS
SHOW	PASS	PASS	PASS

PR-6105-Testing241023-630d5211.csv

[vlastahajek]

The correct query state when returning to the resubmitted state has been fixed.
Also, a new issue with clicking on the Time refresh button in the Cell editor after submitting the query resulted in submitting it again was discovered and fixed.
However, the fix could be improved by properly propagating it to the query state hold in the DataExplorer and CellEditorOverlay

[vlastahajek]

PR was updated with better query state management. All issues should be resolved.
It's now read for the final review

[karel-rehor]

Test of Commit 630d521

Tested 2024.11.18

Recommendation

The SET statement should also be restricted.

Test Run Details

Local Build running on port 7777 - to avoid conflicts with product build listening on 8888
Test Env:

• OS - Ubuntu 22.04
• Browser - Opera as a neutral but very stable baseline browser - Opera 114.0.5
• local build - Chronograf 1.10.5 (git: 953bfd4)

SFL = Submit on Focus Loss (Query Editor)
SRR = Submit automatic on Reload
SBC = Submit on Button Click
COTB-Resub = Change in other tab resubmit – means command already sent successfully, and is resubmitted after change in another tab. It is expected that restricted statements will not be resubmitted in this way. This also includes a check of the manual refresh button.

Universal Statements: EXPLAIN, SELECT, SHOW
Restricted Statements (Proposed): ALTER, CREATE, DELETE, DROP, GRANT, KILL, INSERT(?), REVOKE, SET(3 - below), UPDATE(?), USE

Universal statements can be submitted arbitrarily on focus change or page reload (to restore state of previous session).

Restricted statements should not be submitted arbitrarily through focus loss or on page reload. FAIL below indicates that such behavior occurred. Still the submit button should work.

Command Type	Tab 1 - SFL	Tab N - SFL	Tab 1 - SRR	Tab N - SRR	Tab 1 - SBC	Tab N - SBC	COTB-Resub
Universal - SELECT	PASS	PASS	PASS	PASS	PASS	PASS	PASS
Restricted - CREATE	PASS	PASS	PASS	PASS	PASS	PASS	PASS

Restricted Commands

Command	SFL	SRR	SBC
DROP	PASS	PASS	PASS
DELETE	PASS	PASS	PASS
ALTER	PASS	PASS	PASS
CREATE	PASS	PASS	PASS
UPDATE	N/A(1)	N/A	N/A
INSERT	PASS	PASS	PASS(2)
GRANT	PASS	PASS	PASS
REVOKE	PASS	PASS	PASS
USE	PASS	PASS	PASS
SET(3)	FAIL	FAIL	PASS

(1) UPDATE does not appear as a keyword in InfluxQL, however it has been added as a placeholder in the event of future changes.
(2) Test was of USE ephemeral; INSERT gopher,location=pond nuts=42i, so more a second test of the USE statement. INSERT works in CLI influx client, but is not supported in chronograf, which returns the error message error parsing query: found INSERT, expected SELECT, DELETE, SHOW, CREATE, DROP, EXPLAIN, GRANT, REVOKE, ALTER, SET, KILL at line 1, char 1. Indicated as PASS here, because behavior has not changed.
(3) SET can be used to set/change passwords e.g. SET PASSWORD FOR "my-user" = 'SuperSecretPW'. Undesired submits via chronograf could be an issue. Whether this statement should be restricted or not is still up for consideration, but not a blocker to closing this PR.

Universal Commands

Command	SFL	SRR	SBC
SELECT	PASS	PASS	PASS
SHOW	PASS	PASS	PASS
EXPLAIN	PASS	PASS	PASS

Addenda
Refresh button

Test Case	Result State	Notes
Universal command 1 click	OK - submitted	command: SELECT * FROM ephemeral.autogen.cpu
Universal command 2 click	OK - submitted	command: SELECT * FROM ephemeral.autogen.cpu
Restricted command 1 click	OK - not submitted	command: CREATE DATABASE test2
Restricted command 2 click	OK - not submitted	command: CREATE DATABASE test2

PR-6105-Testing241118-953bfd40.ods

[karel-rehor]

Can you take a look at the imports? I'm continuing reviewing the rest of the code.

[vlastahajek]

I changed relative paths to absolute.

[karel-rehor]

Manual tests pass. Changes make general sense. Good to go.