ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942)

* disable sql expressions

remove duckdb ref

* Run `make update-workspace`

---------

Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
Sam Jewell
2024-10-18 11:28:26 +01:00
committed by GitHub
parent cbe1e7d63f
commit ea71201ddc
7 changed files with 47 additions and 34 deletions


@ -8,7 +8,6 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/jeremywohl/flatten"
"github.com/scottlepp/go-duck/duck"
)
const (
@ -21,7 +20,7 @@ var logger = log.New("sql_expr")
// TablesList returns a list of tables for the sql statement
func TablesList(rawSQL string) ([]string, error) {
duckDB := duck.NewInMemoryDB()
duckDB := NewInMemoryDB()
rawSQL = strings.Replace(rawSQL, "'", "''", -1)
cmd := fmt.Sprintf("SELECT json_serialize_sql('%s')", rawSQL)
ret, err := duckDB.RunCommands([]string{cmd})