ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942)

* disable sql expressions remove duckdb ref * Run `make update-workspace` --------- Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
2025-07-29 22:32:24 +08:00 · 2024-10-18 11:28:26 +01:00
parent cbe1e7d63f
commit ea71201ddc
7 changed files with 47 additions and 34 deletions
--- a/pkg/expr/sql_command.go
+++ b/pkg/expr/sql_command.go
@ -7,7 +7,6 @@ import (
 	"time"

 	"github.com/grafana/grafana-plugin-sdk-go/data"
-	"github.com/scottlepp/go-duck/duck"

 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	"github.com/grafana/grafana/pkg/expr/mathexp"
@ -94,11 +93,11 @@ func (gr *SQLCommand) Execute(ctx context.Context, now time.Time, vars mathexp.V

 	rsp := mathexp.Results{}

-	duckDB := duck.NewInMemoryDB()
+	db := sql.NewInMemoryDB()
 	var frame = &data.Frame{}

 	logger.Debug("Executing query", "query", gr.query, "frames", len(allFrames))
-	err := duckDB.QueryFramesInto(gr.refID, gr.query, allFrames, frame)
+	err := db.QueryFramesInto(gr.refID, gr.query, allFrames, frame)
 	if err != nil {
 		logger.Error("Failed to query frames", "error", err.Error())
 		rsp.Error = err