superset-notifications mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [incubator-superset] DiggidyDave commented on a change in pull request #7422: [WIP] Add `validate_sql_json` endpoint for checking that a given sql query is valid for the chosen database
Date Thu, 02 May 2019 19:13:07 GMT
DiggidyDave commented on a change in pull request #7422: [WIP] Add `validate_sql_json` endpoint for checking that a given sql query is valid for the chosen database
URL: https://github.com/apache/incubator-superset/pull/7422#discussion_r280558819
 
 

 ##########
 File path: superset/views/core.py
 ##########
 @@ -2503,6 +2504,61 @@ def stop_query(self):
             pass
         return self.json_response('OK')
 
+    @has_access_api
+    @expose('/validate_sql_json/', methods=['POST', 'GET'])
+    @log_this
+    def validate_sql_json(self):
+        """Validates that arbitrary sql is acceptable for the given database.
+        Returns a list of error/warning annotations as json.
+        """
+        sql = request.form.get('sql')
+        database_id = request.form.get('database_id')
+        schema = request.form.get('schema') or None
+        template_params = json.loads(
+            request.form.get('templateParams') or '{}')
+
+        if len(template_params) > 0:
+            # TODO: factor the Database object out of template rendering
+            #       or provide it as mydb so we can render template params
+            #       without having to also persist a Query ORM object.
+            return json_error_response(
+                'SQL validation does not support template parameters')
+
+        session = db.session()
+        mydb = session.query(models.Database).filter_by(id=database_id).first()
+        if not mydb:
+            json_error_response(
+                'Database with id {} is missing.'.format(database_id))
+
+        spec = mydb.db_engine_spec
+        if not spec.engine in SQL_VALIDATORS_BY_ENGINE:
+            return json_error_response(
+                'no SQL validator is configured for {}'.format(spec.engine))
+        validator = SQL_VALIDATORS_BY_ENGINE[spec.engine]
+
+        try:
+            timeout = config.get('SQLLAB_VALIDATION_TIMEOUT')
+            timeout_msg = (
+                f'The query exceeded the {timeout} seconds timeout.')
+            with utils.timeout(seconds=timeout,
+                                error_message=timeout_msg):
+                errors = validator.validate(sql, schema, mydb)
+            payload = json.dumps(
+                [err.to_dict() for err in errors],
+                default=utils.pessimistic_json_iso_dttm_ser,
+                ignore_nan=True,
+                encoding=None,
+            )
+            return json_success(payload)
+        except Exception as e:
+            logging.exception(e)
+            msg = _(
+                'Failed to validate your SQL query text. Please check that '
+                f'you have configured the {validator.name} validator '
+                'correctly and that any services it depends on are up. '
+                f'Exception: {e}')
+            return json_error_response(f'{msg}')
 
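Review bot: the missing-database branch (`if not mydb:`) builds `json_error_response(...)` but never returns it, so execution falls through to `spec = mydb.db_engine_spec` with `mydb` set to `None` and raises an `AttributeError`; the client then gets an unhandled server error instead of the intended "Database with id ... is missing." message. Add `return` in front of that call. Two related points in the same hunk: `if not spec.engine in SQL_VALIDATORS_BY_ENGINE` is clearer as `if spec.engine not in SQL_VALIDATORS_BY_ENGINE`, and the catch-all `except Exception` hands `f'Exception: {e}'` straight back to the caller, so whatever text the validator or the upstream database placed in the exception (connection strings, host names, driver internals) is echoed to any user who can reach the endpoint; since `logging.exception(e)` already records the full detail server-side, return a generic message here, which also fits the thread's point about telling a parse failure apart from an upstream 500.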
Review comment:
  I'm actually pretty concerned about this... this would allow any user to just spam the backend with bad queries and wake up an on-call at 2am. Can the validator itself make the distinction between an upstream 500 response from the db and a "couldn't parse" problem?
 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
