fix(security): Add table blocklist and fix MCP SQL validation bypass (#37411)

This commit is contained in:
Amin Ghadersohi
2026-02-09 08:12:06 -05:00
committed by GitHub
parent 2b411b32ba
commit 15b3c96f8e
7 changed files with 238 additions and 7 deletions


@@ -2942,6 +2942,39 @@ def test_check_functions_present(sql: str, engine: str, expected: bool) -> None:
assert SQLScript(sql, engine).check_functions_present(functions) == expected
@pytest.mark.parametrize(
"sql, engine, expected",
[
("SELECT * FROM my_table", "postgresql", False),
("SELECT * FROM pg_stat_activity", "postgresql", True),
("SELECT * FROM PG_STAT_ACTIVITY", "postgresql", True),
("SELECT * FROM pg_roles", "postgresql", True),
(
"WITH cte AS (SELECT 1) SELECT * FROM cte",
"postgresql",
False,
),
(
"SELECT * FROM my_table; SELECT * FROM pg_settings",
"postgresql",
True,
),
(
"SELECT * FROM schema.pg_stat_activity",
"postgresql",
True,
),
("Table | limit 10", "kustokql", False),
],
)
def test_check_tables_present(sql: str, engine: str, expected: bool) -> None:
"""
Check the `check_tables_present` method.
"""
tables = {"pg_stat_activity", "pg_roles", "pg_settings"}
assert SQLScript(sql, engine).check_tables_present(tables) == expected
@pytest.mark.parametrize(
"kql, expected",
[
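Review bot: The new parametrization for check_tables_present covers case, multi-statement and schema-qualified references but never a blocklisted table reached through a JOIN, a subquery or a quoted identifier, which are the forms a table blocklist is most likely to miss, so the test should add cases such as `("SELECT * FROM my_table JOIN pg_roles ON true", "postgresql", True)`, `('SELECT * FROM "pg_stat_activity"', "postgresql", True)` and `("SELECT * FROM (SELECT * FROM pg_settings) t", "postgresql", True)`, plus a negative case where a blocklisted name appears only as a column, e.g. `("SELECT pg_roles FROM my_table", "postgresql", False)`, to pin that matching is on table references rather than on any identifier. The docstring at the top of the function says only what it checks; a one-liner such as `"""Check that check_tables_present flags blocklisted tables regardless of case, statement position or schema qualification."""` would record the intended contract for the next maintainer. Whether the production method already handles those forms cannot be confirmed from this hunk, since only the test file is visible here. The `@pytest.mark.parametrize` that begins at the end of the hunk belongs to a following test whose body is outside the hunk.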