fix: avoid escaping bind-like params containing colons (#17419)

* fix: avoid escaping bind-like params containing colons * fix query for mysql * address comments
2026-04-20 08:34:37 +00:00 · 2021-11-13 09:01:49 +02:00
parent aa8040ec9b
commit ad8a7c42f9
3 changed files with 72 additions and 36 deletions
--- a/superset/utils/core.py
+++ b/superset/utils/core.py
@@ -81,7 +81,6 @@ from sqlalchemy import event, exc, inspect, select, Text
 from sqlalchemy.dialects.mysql import MEDIUMTEXT
 from sqlalchemy.engine import Connection, Engine
 from sqlalchemy.engine.reflection import Inspector
-from sqlalchemy.sql.elements import TextClause
 from sqlalchemy.sql.type_api import Variant
 from sqlalchemy.types import TEXT, TypeDecorator, TypeEngine
 from typing_extensions import TypedDict, TypeGuard
@@ -132,8 +131,6 @@ JS_MAX_INTEGER = 9007199254740991  # Largest int Java Script can handle 2^53-1

 InputType = TypeVar("InputType")

-BIND_PARAM_REGEX = TextClause._bind_params_regex  # pylint: disable=protected-access
-

 class LenientEnum(Enum):
    """Enums with a `get` method that convert a enum value to `Enum` if it is a
@@ -1771,29 +1768,3 @@ def apply_max_row_limit(limit: int, max_limit: Optional[int] = None,) -> int:
    if limit != 0:
        return min(max_limit, limit)
    return max_limit
-
-
-def escape_sqla_query_binds(sql: str) -> str:
-    """
-    Replace strings in a query that SQLAlchemy would otherwise interpret as
-    bind parameters.
-
-    :param sql: unescaped query string
-    :return: escaped query string
-    >>> escape_sqla_query_binds("select ':foo'")
-    "select '\\\\:foo'"
-    >>> escape_sqla_query_binds("select 'foo'::TIMESTAMP")
-    "select 'foo'::TIMESTAMP"
-    >>> escape_sqla_query_binds("select ':foo :bar'::TIMESTAMP")
-    "select '\\\\:foo \\\\:bar'::TIMESTAMP"
-    >>> escape_sqla_query_binds("select ':foo :foo :bar'::TIMESTAMP")
-    "select '\\\\:foo \\\\:foo \\\\:bar'::TIMESTAMP"
-    """
-    matches = BIND_PARAM_REGEX.finditer(sql)
-    processed_binds = set()
-    for match in matches:
-        bind = match.group(0)
-        if bind not in processed_binds:
-            sql = sql.replace(bind, bind.replace(":", "\\:"))
-            processed_binds.add(bind)
-    return sql