Making sure that queries containing a colon execute alright
mistercrunch committed May 18, 2017
1 parent dbc7fef commit 2b9d2b7
Showing 5 changed files with 32 additions and 8 deletions.
3 changes: 1 addition & 2 deletions superset/connectors/sqla/models.py
Expand Up @@ -11,8 +11,7 @@
)
import sqlalchemy as sa
from sqlalchemy import asc, and_, desc, select
from sqlalchemy.ext.compiler import compiles
from sqlalchemy.sql.expression import ColumnClause, TextAsFrom
from sqlalchemy.sql.expression import TextAsFrom
from sqlalchemy.orm import backref, relationship
from sqlalchemy.sql import table, literal_column, text, column

2 changes: 1 addition & 1 deletion superset/db_engine_specs.py
Expand Up @@ -312,7 +312,7 @@ def get_table_names(cls, schema, inspector):

class MySQLEngineSpec(BaseEngineSpec):
engine = 'mysql'
cursor_execute_kwargs = {'args': {}}
cursor_execute_kwargs = {'args': None}
time_grains = (
Grain('Time Column', _('Time Column'), '{col}'),
Grain("second", _('second'), "DATE_ADD(DATE({col}), "
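Review bot: The switch to `{'args': None}` on the `cursor_execute_kwargs` line is a magic value with no comment, so a reader cannot tell why an empty dict was wrong. If the driver is MySQLdb, a non-None `args` makes `cursor.execute` run `query % args` client-side, so a literal `%` in the SQL (a `LIKE '%x%'` pattern) is read as a format specifier and fails, whereas `None` skips the interpolation entirely; record that above the line: `# None: skip the driver's client-side '%' interpolation so a literal '%' in user SQL is passed through unchanged`. It also means no parameter binding happens on this path, so any escaping of values has to be done before the SQL reaches the cursor. The `MySQLEngineSpec` class body continues outside the hunk.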
2 changes: 2 additions & 0 deletions superset/jinja_context.py
Expand Up @@ -97,6 +97,8 @@ def process_template(self, sql, **kwargs):
>>> process_template(sql)
"SELECT '2017-01-01T00:00:00'"
"""
# Escaping colon
sql = sql.replace(':', '\:')
template = self.env.from_string(sql)
kwargs.update(self.context)
return template.render(kwargs)
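Review bot: The new `sql.replace(':', '\:')` rewrites every colon before the template is rendered, yet the doctest three lines above still shows `process_template(sql)` returning `"SELECT '2017-01-01T00:00:00'"`; after this change the rendered string would contain `\:` in place of each colon, so the example is now wrong and fails if the doctests run. `'\:'` is also not a recognised escape sequence, which newer Pythons warn about — write it as `r'\:'`. The replacement is blanket: colons inside Jinja expressions (`{{ xs[1:2] }}`), PostgreSQL `::` casts and timestamp literals are all escaped, which presumably targets SQLAlchemy's `text()` bind-parameter syntax (where `\:` is undone) but leaves the backslashes in place for any consumer that does not route the SQL through `text()`; the comment should name the consumer, e.g. `# Escape ':' so SQLAlchemy text() does not treat it as a bind-parameter marker`. `process_template` starts outside the hunk.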
26 changes: 21 additions & 5 deletions tests/core_tests.py
Expand Up @@ -25,6 +25,8 @@

class CoreTests(SupersetTestCase):

"""A set of core tests for Superset"""

requires_examples = True

def __init__(self, *args, **kwargs):
Expand Down Expand Up @@ -83,7 +85,23 @@ def test_slice_json_endpoint(self):

json_endpoint = (
'/superset/explore_json/{}/{}?form_data={}'
.format(slc.datasource_type, slc.datasource_id, json.dumps(slc.viz.form_data))
.format(
slc.datasource_type,
slc.datasource_id,
json.dumps(slc.viz.form_data))
)
resp = self.get_resp(json_endpoint)
assert '"Jennifer"' in resp

def test_json_endpoint_escaping(self):
self.login(username='admin')
slc = self.get_slice("Girls", db.session)
fd = slc.viz.form_data
fd['where'] = "name NOT LIKE '%:super%'"

json_endpoint = (
'/superset/explore_json/{}/{}?form_data={}'
.format(slc.datasource_type, slc.datasource_id, json.dumps(fd))
)
resp = self.get_resp(json_endpoint)
assert '"Jennifer"' in resp
Expand Down Expand Up @@ -141,8 +159,7 @@ def test_save_slice(self):

form_data = {
'viz_type': 'sankey',
'groupby': 'source',
'groupby': 'target',
'groupby': ['source', 'target'],
'metric': 'sum__value',
'row_limit': 5000,
'slice_id': slice_id,
Expand All @@ -163,8 +180,7 @@ def test_save_slice(self):

form_data = {
'viz_type': 'sankey',
'groupby': 'source',
'groupby': 'target',
'groupby': ['source', 'target'],
'metric': 'sum__value',
'row_limit': 5000,
'slice_id': new_slice_id,
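Review bot: In `test_json_endpoint_escaping` the `form_data` query-string value is built with `str.format` over `json.dumps(fd)` and never URL-encoded, so the `%` characters from `'%:super%'` (along with the JSON's quotes, braces and spaces) go straight into the URL; `%:s` and `%'"` happen not to be valid percent-escapes, so the test works by accident, and a pattern such as `'%ab'` would be decoded by the server into a different byte. Pass the value through `urllib.parse.quote` (or the Python 2 `urllib.quote`) when building `json_endpoint`; the same construction in `test_slice_json_endpoint` just above has the same weakness. The assertion `'"Jennifer"' in resp` only shows that a row came back; asserting that the response carries no error as well would make a regression of the colon handling fail with a readable message. `test_slice_json_endpoint` starts outside the hunk.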
7 changes: 7 additions & 0 deletions tests/sqllab_tests.py
Expand Up @@ -52,6 +52,13 @@ def test_sql_json(self):
data = self.run_sql('SELECT * FROM unexistant_table', "2")
self.assertLess(0, len(data['error']))

def test_sql_json_escaping(self):
self.login('admin')

data = self.run_sql(
"SELECT count(1) FROM ab_user WHERE username like '%:test%'", "3")
self.assertEquals(0, len(data['data']))

def test_sql_json_has_access(self):
main_db = self.get_main_database(db.session)
sm.add_permission_view_menu('database_access', main_db.perm)
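Review bot: `test_sql_json_escaping` asserts only `len(data['data']) == 0`, which is the same outcome as a query that matched nothing for an unrelated reason, and if the colon handling regresses the failure shows up as a `KeyError` on `data['data']` (the error case in `test_sql_json` just above reports through `data['error']`) rather than as an assertion message. Add `self.assertNotIn('error', data)` before the length check so the failure is readable. `assertEquals` is the deprecated alias — use `self.assertEqual(0, len(data['data']))`. Both points presume the `run_sql` response shape shown in the neighbouring test.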
