Move parameters merging to the backend and make it safe
Currently the way parameters work in Redash is that we use the query text as a Mustache template and merge the parameter values with it before running the query.
This very simple implementation has one major issue: it’s open to SQL injection. It’s a non-issue when a “regular” Redash user uses parameters, as they can run any query anyway. But it limits the use of parameters to users with full access to the data source.
To provide any user with the ability to use parameters, we need to change our implementation to make it safe and SQL-injection-proof.
The idea is:
- Change the API to handle all parameters merging in the backend (today we send the final query from the frontend).
- Make the API safe.
While every database driver we use (that supports DB-API) has its own way of taking query text with parameters, it’s better that we find a single way that is DB agnostic. Also need to remember that some of our datasources take queries as JSON/YAML.
It’s also preferable that we can support the current parameters syntax (`{{ parameter }}`), but we don’t have to support the full range of Mustache functions (although it can be nice).
Some “prior art” that might be useful:
- Created 5 years ago
- Reactions: 5
- Comments: 14 (13 by maintainers)
Top GitHub Comments
@shinsuke-nara we ended up implementing validation of parameters on the backend. Read-only users can now use parameters except for the text parameter type, which isn’t safe as we can’t validate it at the moment.
Once we are done with enabling parameters in various scenarios, we will get back to allowing the use of text parameters. Either by passing them to the query runner or sanitizing them ourselves.
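The following is an added example, not Redash’s own code, illustrating both the proposal in the issue body (merge parameters in the backend, keep the `{{ parameter }}` syntax, stay DB-agnostic) and the resolution described in the comment above (validate each parameter by its declared type, refuse free text for read-only users). The schema format, the type names `number`/`date`/`enum`/`text`, the helper names and the sample queries are all assumptions made for the example.

```python
"""Backend parameter merge for Mustache-style query templates.

Added example (not Redash's own code). It contrasts the unsafe text
merge the issue describes with a backend merge that validates each
value against a declared parameter type before substituting it.
Schema layout, type names and helper names are assumptions.
"""
import math
import re
from datetime import date

# Matches the existing syntax: {{ name }} with optional whitespace.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")


class InvalidParameterError(ValueError):
    """Value does not match the parameter's declared type."""


class UnsafeParameterError(PermissionError):
    """Type cannot be validated; only full-access users may use it."""


def render_unsafe(query_text, values):
    """The behaviour the issue complains about: raw text substitution."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), query_text)


def _render_number(raw):
    # Re-emit a canonical numeric literal, never the user's string.
    if isinstance(raw, bool):
        raise InvalidParameterError("not a number: %r" % (raw,))
    if isinstance(raw, int):
        return str(raw)
    text = str(raw).strip()
    try:
        return str(int(text))
    except ValueError:
        pass
    try:
        num = float(text)
    except ValueError:
        raise InvalidParameterError("not a number: %r" % (raw,))
    if not math.isfinite(num):
        raise InvalidParameterError("non-finite number: %r" % (raw,))
    return repr(num)


def _render_date(raw):
    # Parse strictly as ISO 8601 and re-emit the parsed value.
    try:
        return "'%s'" % date.fromisoformat(str(raw)).isoformat()
    except ValueError:
        raise InvalidParameterError("not an ISO date: %r" % (raw,))


def _render_enum(raw, allowed):
    # Only values the query owner listed in the schema are accepted.
    if raw not in allowed:
        raise InvalidParameterError("value %r not in %r" % (raw, allowed))
    return "'%s'" % str(raw).replace("'", "''")


def validate_and_render(query_text, schema, values, full_access=False):
    """Merge values into query_text, validating each by its schema type.

    schema maps name -> {"type": ..., "options": [...]} (assumed layout).
    Text parameters are substituted verbatim, so they are refused unless
    the caller has full access to the data source; read-only users get
    an UnsafeParameterError, as the comment above describes.
    """
    def substitute(match):
        name = match.group(1)
        if name not in schema:
            raise InvalidParameterError("undeclared parameter %r" % name)
        if name not in values:
            raise InvalidParameterError("missing value for %r" % name)
        spec, raw = schema[name], values[name]
        ptype = spec["type"]
        if ptype == "number":
            return _render_number(raw)
        if ptype == "date":
            return _render_date(raw)
        if ptype == "enum":
            return _render_enum(raw, spec["options"])
        if ptype == "text":
            if not full_access:
                raise UnsafeParameterError("text parameter %r needs full access" % name)
            return str(raw)
        raise InvalidParameterError("unknown parameter type %r" % ptype)

    return PLACEHOLDER.sub(substitute, query_text)


def try_render(query_text, schema, values, full_access=False):
    """Return the merged query, or the name of the error that blocked it."""
    try:
        return validate_and_render(query_text, schema, values, full_access)
    except (InvalidParameterError, UnsafeParameterError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed sample: a read-only user supplying an injected "id".
    schema = {"id": {"type": "number"}, "since": {"type": "date"},
              "status": {"type": "enum", "options": ["active", "inactive"]}}
    sql = "SELECT * FROM users WHERE id = {{ id }} AND created_at >= {{ since }}"
    bad = {"id": "1; DROP TABLE users", "since": "2024-01-15"}
    print(render_unsafe(sql, bad))                    # injection goes through
    print(try_render(sql, schema, bad))               # InvalidParameterError
    print(try_render(sql, schema, {"id": "42", "since": "2024-01-15"}))
```

Because the merge works on the template text rather than on a DB-API cursor, the same validator sits in front of data sources that take queries as JSON or YAML; the safety comes from re-emitting a canonical literal for every validated type, which is why the unvalidatable `text` type stays restricted to users who could run arbitrary queries anyway.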
Are you referring to injections via the WHERE clause only? Because I think all the other clauses are susceptible to SQL injection. (`select 1; drop table midgets`)