Merge pull request ClickHouse#90105 from ClickHouse/backport/25.8/89942

alexey-milovidov · web-flow · commit 0bcbdd28b9a1 · 2025-11-17T15:00:39.000+01:00
Backport ClickHouse#89942 to 25.8: Fix escaping for some `SHOW` queries
diff --git a/src/Databases/SQLite/DatabaseSQLite.cpp b/src/Databases/SQLite/DatabaseSQLite.cpp
@@ -16,6 +16,7 @@
 #include <Parsers/ASTFunction.h>
 #include <Storages/StorageSQLite.h>
 #include <Databases/SQLite/SQLiteUtils.h>
+#include <Common/quoteString.h>
 
 
 namespace DB
@@ -104,7 +105,7 @@ bool DatabaseSQLite::checkSQLiteTable(const String & table_name) const
     if (!sqlite_db)
         sqlite_db = openSQLiteDB(database_path, getContext(), /* throw_on_error */true);
 
-    const String query = fmt::format("SELECT name FROM sqlite_master WHERE type='table' AND name='{}';", table_name);
+    const String query = "SELECT name FROM sqlite_master WHERE type = 'table' AND name = " + quoteStringSQLite(table_name) + ";";
 
     auto callback_get_data = [](void * res, int, char **, char **) -> int
     {
diff --git a/src/Interpreters/InterpreterShowColumnsQuery.cpp b/src/Interpreters/InterpreterShowColumnsQuery.cpp
@@ -76,8 +76,8 @@ WITH map(
         'String',      '{}',
         'FixedString', '{}') AS native_to_mysql_mapping,
         )",
-        remap_string_as_text ? "TEXT" : "BLOB",
-        remap_fixed_string_as_text ? "TEXT" : "BLOB");
+            remap_string_as_text ? "TEXT" : "BLOB",
+            remap_fixed_string_as_text ? "TEXT" : "BLOB");
 
         rewritten_query += R"(
         splitByRegexp('\(|\)', type_) AS split,
@@ -127,7 +127,8 @@ SELECT
     '' AS privileges )";
     }
 
-    rewritten_query += fmt::format(R"(
+    rewritten_query += fmt::format(
+        R"(
 -- need to rename columns of the base table to avoid "CYCLIC_ALIASES" errors
 FROM (SELECT name AS name_,
              database AS database_,
@@ -141,7 +142,9 @@ FROM (SELECT name AS name_,
       FROM system.columns)
 WHERE
     database_ = '{}'
-    AND table_ = '{}' )", database, table);
+    AND table_ = '{}' )",
+        database,
+        table);
 
     if (!query.like.empty())
     {
@@ -152,7 +155,7 @@ WHERE
             rewritten_query += "ILIKE ";
         else
             rewritten_query += "LIKE ";
-        rewritten_query += fmt::format("'{}'", query.like);
+        rewritten_query += quoteString(query.like);
     }
     else if (query.where_expression)
         rewritten_query += fmt::format(" AND ({})", query.where_expression->formatWithSecretsOneLine());
diff --git a/src/Interpreters/InterpreterShowFunctionsQuery.cpp b/src/Interpreters/InterpreterShowFunctionsQuery.cpp
@@ -5,6 +5,7 @@
 #include <Interpreters/InterpreterShowFunctionsQuery.h>
 #include <Interpreters/executeQuery.h>
 #include <Parsers/ASTShowFunctionsQuery.h>
+#include <Common/quoteString.h>
 
 namespace DB
 {
@@ -38,7 +39,7 @@ FROM {}.{})",
     {
         rewritten_query += " WHERE name ";
         rewritten_query += query.case_insensitive_like ? "ILIKE " : "LIKE ";
-        rewritten_query += fmt::format("'{}'", query.like);
+        rewritten_query += quoteString(query.like);
     }
 
     return rewritten_query;
diff --git a/tests/queries/0_stateless/03714_queries_escaping_1.reference b/tests/queries/0_stateless/03714_queries_escaping_1.reference
diff --git a/tests/queries/0_stateless/03714_queries_escaping_1.sql b/tests/queries/0_stateless/03714_queries_escaping_1.sql
@@ -0,0 +1 @@
+show columns from a.b like 'a\' or 1=1;--'
diff --git a/tests/queries/0_stateless/03714_queries_escaping_2.reference b/tests/queries/0_stateless/03714_queries_escaping_2.reference
diff --git a/tests/queries/0_stateless/03714_queries_escaping_2.sql b/tests/queries/0_stateless/03714_queries_escaping_2.sql
@@ -0,0 +1 @@
+show functions like 'a\' or 1=1;--'
diff --git a/tests/queries/0_stateless/03714_queries_escaping_3.reference b/tests/queries/0_stateless/03714_queries_escaping_3.reference
@@ -0,0 +1,2 @@
+1
+0
diff --git a/tests/queries/0_stateless/03714_queries_escaping_3.sh b/tests/queries/0_stateless/03714_queries_escaping_3.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Tags: no-fasttest, no-parallel
+# no-parallel: dealing with an SQLite database makes concurrent SHOW TABLES queries fail sporadically with the "database is locked" error.
+
+CUR_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CUR_DIR"/../shell_config.sh
+
+export CURR_DATABASE="test_03714_sqllite_${CLICKHOUSE_DATABASE}"
+
+DB_PATH=${USER_FILES_PATH}/${CURR_DATABASE}_db1
+
+function cleanup()
+{
+    ${CLICKHOUSE_CLIENT} --query="DROP DATABASE IF EXISTS ${CURR_DATABASE}"
+}
+trap cleanup EXIT
+
+
+sqlite3 "${DB_PATH}" 'DROP TABLE IF EXISTS table1'
+
+sqlite3 "${DB_PATH}" 'CREATE TABLE table1 (col1 text, col2 smallint);'
+
+chmod ugo+w "${DB_PATH}"
+
+sqlite3 "${DB_PATH}" "INSERT INTO table1 VALUES ('line1', 1), ('line2', 2), ('line3', 3)"
+
+${CLICKHOUSE_CLIENT} --query="CREATE DATABASE ${CURR_DATABASE} ENGINE = SQLite('${DB_PATH}')"
+
+${CLICKHOUSE_CLIENT} --query="EXISTS TABLE ${CURR_DATABASE}.table1;"
+${CLICKHOUSE_CLIENT} --query="EXISTS TABLE ${CURR_DATABASE}.\"a\' or name='table1\";"
+
+
+${CLICKHOUSE_CLIENT} --query="DROP DATABASE IF EXISTS ${CURR_DATABASE}"

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`#include <Interpreters/InterpreterShowFunctionsQuery.h>`
`6`	`6`	`#include <Interpreters/executeQuery.h>`
`7`	`7`	`#include <Parsers/ASTShowFunctionsQuery.h>`
	`8`	`+#include <Common/quoteString.h>`
`8`	`9`
`9`	`10`	`namespace DB`
`10`	`11`	`{`
`@@ -38,7 +39,7 @@ FROM {}.{})",`
`38`	`39`	`{`
`39`	`40`	`rewritten_query += " WHERE name ";`
`40`	`41`	`rewritten_query += query.case_insensitive_like ? "ILIKE " : "LIKE ";`
`41`		`- rewritten_query += fmt::format("'{}'", query.like);`
	`42`	`+ rewritten_query += quoteString(query.like);`
`42`	`43`	`}`
`43`	`44`
`44`	`45`	`return rewritten_query;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+show columns from a.b like 'a\' or 1=1;--'`