Add support for validating SQL queries with the WITH clause and extend unit tests (#1327)

zaleslaw · web-flow · commit 105307223ea5 · 2025-07-16T19:28:40.000+02:00
diff --git a/dataframe-jdbc/src/main/kotlin/org/jetbrains/kotlinx/dataframe/io/readJdbc.kt b/dataframe-jdbc/src/main/kotlin/org/jetbrains/kotlinx/dataframe/io/readJdbc.kt
@@ -557,6 +557,11 @@ private fun hasForbiddenPatterns(input: String): Boolean {
     return false
 }
 
+/**
+ * Allowed list of SQL operators
+ */
+private val ALLOWED_SQL_OPERATORS = listOf("SELECT", "WITH", "VALUES", "TABLE")
+
 /**
  * Validates if the SQL query is safe and starts with SELECT.
  * Ensures a proper syntax structure, checks for balanced quotes, and disallows dangerous commands or patterns.
@@ -567,9 +572,11 @@ private fun isValidSqlQuery(sqlQuery: String): Boolean {
     // Log the query being validated
     logger.warn { "Validating SQL query: '$sqlQuery'" }
 
-    // Ensure the query starts with "SELECT"
-    if (!normalizedSqlQuery.startsWith("SELECT")) {
-        logger.error { "Validation failed: The SQL query must start with 'SELECT'. Given query: '$sqlQuery'." }
+    // Ensure the query starts from one of the allowed SQL operators
+    if (ALLOWED_SQL_OPERATORS.none { normalizedSqlQuery.startsWith(it) }) {
+        logger.error {
+            "Validation failed: The SQL query must start with one of: $ALLOWED_SQL_OPERATORS. Given query: '$sqlQuery'."
+        }
         return false
     }
 
diff --git a/dataframe-jdbc/src/test/kotlin/org/jetbrains/kotlinx/dataframe/io/h2/postgresH2Test.kt b/dataframe-jdbc/src/test/kotlin/org/jetbrains/kotlinx/dataframe/io/h2/postgresH2Test.kt
@@ -78,69 +78,75 @@ class PostgresH2Test {
             connection = DriverManager.getConnection(URL)
 
             @Language("SQL")
-            val createTableStatement = """
+            val createTableStatement =
+                """
                 CREATE TABLE IF NOT EXISTS table1 (
-                id serial PRIMARY KEY,
-                bigintCol bigint not null,
-                smallintCol smallint not null,
-                bigserialCol bigserial not null,
-                booleanCol boolean not null,
-                byteaCol bytea not null,
-                characterCol character not null,
-                characterNCol character(10) not null,
-                charCol char not null,
-                dateCol date not null,
-                doubleCol double precision not null,
-                integerCol integer,
-                intArrayCol integer array,
-                doubleArrayCol double precision array,
-                dateArrayCol date array,
-                textArrayCol text array,
-                booleanArrayCol boolean array
-            )
-            """
+                    id serial PRIMARY KEY,
+                    bigintCol bigint not null,
+                    smallintCol smallint not null,
+                    bigserialCol bigserial not null,
+                    booleanCol boolean not null,
+                    byteaCol bytea not null,
+                    characterCol character not null,
+                    characterNCol character(10) not null,
+                    charCol char not null,
+                    dateCol date not null,
+                    doubleCol double precision not null,
+                    integerCol integer,
+                    intArrayCol integer array,
+                    doubleArrayCol double precision array,
+                    dateArrayCol date array,
+                    textArrayCol text array,
+                    booleanArrayCol boolean array
+                )
+                """.trimIndent()
+
             connection.createStatement().execute(createTableStatement.trimIndent())
 
             @Language("SQL")
-            val createTableQuery = """
+            val createTableQuery =
+                """
                 CREATE TABLE IF NOT EXISTS table2 (
-                id serial PRIMARY KEY,
-                moneyCol money not null,
-                numericCol numeric not null,
-                realCol real not null,
-                smallintCol smallint not null,
-                serialCol serial not null,
-                textCol text,
-                timeCol time not null,
-                timeWithZoneCol time with time zone not null,
-                timestampCol timestamp not null,
-                timestampWithZoneCol timestamp with time zone not null,
-                uuidCol uuid not null
-            )
-            """
+                    id serial PRIMARY KEY,
+                    moneyCol money not null,
+                    numericCol numeric not null,
+                    realCol real not null,
+                    smallintCol smallint not null,
+                    serialCol serial not null,
+                    textCol text,
+                    timeCol time not null,
+                    timeWithZoneCol time with time zone not null,
+                    timestampCol timestamp not null,
+                    timestampWithZoneCol timestamp with time zone not null,
+                    uuidCol uuid not null
+                )
+                """.trimIndent()
+
             connection.createStatement().execute(createTableQuery.trimIndent())
 
             @Language("SQL")
-            val insertData1 = """
-            INSERT INTO table1 (
-                bigintCol, smallintCol, bigserialCol,  booleanCol, 
-                byteaCol, characterCol, characterNCol, charCol, 
-                dateCol, doubleCol, 
-                integerCol, intArrayCol,
-                doubleArrayCol, dateArrayCol, textArrayCol, booleanArrayCol
-            ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            """
+            val insertData1 =
+                """
+                INSERT INTO table1 (
+                    bigintCol, smallintCol, bigserialCol,  booleanCol, 
+                    byteaCol, characterCol, characterNCol, charCol, 
+                    dateCol, doubleCol, 
+                    integerCol, intArrayCol,
+                    doubleArrayCol, dateArrayCol, textArrayCol, booleanArrayCol
+                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+                """.trimIndent()
 
             @Language("SQL")
-            val insertData2 = """
-            INSERT INTO table2 (
-                moneyCol, numericCol, 
-                realCol, smallintCol, 
-                serialCol, textCol, timeCol, 
-                timeWithZoneCol, timestampCol, timestampWithZoneCol, 
-                uuidCol
-            ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            """
+            val insertData2 =
+                """
+                INSERT INTO table2 (
+                    moneyCol, numericCol, 
+                    realCol, smallintCol, 
+                    serialCol, textCol, timeCol, 
+                    timeWithZoneCol, timestampCol, timestampWithZoneCol, 
+                    uuidCol
+                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+                """.trimIndent()
 
             val intArray = connection.createArrayOf("INTEGER", arrayOf(1, 2, 3))
             val doubleArray = connection.createArrayOf("DOUBLE", arrayOf(1.1, 2.2, 3.3))
@@ -327,4 +333,57 @@ class PostgresH2Test {
     fun `infer nullability`() {
         inferNullability(connection)
     }
+
+    @Test
+    fun `readSqlQuery should execute a WITH clause and return results`() {
+        try {
+            // Step 1: Create a temporary table
+            @Language("SQL")
+            val createTableQuery =
+                """
+                CREATE TABLE employees (
+                    id INT PRIMARY KEY,
+                    name VARCHAR(100),
+                    salary DOUBLE
+                )
+                """.trimIndent()
+            connection.createStatement().execute(createTableQuery)
+
+            // Step 2: Insert data into the table
+            @Language("SQL")
+            val insertDataQuery =
+                """
+                INSERT INTO employees (id, name, salary) VALUES 
+                (1, 'Alice', 60000.0),
+                (2, 'Bob', 50000.0),
+                (3, 'Charlie', 70000.0)
+                """.trimIndent()
+
+            connection.createStatement().execute(insertDataQuery)
+
+            // Step 3: Execute the query with a WITH clause
+            @Language("SQL")
+            val queryWithClause =
+                """
+                WITH high_earners AS (
+                    SELECT name, salary 
+                    FROM employees 
+                    WHERE salary > 55000.0
+                )
+                SELECT * FROM high_earners
+                """.trimIndent()
+
+            val resultDataFrame = DataFrame.readSqlQuery(connection, queryWithClause)
+
+            // Step 4: Validate the results
+            resultDataFrame.rowsCount() shouldBe 2
+            resultDataFrame[0][0] shouldBe "Alice"
+            resultDataFrame[1][0] shouldBe "Charlie"
+        } finally {
+            // Step 5: Clean up the temporary table
+            @Language("SQL")
+            val dropTableQuery = "DROP TABLE IF EXISTS employees"
+            connection.createStatement().execute(dropTableQuery)
+        }
+    }
 }
