Skip to content

Advanced SQL Analytics Framework #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zaibkhan wants to merge 1 commit into
base: data-analysis-features
Choose a base branch
from
Open

Advanced SQL Analytics Framework #6

zaibkhan wants to merge 1 commit into from
+47 −34

Conversation

@zaibkhan
Copy link

@zaibkhan zaibkhan commented Sep 9, 2025

Mirrors ai-code-review-evaluation#9 for like-for-like benchmarking.

  • Base: data-analysis-features
  • Head: advanced-sql-analytics

Original PR excerpt:

Test 9

@samjewell @scottlepp
ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI…
ea71201 
… vulnerability (#94942)

* disable sql expressions

remove duckdb ref

* Run `make update-workspace`

---------

Co-authored-by: Scott Lepper <[email protected]>
@codoki-pr-intelligence
Copy link

codoki-pr-intelligence bot commented Sep 9, 2025
edited
Loading

Codoki PR Review

Summary: Fix SQL feature gating, unblock SQL expressions
What’s good: Clean separation for SQL via a dedicated DB type and feature gating scaffolding.
Review Status: ❌ Requires changes
Overall Priority: High

Issues (Critical & High only)

Severity Issue Why it matters
High Correctness — Feature flag check inverted disables SQL expressions …/expr/reader.go
The feature flag logic is inverted and the function always returns false (including the unconditional returns below), which permanently disables SQL expressions and forces the QueryTypeSQL branch to error. Return the flag value directly so enabling the feature actually activates the path.

Showing top 1 issues. Critical: 0, High: 1. See inline suggestions for more.

Key Feedback (click to expand)
  • Needs improvement: The feature flag logic for SQL expressions is inverted and always disables the path, returning 'sqlExpressions is not implemented' even when enabled.
  • Testing: Add a unit test for enableSqlExpressions to assert behavior when the feature flag is on vs off, and a ReadQuery test that covers the QueryTypeSQL branch for both states.
  • Compatibility: Removing go-duck and switching to a new in-memory DB without implementations will break any code path that relies on TablesList/RunCommands/QueryFramesInto once enabled. Ensure rollout plan or guard remains until the replacement is finished.
  • Open questions: Should SQL expressions be globally disabled right now, or is the intent to allow them when featuremgmt.FlagSqlExpressions is enabled?

Confidence: 3/5 — Needs work before merge (1 high · status: Requires changes)

React with 👍 or 👎 if you found this review useful.

codoki-pr-intelligence[bot]
codoki-pr-intelligence bot reviewed Sep 9, 2025
View reviewed changes
pkg/expr/reader.go
return exp, nil
}

func enableSqlExpressions(h *ExpressionQueryReader) bool {
Copy link

@codoki-pr-intelligence codoki-pr-intelligence bot Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ High: The feature flag logic is inverted and the function always returns false (including the unconditional returns below), which permanently disables SQL expressions and forces the QueryTypeSQL branch to error. Return the flag value directly so enabling the feature actually activates the path.

Suggested change
func enableSqlExpressions(h *ExpressionQueryReader) bool {
func enableSqlExpressions(h *ExpressionQueryReader) bool {
return h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@codoki-pr-intelligence codoki-pr-intelligence[bot] codoki-pr-intelligence[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zaibkhan @samjewell