feat: Lock down duckdb to limit filesystem access

gadenbuie · gadenbuie · commit 8f0c6bb300bf · 2025-12-22T13:04:52.000-05:00
diff --git a/pkg-py/src/querychat/_datasource.py b/pkg-py/src/querychat/_datasource.py
@@ -115,11 +115,26 @@ def __init__(self, df: IntoFrame, table_name: str):
             Name of the table in SQL queries
 
         """
-        self._conn = duckdb.connect(database=":memory:")
         self._df = nw.from_native(df)
         self.table_name = table_name
-        # TODO(@gadenbuie): If the data frame is already SQL-backed, maybe we shouldn't be making a new copy here.
+
+        self._conn = duckdb.connect(database=":memory:")
+        # TODO(@gadenbuie): What if the data frame is already SQL-backed?
         self._conn.register(table_name, self._df.lazy().collect().to_pandas())
+        self._conn.execute("""
+-- extensions: lock down supply chain + auto behaviors
+SET allow_community_extensions = false;
+SET allow_unsigned_extensions = false;
+SET autoinstall_known_extensions = false;
+SET autoload_known_extensions = false;
+
+-- external I/O: block file/database/network access from SQL
+SET enable_external_access = false;
+SET disabled_filesystems = 'LocalFileSystem';
+
+-- freeze configuration so user SQL can't relax anything
+SET lock_configuration = true;
+        """)
 
     def get_db_type(self) -> str:
         """
diff --git a/pkg-r/R/DataSource.R b/pkg-r/R/DataSource.R
@@ -163,13 +163,33 @@ DataFrameSource <- R6::R6Class(
       # Create in-memory connection and register the data frame
       if (engine == "duckdb") {
         check_installed("duckdb")
+
         private$conn <- DBI::dbConnect(duckdb::duckdb(), dbdir = ":memory:")
+
         duckdb::duckdb_register(
           private$conn,
           table_name,
           df,
           experimental = FALSE
         )
+
+        DBI::dbExecute(
+          private$conn,
+          r"(
+-- extensions: lock down supply chain + auto behaviors
+SET allow_community_extensions = false;
+SET allow_unsigned_extensions = false;
+SET autoinstall_known_extensions = false;
+SET autoload_known_extensions = false;
+
+-- external I/O: block file/database/network access from SQL
+SET enable_external_access = false;
+SET disabled_filesystems = 'LocalFileSystem';
+
+-- freeze configuration so user SQL can't relax anything
+SET lock_configuration = true;
+        )"
+        )
       } else if (engine == "sqlite") {
         check_installed("RSQLite")
         private$conn <- DBI::dbConnect(RSQLite::SQLite(), ":memory:")
