Make maximum recursion depth of run_sql configurable

 fixes #739

Author: lovasoa

CHANGELOG.md

@@ -28,6 +28,7 @@
 - Fix a bug where stacked bar charts would not stack the bars correctly in some cases.
 - Update ApexCharts to [v4.1.0](https://github.com/apexcharts/apexcharts.js/releases/tag/v4.1.0).
 - Temporarily disable automatic tick amount calculation in the chart component. This was causing issues with mislabeled x-axis data, because of a bug in ApexCharts.
+- Add a new `max_recursion_depth` configuration option to limit the depth of recursion allowed in the `run_sql` function.
 
 ## 0.31.0 (2024-11-24)
 

configuration.md

@@ -33,6 +33,7 @@ Here are the available configuration options and their default values:
 | `environment`                                 | development                                                 | The environment in which SQLPage is running. Can be either `development` or `production`. In `production` mode, SQLPage will hide error messages and stack traces from the user, and will cache sql files in memory to avoid reloading them from disk. |
 | `content_security_policy`                     | `script-src 'self' 'nonce-XXX` | The [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to set in the HTTP headers. If you get CSP errors in the browser console, you can set this to the empty string to disable CSP. |
 | `system_root_ca_certificates`                 | false                                                      | Whether to use the system root CA certificates to validate SSL certificates when making http requests with `sqlpage.fetch`. If set to false, SQLPage will use its own set of root CA certificates. If the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables are set, they will be used instead of the system root CA certificates. |
+| `max_recursion_depth`                         | 10                                                           | Maximum depth of recursion allowed in the `run_sql` function. Maximum value is 255. |
 
 Multiple configuration file formats are supported:
 you can use a [`.json5`](https://json5.org/) file, a [`.toml`](https://toml.io/) file, or a [`.yaml`](https://en.wikipedia.org/wiki/YAML#Syntax) file.

examples/official-site/sqlpage/migrations/38_run_sql.sql

@@ -26,7 +26,7 @@ select ''dynamic'' as component, sqlpage.run_sql(''common_header.sql'') as prope
 
 #### Notes
 
- - **recursion**: you can use `run_sql` to include a file that itself includes another file, and so on. However, be careful to avoid infinite loops. SQLPage will throw an error if the inclusion depth is superior to 8.
+ - **recursion**: you can use `run_sql` to include a file that itself includes another file, and so on. However, be careful to avoid infinite loops. SQLPage will throw an error if the inclusion depth is superior to `max_recursion_depth` (10 by default).
  - **security**: be careful when using `run_sql` to include files. Never use `run_sql` with a user-provided parameter. Never run a file uploaded by a user, or a file that is not under your control.
  - **variables**: the included file will have access to the same variables (URL parameters, POST variables, etc.)
    as the calling file.

src/app_config.rs

@@ -243,6 +243,10 @@ pub struct AppConfig {
     /// `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables.
     #[serde(default = "default_system_root_ca_certificates")]
     pub system_root_ca_certificates: bool,
+
+    /// Maximum depth of recursion allowed in the `run_sql` function.
+    #[serde(default = "default_max_recursion_depth")]
+    pub max_recursion_depth: u8,
 }
 
 impl AppConfig {
@@ -490,6 +494,10 @@ fn default_system_root_ca_certificates() -> bool {
         || std::env::var("SSL_CERT_DIR").is_ok_and(|x| !x.is_empty())
 }
 
+fn default_max_recursion_depth() -> u8 {
+    10
+}
+
 #[derive(Debug, Deserialize, Serialize, PartialEq, Clone, Copy, Eq, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum DevOrProd {

src/webserver/database/sqlpage_functions/functions.rs

@@ -448,11 +448,11 @@ async fn run_sql<'a>(
         log::debug!("run_sql: first argument is NULL, returning NULL");
         return Ok(None);
     };
-    let sql_file = request
-        .app_state
+    let app_state = &request.app_state;
+    let sql_file = app_state
         .sql_file_cache
         .get_with_privilege(
-            &request.app_state,
+            app_state,
             std::path::Path::new(sql_file_path.as_ref()),
             true,
         )
@@ -466,11 +466,14 @@ async fn run_sql<'a>(
     } else {
         request.clone()
     };
-    if tmp_req.clone_depth > 8 {
-        anyhow::bail!("Too many nested inclusions. run_sql can include a file that includes another file, but the depth is limited to 8 levels. \n\
+    let max_recursion_depth = app_state.config.max_recursion_depth;
+    if tmp_req.clone_depth > max_recursion_depth {
+        anyhow::bail!("Too many nested inclusions. run_sql can include a file that includes another file, but the depth is limited to {max_recursion_depth} levels. \n\
         Executing sqlpage.run_sql('{sql_file_path}') would exceed this limit. \n\
         This is to prevent infinite loops and stack overflows.\n\
-        Make sure that your SQL file does not try to run itself, directly or through a chain of other files.");
+        Make sure that your SQL file does not try to run itself, directly or through a chain of other files.\n\
+        If you need to include more files, you can increase max_recursion_depth in the configuration file.\
+        ");
     }
     let mut results_stream =
         crate::webserver::database::execute_queries::stream_query_results_boxed(