Skip to content

fix(sql): avoid false positives in disallowed function checks#40963

Open
LaurinBrechter wants to merge 2 commits into
apache:masterfrom
LaurinBrechter:fix/sql-executor-disallowed-function-false-positives
Open

fix(sql): avoid false positives in disallowed function checks#40963
LaurinBrechter wants to merge 2 commits into
apache:masterfrom
LaurinBrechter:fix/sql-executor-disallowed-function-false-positives

Conversation

@LaurinBrechter

@LaurinBrechter LaurinBrechter commented Jun 11, 2026

Copy link
Copy Markdown

SUMMARY

The SQL executor's disallowed-function check used substring matching on the raw SQL string, causing false positives when column or table names contained a disallowed function name as a substring (e.g. skilllevel triggering the kill blocklist for MySQL).

This change uses SQLScript.check_functions_present() — the same AST-based approach already used in sql_lab.py and models/helpers.py — so only actual function invocations are blocked.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only change.

TESTING INSTRUCTIONS

  1. Configure DISALLOWED_SQL_FUNCTIONS with {"mysql": {"kill"}} in superset_config.py
  2. Run a query that references a column like skilllevel — it should succeed
  3. Run SELECT KILL(123) — it should be rejected with an error mentioning kill
  4. Run unit tests: 
    pytest tests/unit_tests/sql/execution/test_executor.py::test_execute_disallowed_function_not_matched_in_identifiers tests/unit_tests/sql/execution/test_executor.py::test_execute_disallowed_mysql_kill_function -v

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@LaurinBrechter @cursoragent
fix(sql): avoid false positives in disallowed function checks
d28783b 
Use SQLScript.check_functions_present() instead of substring matching
so identifiers containing disallowed function names (e.g. "kill" in
"skilllevel") are not incorrectly blocked.

Co-authored-by: Cursor <cursoragent@cursor.com>
@dosubot dosubot Bot added the sqllab Namespace | Anything related to the SQL Lab label Jun 11, 2026
@bito-code-review

bito-code-review Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Code Review Agent Run #beec35

Actionable Suggestions - 0
Additional Suggestions - 1
  • tests/unit_tests/sql/execution/test_executor.py - 1
    • Inconsistent config mocking · Line 386-397
      The test `test_execute_disallowed_mysql_kill_function` is missing `SQL_MAX_ROW` and `QUERY_LOGGER` config keys that are consistently set in other tests in this file (e.g., lines 364-373, 321, 343). While the test will still function, this inconsistency could cause issues if the test fixture's default values change.
      Code suggestion 
      --- a/tests/unit_tests/sql/execution/test_executor.py
+++ b/tests/unit_tests/sql/execution/test_executor.py
 @@ -391,6 +391,8 @@ def test_execute_disallowed_mysql_kill_function(
      mocker.patch.dict(
          current_app.config,
          {
+            "SQL_MAX_ROW": None,
              "SQL_QUERY_MUTATOR": None,
              "SQLLAB_TIMEOUT": 30,
+            "QUERY_LOGGER": None,
              "DISALLOWED_SQL_FUNCTIONS": {"mysql": {"kill"}},
          },
      )
Review Details
  • Files reviewed - 2 · Commit Range: d28783b..d28783b
    • superset/sql/execution/executor.py
    • tests/unit_tests/sql/execution/test_executor.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

codeant-ai-for-open-source[bot]
codeant-ai-for-open-source Bot reviewed Jun 11, 2026
View reviewed changes
Comment thread superset/sql/execution/executor.py Outdated
Comment thread tests/unit_tests/sql/execution/test_executor.py Outdated
@pull-request-size pull-request-size Bot added size/L and removed size/M labels Jun 11, 2026
@LaurinBrechter

LaurinBrechter commented Jun 11, 2026

Copy link
Copy Markdown
Author

/review

bito-code-review[bot]
bito-code-review Bot reviewed Jun 11, 2026
View reviewed changes

@bito-code-review bito-code-review Bot left a comment
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #1be33c

Actionable Suggestions - 1
  • superset/sql/parse.py - 1
Review Details
  • Files reviewed - 3 · Commit Range: d28783b..bc26b66
    • superset/sql/execution/executor.py
    • superset/sql/parse.py
    • tests/unit_tests/sql/execution/test_executor.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Comment thread superset/sql/parse.py
Comment on lines 838 to +871
@@ -864,7 +868,7 @@ def check_functions_present(self, functions: set[str]) -> bool:
else:
present.add(function.name.upper())

return any(function.upper() in present for function in functions)
return present

@bito-code-review bito-code-review Bot Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing unit tests for new method

The new public method get_present_functions() has no direct unit tests. Only indirect coverage exists via check_functions_present tests. Per BITO.md rule [11730], new tools should have dedicated unit tests covering success paths, error scenarios, and edge cases.

Code Review Run #1be33c

Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

@bito-code-review

bito-code-review Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Code Review Agent Run #32fd30

Actionable Suggestions - 0
Additional Suggestions - 1
  • superset/sql/parse.py - 1
    • Missing unit tests for get_present_functions · Line 1472-1479
      The new `get_present_functions()` public method on `SQLScript` lacks dedicated unit tests. While `check_functions_present` indirectly tests this functionality, BITO.md rule [11730] recommends comprehensive unit tests for new tools covering success paths, error scenarios, and edge cases.
Review Details
  • Files reviewed - 3 · Commit Range: d28783b..bc26b66
    • superset/sql/execution/executor.py
    • superset/sql/parse.py
    • tests/unit_tests/sql/execution/test_executor.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@bito-code-review bito-code-review[bot] bito-code-review[bot] left review comments

@codeant-ai-for-open-source codeant-ai-for-open-source[bot] codeant-ai-for-open-source[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/L sqllab Namespace | Anything related to the SQL Lab

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LaurinBrechter