Skip to content

Commit

Permalink
DH-4692/updating the SQL guards to use sqlparse
Browse files Browse the repository at this point in the history
  • Loading branch information
MohammadrezaPourreza committed Sep 19, 2023
1 parent 459fb7f commit 55d6c79
Showing 1 changed file with 13 additions and 9 deletions.
22 changes: 13 additions & 9 deletions dataherald/sql_database/base.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
"""SQL wrapper around SQLDatabase in langchain."""
import logging
import re
from typing import Any, List
from urllib.parse import unquote

import sqlparse
from langchain.sql_database import SQLDatabase as LangchainSQLDatabase
from sqlalchemy import MetaData, create_engine, text
from sqlalchemy.engine import Engine
Expand Down Expand Up @@ -119,14 +119,18 @@ def parser_to_filter_commands(cls, command: str) -> str:
"MERGE",
"EXECUTE",
]
pattern = (
r"\b(?:" + "|".join(re.escape(word) for word in sensitive_keywords) + r")\b"
)
match = re.search(pattern, command, re.IGNORECASE)
if match:
raise SQLInjectionError(
f"Sensitive SQL keyword '{match.group()}' detected in the query."
)
parsed_command = sqlparse.parse(command)

for stmt in parsed_command:
for token in stmt.tokens:
if (
isinstance(token, sqlparse.sql.Token)
and token.normalized in sensitive_keywords
):
raise SQLInjectionError(
f"Sensitive SQL keyword '{token.normalized}' detected in the query."
)

return command

def run_sql(self, command: str) -> tuple[str, dict]:
Expand Down

0 comments on commit 55d6c79

Please sign in to comment.