* Sanitize NaN, Infinite, -Infinite causing error when saving as PostgreSQL JSON #7339 (2nd try)
* Move json sanitize to the top of json_dumps
* Fix comment
* add default limit 1000
* Add frontend changes and connect to backend
* Fix query hash because of default limit
* fix CircleCI test
* adjust for comment
* change API to /api/queries/:id/dropdowns/:dropdown_id
* extract property
* split to 2 different dropdown endpoints and implement the second
* make access control optional for dropdowns (assuming it is verified at a
different level)
* add test cases for /api/queries/:id/dropdowns/:id
* use new /dropdowns endpoint in frontend
* require access to dropdown queries when creating or updating parent
queries
* rename Query resource dropdown endpoints
* check access to dropdown query associations in one fugly query
* move ParameterizedQuery to models folder
* add dropdown association tests to query creation
* move group by query ids query into models.Query
* use bound parameters for groups query
* format groups query
* use new associatedDropdowns endpoint in dashboards
* pass down parameter and let it return dropdown options. Go Levko!
* change API to /api/queries/:id/dropdowns/:dropdown_id
* split to 2 different dropdown endpoints and implement the second
* use new /dropdowns endpoint in frontend
* pass down parameter and let it return dropdown options. Go Levko!
* fix bad rebase
* add comment to clarify the purpose of checking the queryId
* convert all dropdown values to strings to support parameter lookup.
solves #3562
* unicode all the way down
* show correct default values in QueryBasedParameterInput by converting
them to strings
* use the textless endpoint (/api/queries/:id/results) for pristine
queries
* reverse conditional. not not is making me the headaches.
* add ParameterizedQuery#is_safe with an initial naive implementation which
treats any query with a text parameter as not safe. This will be
remedied later when DB drivers will handle these parameters.
* allow getting new query results even if user has only view permissions
to the data source (given that the query is safe)
* fix lint error - getDerivedStateFromProps should be placed after state
* Revert "use the textless endpoint (/api/queries/:id/results) for pristine"
This reverts commit cd2cee7738.
* move execution preparation to a different function, which will be soon
reused
* go to textless /api/queries/:id/results by default
* let the query view decide if text or textless endpoint is needed
* allow safe queries to be executed in the UI even if the user has no
permission to execute and create new query results
* change `run_query`'s signature to accept a ParameterizedQuery instead of
constructing it inside
* use dict#get instead of a None guard
* use ParameterizedQuery in queries handler as well
* test that /queries/:id/results allows execution of safe queries even if
user has view_only permissions
* lint
* raise HTTP 400 when receiving invalid parameter values. Fixes #3394
* remove unused methods
* avoid cyclic imports by importing only when needed
* verify that a ParameterizedQuery without any parameters is considered
safe
* introduce query.parameter_schema
* encapsulate ParameterizedQuery creation inside Query
* stop testing `collect_query_parameters`, it's an implementation detail
* add tests for `missing_query_params`
* rename SQLQuery -> ParameterizedSqlQuery
* rename sql_query.py to parameterized_query.py
* split to parameterized queries and parameterized SQL queries, where
parameterized queries only do templating and parameterized SQL queries
add tree validation on top of it
* move missing parameter detection to ParameterizedQuery
* get rid of some old code
* fix tests
* set syntax to `custom`
* revert the max-age-related refactoring
* 👋 tree validations 😢
* BaseQueryRunner is no longer a factory for ParameterizedQuery, for now
* add an endpoint for running a query by its id and (optional) parameters
without having to provide the query text
* adds parameter schema to ParameterizedQuery
* adds parameter schema validation (currently for strings)
* validate number parameters
* validate date parameters
* validate parameters on POST /api/queries/<id>/results
* validate enum parameters
* validate date range parameters
* validate query-based dropdowns by preprocessing them at the handler
level and converting them to a populated enum
* change _is_date_range to be a tad more succinct
* a single assignment with a `map` is sufficiently explanatory
* Update redash/utils/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* Update redash/utils/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* Update redash/utils/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* Update redash/utils/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* Update redash/handlers/query_results.py
Co-Authored-By: rauchy <omer@rauchy.net>
* Update redash/utils/parameterized_query.py
Co-Authored-By: rauchy <omer@rauchy.net>
* build error message inside the error
* support all types of numbers as number parameters
* check for permissions when populating query-based dropdowns
* check for access to query before running it
* check for empty rows when populating query-based enums
* don't bother loading query results if user doesn't have access
* 💥 on unexpected parameter types
* parameter schema default is a list, not a dictionary
* fix a totally unrelated typo
* remove redundant null guards
* introduce /dropdown.json endpoint with dummy data
* wire frontend to /dropdown.json
* always return name/value combos from /dropdown.json
* load actual data into /dropdown.json
* pluck correct values for `name` and `value`
* reuse dropdown plucking logic in QueryResultResource
* simplify _get_dropdown_values
* when doing parameter validation, we only care about the value and not
the display name
* rename dropdown to dropdownOptions
* move dropdown_values to utils/parameterized_query.py
* stop converting queries to enums and encapsulate the work inside
ParameterizedQuery (almost - /dropdown.json would still access the
dropdown_values method)
* re-order arguments by importance
* test query parameter validation
* tests for dropdown_values logic
* remove `.json` suffix from the dropdown endpoint
* allow `BaseResource` to handle JSON stuff
* move _pluck_name_and_value outside its containing method
* case-insensitive lookup when plucking name and value
* separate concerns and simplify test isolation for `dropdown_values`
* pick the default column according to the order specified in the query
result columns attribute
* use `current_org` instead of passing `org`
* test that user has access to the query when calling the /dropdown
endpoint
* add SQLQuery class with tests for safe queries and non-safe tautology attacks
* add test for union query injections
* split .apply calls to newline
* add tests for comment attacks
* remove double underscore
* extract complex children check to variable
* inherit from object because I'm not a lamer
Co-Authored-By: rauchy <omer@rauchy.net>
* simplify cognitive complexity
* check that additional columns are not injected
* detect appended queries
* inline .apply calls
* move SQLQuery to its own module
* move SQLQuery tests to their own module
* serialize SQLQuery instances
* raise an exception when attempting to serialize an unsafe query
* queries without parameters are safe
* remove redundant parentheses
* use cached properties
* rename SQLInjectionException to SQLInjectionError
* support multiple word params and param negations
* refactor out methods that don't involve any state
* don't cache text()
* reduce cognitive complexity
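The commits above describe, in fragments, one mechanism: a parameter schema attached to a query, per-type validation of submitted values (number, date, date-range, enum), query-based dropdowns that are populated at the handler level and turned into an enum before validation, dropdown values plucked case-insensitively from `name`/`value` columns and coerced to strings, an HTTP 400 on mismatches, and a naive `is_safe` rule that treats any text parameter as unsafe. The following is an added example that reconstructs that flow end to end; it is not Redash's own code. The class and property names (`ParameterizedQuery`, `apply`, `missing_params`, `is_safe`, `dropdown_values`) echo the commit messages, while `InvalidParameterError`, `populate_dropdowns`, the schema field names and the sample query result are assumptions made for the illustration.

```python
"""Added illustration of parameter-schema validation and dropdown plucking.
Not Redash code: names follow the commit log, the implementation is assumed."""
import datetime
import numbers
import re


class InvalidParameterError(ValueError):
    """Raised for values that do not fit their declared type; the HTTP
    handler is expected to turn this into a 400 response (assumed name)."""


def _is_date(value):
    try:
        datetime.datetime.strptime(value, "%Y-%m-%d")
        return True
    except (TypeError, ValueError):
        return False


def _is_date_range(value):
    return (isinstance(value, dict)
            and _is_date(value.get("start")) and _is_date(value.get("end")))


def dropdown_values(query_result):
    """Pluck name/value pairs from a stored query result for a query-based
    dropdown. `name`/`value` columns are matched case-insensitively; otherwise
    the first column (result column order) serves as both. Values are coerced
    to str so parameter lookup works whatever the source type was."""
    rows = query_result["rows"]
    if not rows:                       # empty result: no options, not an error
        return []
    columns = [c["name"] for c in query_result["columns"]]
    lowered = {c.lower(): c for c in columns}
    name_col = lowered.get("name", columns[0])
    value_col = lowered.get("value", columns[0])
    return [{"name": str(r[name_col]), "value": str(r[value_col])} for r in rows]


def populate_dropdowns(schema, results_by_query_id):
    """Handler-level preprocessing (assumed helper): convert each query-based
    dropdown into a populated enum so validation only compares values, never
    display names. The caller must already have checked access to each
    dropdown query before handing its result in here."""
    populated = []
    for definition in schema:
        if definition["type"] == "query":
            options = dropdown_values(results_by_query_id[definition["queryId"]])
            definition = dict(definition, type="enum",
                              enumOptions=[o["value"] for o in options])
        populated.append(definition)
    return populated


class ParameterizedQuery(object):
    _PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

    def __init__(self, template, schema=None):
        self.template = template
        self.schema = schema or []     # schema default is a list, not a dict
        self.parameters = {}

    def apply(self, parameters):
        invalid = sorted(n for n, v in parameters.items() if not self._valid(n, v))
        if invalid:
            raise InvalidParameterError(
                "The following parameter values are incompatible with their "
                "definitions: %s" % ", ".join(invalid))
        self.parameters.update(parameters)
        return self

    def _valid(self, name, value):
        definition = next((d for d in self.schema if d["name"] == name), None)
        if definition is None:
            return False               # undeclared parameter: reject, never template it
        kind = definition["type"]
        if kind == "text":
            return isinstance(value, str)
        if kind == "number":           # bool subclasses Number; a checkbox is not a number
            return isinstance(value, numbers.Number) and not isinstance(value, bool)
        if kind == "date":
            return _is_date(value)
        if kind == "date-range":
            return _is_date_range(value)
        if kind == "enum":
            return value in definition["enumOptions"]
        raise ValueError("unexpected parameter type: %s" % kind)

    @property
    def missing_params(self):
        needed = {m.split(".")[0] for m in self._PLACEHOLDER.findall(self.template)}
        return needed - set(self.parameters)

    @property
    def is_safe(self):
        # naive rule: a text parameter is templated straight into SQL rather
        # than bound by the driver, so any text parameter makes the query unsafe
        return not any(d["type"] == "text" for d in self.schema)

    @property
    def text(self):
        if self.missing_params:
            raise InvalidParameterError("missing: %s" % ", ".join(sorted(self.missing_params)))

        def render(match):
            value = self.parameters
            for part in match.group(1).split("."):   # supports {{ range.start }}
                value = value[part]
            return str(value)
        return self._PLACEHOLDER.sub(render, self.template)
```

The order matters: populate the query-based dropdowns first (after checking access to each dropdown query), then `apply` the submitted values so that an out-of-list value, a non-numeric `limit` or a malformed date is rejected before any text is rendered; `is_safe` is consulted separately to decide whether a view-only user may trigger execution at all.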