ServerSideExpressions: Disable SQL Expressions to prevent RCE and LFI vulnerability (#94942)

* disable sql expressions remove duckdb ref * Run `make update-workspace` --------- Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
2025-02-25 18:55:37 -06:00 · 2024-10-18 11:28:26 +01:00
parent cbe1e7d63f
commit ea71201ddc
7 changed files with 47 additions and 34 deletions
--- a/pkg/expr/reader.go
+++ b/pkg/expr/reader.go
@@ -126,6 +126,10 @@ func (h *ExpressionQueryReader) ReadQuery(
 		}

 	case QueryTypeSQL:
+		enabled := enableSqlExpressions(h)
+		if !enabled {
+			return eq, fmt.Errorf("sqlExpressions is not implemented")
+		}
 		q := &SQLExpression{}
 		err = iter.ReadVal(q)
 		if err == nil {
@@ -186,3 +190,11 @@ func getReferenceVar(exp string, refId string) (string, error) {
 	}
 	return exp, nil
 }
+
+func enableSqlExpressions(h *ExpressionQueryReader) bool {
+	enabled := !h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
+	if enabled {
+		return false
+	}
+	return false
+}
--- a/pkg/expr/sql/db.go
+++ b/pkg/expr/sql/db.go
@@ -0,0 +1,26 @@
+package sql
+
+import (
+	"errors"
+
+	"github.com/grafana/grafana-plugin-sdk-go/data"
+)
+
+type DB struct {
+}
+
+func (db *DB) TablesList(rawSQL string) ([]string, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (db *DB) RunCommands(commands []string) (string, error) {
+	return "", errors.New("not implemented")
+}
+
+func (db *DB) QueryFramesInto(name string, query string, frames []*data.Frame, f *data.Frame) error {
+	return errors.New("not implemented")
+}
+
+func NewInMemoryDB() *DB {
+	return &DB{}
+}
--- a/pkg/expr/sql/parser.go
+++ b/pkg/expr/sql/parser.go
@@ -8,7 +8,6 @@ import (

 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/jeremywohl/flatten"
-	"github.com/scottlepp/go-duck/duck"
 )

 const (
@@ -21,7 +20,7 @@ var logger = log.New("sql_expr")

 // TablesList returns a list of tables for the sql statement
 func TablesList(rawSQL string) ([]string, error) {
-	duckDB := duck.NewInMemoryDB()
+	duckDB := NewInMemoryDB()
 	rawSQL = strings.Replace(rawSQL, "'", "''", -1)
 	cmd := fmt.Sprintf("SELECT json_serialize_sql('%s')", rawSQL)
 	ret, err := duckDB.RunCommands([]string{cmd})
--- a/pkg/expr/sql_command.go
+++ b/pkg/expr/sql_command.go
@@ -7,7 +7,6 @@ import (
 	"time"

 	"github.com/grafana/grafana-plugin-sdk-go/data"
-	"github.com/scottlepp/go-duck/duck"

 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	"github.com/grafana/grafana/pkg/expr/mathexp"
@@ -94,11 +93,11 @@ func (gr *SQLCommand) Execute(ctx context.Context, now time.Time, vars mathexp.V

 	rsp := mathexp.Results{}

-	duckDB := duck.NewInMemoryDB()
+	db := sql.NewInMemoryDB()
 	var frame = &data.Frame{}

 	logger.Debug("Executing query", "query", gr.query, "frames", len(allFrames))
-	err := duckDB.QueryFramesInto(gr.refID, gr.query, allFrames, frame)
+	err := db.QueryFramesInto(gr.refID, gr.query, allFrames, frame)
 	if err != nil {
 		logger.Error("Failed to query frames", "error", err.Error())
 		rsp.Error = err