Better blacklist check (#414)
* Updating deps in optional requirements

* Fix #412 - Improve blacklist checker
marksweb authored Oct 16, 2020
1 parent 825adca commit 0f074cd
Showing 3 changed files with 35 additions and 17 deletions.
28 changes: 14 additions & 14 deletions README.rst
@@ -317,25 +317,25 @@ minimum.

*Python*

=========================================================== ======= ================
Name Version License
=========================================================== ======= ================
`sqlparse <https://github.com/andialbrecht/sqlparse/>`_ 0.4.0 BSD
=========================================================== ======= ================
=========================================================== ======== =========
Name Version License
=========================================================== ======== =========
`sqlparse <https://github.com/andialbrecht/sqlparse/>`_ 0.4.0 BSD
=========================================================== ======== =========

- sqlparse is used for SQL formatting

*Python - Optional Dependencies*

==================================================================== ======= ================
Name Version License
==================================================================== ======= ================
`celery <http://www.celeryproject.org/>`_ 3.1 BSD
`django-celery <http://www.celeryproject.org/>`_ 3.1 BSD
`Factory Boy <https://github.com/rbarrois/factory_boy>`_ 2.12.0 MIT
`xlsxwriter <http://xlsxwriter.readthedocs.io/>`_ 1.2.1 BSD
`boto <https://github.com/boto/boto>`_ 2.46 MIT
==================================================================== ======= ================
==================================================================== =========== =============
Name Version License
==================================================================== =========== =============
`celery <http://www.celeryproject.org/>`_ >=3.1,<4 BSD
`django-celery <http://www.celeryproject.org/>`_ >=3.3.1 BSD
`Factory Boy <https://github.com/rbarrois/factory_boy>`_ >=3.1.0 MIT
`xlsxwriter <http://xlsxwriter.readthedocs.io/>`_ >=1.3.6 BSD
`boto <https://github.com/boto/boto>`_ >=2.49 MIT
==================================================================== =========== =============

- Factory Boy is required for tests
- celery is required for the 'email' feature, and for snapshots
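Review bot: the "Version" column in the optional-dependencies table now holds pip-style specifiers (`>=3.1,<4`, `>=3.3.1`) rather than the single tested versions it held before, while the table heading is unchanged and the sqlparse table above still lists a plain `0.4.0`; either rename the column (e.g. "Supported versions") or add a sentence saying these are minimum supported versions, and consider pointing readers at the optional requirements file so the two do not drift apart again. The first table in this hunk changes only column widths with no content change, which is harmless but is noise in the diff.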
4 changes: 4 additions & 0 deletions explorer/tests/test_utils.py
@@ -49,6 +49,10 @@ def test_queries_dropping_views_is_not_ok_and_not_case_sensitive(self):
sql = "SELECT 1+1 AS TWO; drop ViEw foo;"
self.assertFalse(passes_blacklist(sql)[0])

def test_queries_containing_drop_in_word_is_ok(self):
sql = "SELECT * FROM student droptable WHERE name LIKE 'Robert%'"
self.assertTrue(passes_blacklist(sql)[0])

def test_sql_whitelist_ok(self):
app_settings.EXPLORER_SQL_WHITELIST = ['dropper']
sql = "SELECT 1+1 AS TWO; dropper ViEw foo;"
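Review bot: the new test `test_queries_containing_drop_in_word_is_ok` only covers a blacklisted word appearing as the prefix of a longer identifier (`droptable`); since the fix in `explorer/utils.py` switches the check to a word-boundary regex, it should also pin down the cases that must still be rejected, in particular a blacklisted word bounded by punctuation rather than whitespace (e.g. `SELECT 1;DROP VIEW foo` or `(drop`), and a word where the blacklisted term is a suffix (e.g. `backdrop`), so that a later change to the boundary expression cannot silently reopen the check. The existing `test_sql_whitelist_ok` below uses `dropper`, which exercises the whitelist path rather than the boundary behaviour, so it does not substitute for these.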
20 changes: 17 additions & 3 deletions explorer/utils.py
@@ -13,14 +13,28 @@

def passes_blacklist(sql):
clean = functools.reduce(
lambda sql, term: sql.upper().replace(term, ""),
lambda s, term: s.upper().replace(term, ''),
[t.upper() for t in app_settings.EXPLORER_SQL_WHITELIST],
sql
)

regex_blacklist = [
(
bl_word,
re.compile(
r'(^|\W){}($|\W)'.format(bl_word),
flags=re.IGNORECASE
)
)
for bl_word in app_settings.EXPLORER_SQL_BLACKLIST
]

fails = [
bl_word for bl_word in app_settings.EXPLORER_SQL_BLACKLIST
if bl_word in clean.upper()
bl_word
for bl_word, bl_regex in regex_blacklist
if bl_regex.findall(clean)
]

return not any(fails), fails


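Review bot: in the `regex_blacklist` comprehension, `bl_word` is interpolated into the pattern unescaped (`r'(^|\W){}($|\W)'.format(bl_word)`), so any blacklist entry containing a regex metacharacter (a `(`, `.`, `+` or `*`) will either fail to compile or match something other than the literal term; wrap it as `re.escape(bl_word)` before formatting. Two smaller points on the same lines: the patterns are rebuilt on every call to `passes_blacklist`, although `EXPLORER_SQL_BLACKLIST` is a setting, so compiling them once at module load (or caching them) would avoid the repeated `re.compile`; and `bl_regex.findall(clean)` builds a list of capture-group tuples only to test it for truthiness, where `bl_regex.search(clean)` expresses the intent and stops at the first hit. Separately, the whitelist pass above still strips each whitelisted term as a bare substring (`s.upper().replace(term, '')`), so removing a term from the middle of a longer token can splice the surrounding characters into a new token; that is pre-existing behaviour, but worth a comment now that the blacklist side is word-boundary aware.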

0 comments on commit 0f074cd