
fix(server): validate SHOW statement expressions#293

Merged: lentil32 merged 1 commit into main from fix/show-readonly-validation on Jun 25, 2026

Conversation

@lentil32

Contributor

One-Line Summary

Allow safe SHOW metadata queries while keeping side-effecting SQL expressions blocked.

User-Facing Changes

  • SHOW metadata statements can now pass read-only SQL validation.
  • Mutating SQL still returns "Only SELECT or SHOW queries are allowed. Got: ...".
  • MySQL SHOW ... WHERE GET_LOCK(...) and SHOW ... WHERE SLEEP(...) are rejected like the same functions in SELECT.

Why This Changed

The read-only validator previously treated top-level SHOW as non-select SQL and rejected metadata inspection queries. The first implementation allowed SHOW by bypassing read-only checks entirely, which left executable expressions inside MySQL SHOW ... WHERE clauses unchecked.

How It Changed

  • Classifies top-level SHOW statements as read-only candidates alongside SELECT.
  • Keeps AST traversal for allowed SHOW statements so unsafe functions and nested side-effecting expressions are still rejected.
  • Allows the top-level ClickHouse/Laminar SHOW command node without allowing nested side-effecting command nodes.
  • Updates the Athena connector's lightweight validator to allow SHOW, including metadata forms such as SHOW CREATE TABLE.

Bug Fixes

  • Under MySQL SHOW ... WHERE clauses, side-effecting functions could pass validation after SHOW was added; this now rejects GET_LOCK and SLEEP.

Extra Context / Decisions (Optional)

  • SHOW CREATE TABLE is treated as read-only metadata even though the statement text contains the CREATE keyword.
  • Video/screenshot is not applicable because this only changes query validation logic.

Verification

  • rtk mise exec -- bun --cwd packages/server vitest run src/services/data-source-query/validate-sql.test.ts
  • rtk mise exec -- bunx turbo test --json --filter=@onequery/server --filter=@onequery/connector
  • rtk mise exec -- bunx turbo typecheck --json --filter=@onequery/server --filter=@onequery/connector
  • rtk mise exec -- bun lint --format json
  • rtk mise exec -- bun run format
  • rtk git push -u origin fix/show-readonly-validation ran the pre-push lint-full hook successfully.

Video / Screenshot (Optional)

  • N/A
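As an added illustration of the rule this PR describes (example code, not the onequery project's validator, which walks a parsed AST rather than scanning tokens): a simplified TypeScript check that treats top-level SELECT and SHOW as read-only candidates but still inspects function calls anywhere in the statement, including a MySQL SHOW ... WHERE clause, shown next to the bypass variant the PR replaced. The function names and the side-effecting blocklist are constructed for this example.

```typescript
// Added example, not the onequery project's validator: a simplified, token-based
// read-only check. Top-level SELECT/SHOW are read-only candidates, but function
// calls anywhere in the statement (including SHOW ... WHERE) are still inspected.
// The blocklist below is a constructed sample, not the project's list.
const SIDE_EFFECT_FUNCTIONS = new Set(["GET_LOCK", "RELEASE_LOCK", "SLEEP", "BENCHMARK"]);
const READ_ONLY_LEADING = new Set(["SELECT", "SHOW"]);
export type ValidationResult = { ok: true } | { ok: false; reason: string };

// Blank out comments and string literals so text inside them can neither
// trigger a false match nor hide a real function call from the scan.
function stripLiteralsAndComments(sql: string): string {
  return sql
    .replace(/--[^\n]*|#[^\n]*|\/\*[\s\S]*?\*\//g, " ")
    .replace(/'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g, " '' ");
}

function leadingKeyword(sql: string): string {
  const m = /^[\s(]*([A-Za-z_]+)/.exec(sql);
  return m?.[1]?.toUpperCase() ?? "";
}

// The fixed behaviour: SHOW is allowed at the top level and the whole statement
// is still scanned, so SHOW ... WHERE SLEEP(5) is rejected like SELECT SLEEP(5).
export function validateReadOnlySql(sql: string): ValidationResult {
  const cleaned = stripLiteralsAndComments(sql).trim().replace(/;\s*$/, "");
  if (cleaned.includes(";")) {
    return { ok: false, reason: "Multiple statements are not allowed" };
  }
  const kw = leadingKeyword(cleaned);
  if (!READ_ONLY_LEADING.has(kw)) {
    return { ok: false, reason: `Only SELECT or SHOW queries are allowed. Got: ${kw || "<empty>"}` };
  }
  // Any identifier directly followed by "(" is treated as a function call.
  const callRe = /\b([A-Za-z_][A-Za-z0-9_]*)\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = callRe.exec(cleaned)) !== null) {
    const fn = (m[1] ?? "").toUpperCase();
    if (SIDE_EFFECT_FUNCTIONS.has(fn)) {
      return { ok: false, reason: `Side-effecting function not allowed: ${fn}` };
    }
  }
  return { ok: true };
}

// The regressed first implementation the PR describes, kept for contrast: SHOW
// short-circuits validation, so SHOW ... WHERE SLEEP(5) passes unchecked.
export function validateWithShowBypass(sql: string): ValidationResult {
  if (leadingKeyword(stripLiteralsAndComments(sql)) === "SHOW") return { ok: true };
  return validateReadOnlySql(sql);
}
```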

@cloudflare-workers-and-pages


Deploying with Cloudflare Workers

Status: Deployment successful. Name: onequery-landing. Latest commit: e628ff4. Preview URLs: Commit Preview URL, Branch Preview URL. Updated (UTC): Jun 25 2026, 11:46 AM.

@lentil32 lentil32 merged commit 367daa1 into main Jun 25, 2026
9 checks passed
@lentil32 lentil32 deleted the fix/show-readonly-validation branch June 25, 2026 11:52