Skip to content

fix(server): validate MotherDuck unsafe functions#295

Merged
siisee11 merged 1 commit into
mainfrom
codex/use-onequery-validator
Jun 26, 2026
Merged

fix(server): validate MotherDuck unsafe functions#295
siisee11 merged 1 commit into
mainfrom
codex/use-onequery-validator

Conversation

@siisee11

Copy link
Copy Markdown
Contributor

One-Line Summary

MotherDuck read-only SQL validation now blocks PostgreSQL side-effecting functions from the shared OneQuery validator.

User-Facing Changes

  • MotherDuck queries such as SELECT pg_advisory_lock(1) are rejected with Side-effecting SQL functions are not allowed: pg_advisory_lock.
  • Existing PostgreSQL, MySQL, Snowflake, SHOW, and Cloudflare R2 SQL metadata validation behavior remains in the shared validator.

Why This Changed

Velen had a local validator copy that treated MotherDuck like PostgreSQL for unsafe function checks. Moving Velen to use OneQuery as the source of truth requires that policy to live in OneQuery first so consumers do not lose the protection.

How It Changed

  • Extends isUnsafeFunctionName so motherduck uses the PostgreSQL unsafe function denylist.
  • Adds a MotherDuck assertion to validate-sql.test.ts for pg_advisory_lock.

Bug Fixes

  • Fixes a gap where a consumer delegating to OneQuery directly would allow PostgreSQL side-effecting functions for MotherDuck.

Verification

  • bun run --cwd vendor/onequery/packages/server vitest run src/services/data-source-query/validate-sql.test.ts
  • bunx turbo typecheck --json --filter=@onequery/server --filter=@velen/server --filter=@velen/web

Video / Screenshot (Optional)

  • N/A

@siisee11 siisee11 enabled auto-merge (squash) June 26, 2026 01:59
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
onequery-landing 8276ae8 Commit Preview URL

Branch Preview URL
Jun 26 2026, 02:02 AM

@siisee11 siisee11 merged commit 6f37d29 into main Jun 26, 2026
9 checks passed
@siisee11 siisee11 deleted the codex/use-onequery-validator branch June 26, 2026 02:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant