Skip to content

Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELECT INTO#64173

Merged
eladkal merged 2 commits intoapache:mainfrom
eladkal:ai
Mar 26, 2026
Merged

Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELECT INTO#64173
eladkal merged 2 commits intoapache:mainfrom
eladkal:ai

Conversation

@eladkal
Copy link
Copy Markdown
Contributor

@eladkal eladkal commented Mar 24, 2026

Not an expert for this provider but I think we should avoid DML statements.
The validate_sql function only checked the top-level statement type, so queries like
WITH d AS (DELETE FROM users RETURNING *) SELECT * FROM d or SELECT * INTO new_table FROM users
passed validation despite mutating data. This adds a deep AST scan that walks the full parse tree
and rejects any INSERT, UPDATE, DELETE, MERGE, INTO, or Command nodes found anywhere
inside an otherwise-allowed SELECT. The scan only applies when using the default read-only allowlist;
callers who provide custom allowed_types are unaffected.

Was generative AI tooling used to co-author this PR?
  • [v] Yes (please specify the tool below)
    Claude Opus 4.6
  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

kaxil
kaxil reviewed Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@kaxil kaxil left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed!

Comment thread providers/common/ai/src/airflow/providers/common/ai/utils/sql_validation.py Outdated
Comment thread providers/common/ai/src/airflow/providers/common/ai/utils/sql_validation.py
Comment thread providers/common/ai/tests/unit/common/ai/utils/test_sql_validation.py
@eladkal eladkal merged commit 221cdd6 into apache:main Mar 26, 2026
164 of 167 checks passed
@eladkal eladkal deleted the ai branch March 26, 2026 01:24
nailo2c pushed a commit to nailo2c/airflow that referenced this pull request Mar 30, 2026
@eladkal @nailo2c
Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELE…
ea56692 
…CT INTO (apache#64173)

* Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELECT INTO

* fixes
Suraj-kumar00 pushed a commit to Suraj-kumar00/airflow that referenced this pull request Apr 7, 2026
@eladkal @Suraj-kumar00
Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELE…
fa6b3a5 
…CT INTO (apache#64173)

* Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELECT INTO

* fixes
abhijeets25012-tech pushed a commit to abhijeets25012-tech/airflow that referenced this pull request Apr 9, 2026
@eladkal
Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELE…
6c79dfb 
…CT INTO (apache#64173)

* Fix SQLToolset read-only mode bypass via data-modifying CTEs and SELECT INTO

* fixes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaxil kaxil kaxil approved these changes

@gopidesupavan gopidesupavan gopidesupavan approved these changes

Assignees

No one assigned

Labels

area:providers provider:common-ai

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eladkal @kaxil @gopidesupavan