{"html_url": "https://github.com/simonw/datasette/issues/1860#issuecomment-1292685478", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1860", "id": 1292685478, "node_id": "IC_kwDOBm6k_c5NDNCm", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T21:42:35Z", "updated_at": "2022-10-26T21:42:35Z", "author_association": "OWNER", "body": "That's deployed to https://latest.datasette.io/ now - some examples:\r\n\r\n- https://latest.datasette.io/fixtures?sql=--+one+kind+of+comment%0D%0Aselect+*+from+searchable\r\n- https://latest.datasette.io/fixtures?sql=%2F*+Multi%0D%0A++line+comment+*%2F%0D%0Aselect+*+from+searchable\r\n- https://latest.datasette.io/fixtures?sql=%2F*+Both+kinds+*%2F%0D%0A--+of+comment%0D%0A%2F*+and+more+*%2F%0D%0A--+and+more+and+more%0D%0Aselect+*+from+searchable", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1424378012, "label": "SQL query field can't begin by a comment"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/1860#issuecomment-1292679567", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1860", "id": 1292679567, "node_id": "IC_kwDOBm6k_c5NDLmP", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T21:36:25Z", "updated_at": "2022-10-26T21:36:25Z", "author_association": "OWNER", "body": "I'm never 100% sure how to tell if a regular expression includes a nasty denial of service attack - are there any inputs that could cause this new regex to execute in quadratic time or similar?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1424378012, "label": "SQL query field can't begin by a comment"}, "performed_via_github_app": null} {"html_url": 
"https://github.com/simonw/datasette/issues/1860#issuecomment-1292678657", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1860", "id": 1292678657, "node_id": "IC_kwDOBm6k_c5NDLYB", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T21:35:23Z", "updated_at": "2022-10-26T21:35:37Z", "author_association": "OWNER", "body": "Here are the new tests - each of these should now work: https://github.com/simonw/datasette/blob/55a709c480a1e7401b4ff6208f37a2cf7c682183/tests/test_utils.py#L170-L175", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1424378012, "label": "SQL query field can't begin by a comment"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/1860#issuecomment-1292674919", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1860", "id": 1292674919, "node_id": "IC_kwDOBm6k_c5NDKdn", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T21:31:22Z", "updated_at": "2022-10-26T21:31:22Z", "author_association": "OWNER", "body": "I'm experimenting with this:\r\n```python\r\nimport re\r\n\r\n# Allow SQL to start with a /* */ or -- comment\r\ncomment_re = (\r\n # Start of string, then any amount of whitespace\r\n r'^(\\s*' +\r\n # Comment that starts with -- and ends at a newline\r\n r'(?:\\-\\-.*?\\n\\s*)' +\r\n # Comment that starts with /* and ends with */\r\n r'|(?:/\\*[\\s\\S]*?\\*/)' + \r\n # Whitespace\r\n r')*\\s*'\r\n)\r\n\r\nallowed_sql_res = [\r\n re.compile(comment_re + r\"select\\b\"),\r\n re.compile(comment_re + r\"explain\\s+select\\b\"),\r\n re.compile(comment_re + r\"explain\\s+query\\s+plan\\s+select\\b\"),\r\n re.compile(comment_re + r\"with\\b\"),\r\n re.compile(comment_re + r\"explain\\s+with\\b\"),\r\n re.compile(comment_re + r\"explain\\s+query\\s+plan\\s+with\\b\"),\r\n]\r\n```\r\nThis should allow any number of comments of either type 
as a suffix to the allowed SQL patterns.\r\n\r\nNeeds extensive unit tests!\r\n\r\nI'm not massively worried if it has a flaw in it though, since this is part of Datasette's defense in depth: if a non-SELECT query sneaks through it still shouldn't be able to cause any damage as the database connection is read-only or immutable.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1424378012, "label": "SQL query field can't begin by a comment"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/1860#issuecomment-1292659986", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1860", "id": 1292659986, "node_id": "IC_kwDOBm6k_c5NDG0S", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-10-26T21:14:26Z", "updated_at": "2022-10-26T21:15:22Z", "author_association": "OWNER", "body": "Yeah we should fix this.\r\n\r\nhttps://www.sqlite.org/lang_comment.html - SQLite also supports `-- style` comments.\r\n\r\nI like how explicit the documentation is here:\r\n\r\n> SQL comments begin with two consecutive \"-\" characters (ASCII 0x2d) and extend up to and including the next newline character (ASCII 0x0a) or until the end of input, whichever comes first.\r\n> \r\n> C-style comments begin with \"/*\" and extend up to and including the next \"*/\" character pair or until the end of input, whichever comes first. C-style comments can span multiple lines. 
", "reactions": "{\"total_count\": 1, \"+1\": 1, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1424378012, "label": "SQL query field can't begin by a comment"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/1860#issuecomment-1292390996", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1860", "id": 1292390996, "node_id": "IC_kwDOBm6k_c5NCFJU", "user": {"value": 562352, "label": "CharlesNepote"}, "created_at": "2022-10-26T17:43:41Z", "updated_at": "2022-10-26T17:43:41Z", "author_association": "NONE", "body": "I guess the issue is here: https://github.com/simonw/datasette/blob/9676b2deb07cff20247ba91dad3e84a4ab0b00d1/datasette/utils/__init__.py#L209\r\n\r\nHere is a working regexp allowing it:\r\n```diff\r\n- re.compile(r\"^select\\b\"),\r\n+ re.compile(r\"^\\s*(/\\*.+?(?=\\*/)\\*/\\s*)*select\"),\r\n```\r\n`^\\s*`: beginning with 0 or more \\s (spaces, tabs, newlines...)\r\n`(/\\*.+?(?=\\*/)\\*/\\s*)*`: 0 or more runs of chars beginning with `/*` and ending at the next occurrence of `*/`, followed by 0 or more \\s\r\n\r\nYou can play with the regexp here: https://regex101.com/r/aESXDL/3\r\n\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1424378012, "label": "SQL query field can't begin by a comment"}, "performed_via_github_app": null}
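Review bot: The replacement line `re.compile(r"^\s*(/\*.+?(?=\*/)\*/\s*)*select")` in the diff drops the `\b` that the removed line `re.compile(r"^select\b")` had, so the pattern would also accept input that merely starts with the letters "select"; keep `select\b` at the end. The comment part has further gaps: `.+?` does not match newlines in Python unless `re.DOTALL` is set, so a `/* */` comment that spans lines (which the SQLite docs quoted above say is allowed) will not match, and `[\s\S]*?` would be the safer choice; `.+?` also requires at least one character, so an empty `/**/` comment is rejected; the lookahead `(?=\*/)` is redundant because `\*/` follows it immediately; and `--` comments, which the thread notes SQLite also supports, are not handled at all. Adding test cases for multi-line and `--` comments would make these limits visible.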