issue_comments: 1292674919

html_url: https://github.com/simonw/datasette/issues/1860#issuecomment-1292674919
issue_url: https://api.github.com/repos/simonw/datasette/issues/1860
id: 1292674919
node_id: IC_kwDOBm6k_c5NDKdn
user: 9599
created_at: 2022-10-26T21:31:22Z
updated_at: 2022-10-26T21:31:22Z
author_association: OWNER
body:

I'm experimenting with this:
```python
import re

# Allow SQL to start with a /* */ or -- comment
comment_re = (
    # Start of string, then any amount of whitespace
    r'^(\s*' +
    # Comment that starts with -- and ends at a newline
    r'(?:--.*?\n\s*)' +
    # Comment that starts with /* and ends with */
    r'|(?:/\*[\s\S]*?\*/)' +
    # Whitespace
    r')*\s*'
)

allowed_sql_res = [
    re.compile(comment_re + r"select\b"),
    re.compile(comment_re + r"explain\s+select\b"),
    re.compile(comment_re + r"explain\s+query\s+plan\s+select\b"),
    re.compile(comment_re + r"with\b"),
    re.compile(comment_re + r"explain\s+with\b"),
    re.compile(comment_re + r"explain\s+query\s+plan\s+with\b"),
]
```
This should allow any number of comments of either type as a suffix to the allowed SQL patterns.

Needs extensive unit tests!

I'm not massively worried if it has a flaw in it though, since this is part of Datasette's defense in depth: if a non-SELECT query sneaks through it still shouldn't be able to cause any damage as the database connection is read-only or immutable.

reactions:
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
issue: 1424378012
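Following the "Needs extensive unit tests!" note in the comment, here is an added example (not part of the original comment or of Datasette's code) that runs the posted patterns over constructed SQL strings. The `TEMPERED` variant, the helper names and lowercasing the input before matching are assumptions of this example.

```python
import re

# Patterns as posted in the comment above.
POSTED = r"^(\s*(?:--.*?\n\s*)|(?:/\*[\s\S]*?\*/))*\s*"
# Assumption of this example: a tempered block-comment pattern that cannot
# run past the first */, with trailing whitespace consumed inside the group.
TEMPERED = r"^(?:\s*--.*?\n\s*|/\*(?:(?!\*/)[\s\S])*\*/\s*)*\s*"

STARTS = [
    r"select\b",
    r"explain\s+select\b",
    r"explain\s+query\s+plan\s+select\b",
    r"with\b",
    r"explain\s+with\b",
    r"explain\s+query\s+plan\s+with\b",
]

def build(prefix):
    return [re.compile(prefix + start) for start in STARTS]

def is_allowed(sql, patterns):
    # Assumption: input is lowercased before matching (the patterns are lowercase).
    sql = sql.lower()
    return any(p.match(sql) for p in patterns)

# Constructed inputs: (sql, expected with POSTED, expected with TEMPERED)
CASES = [
    ("select 1", True, True),
    ("-- note\nselect 1", True, True),
    ("/* note */ select 1", True, True),
    ("-- a\n/* b */\n-- c\nwith x as (select 1) select * from x", True, True),
    ("/* a */ /* b */ explain query plan select 1", True, True),
    ("-- select 1", False, False),  # comment only, no newline, nothing after it
    ("/* unterminated select 1", False, False),
    ("/* a */ update t set x = 1", False, False),
    # Backtracking lets the lazy [\s\S]*? stretch from the first /* to the
    # second */, so the text between the two comments is skipped as "comment".
    ("/* a */ insert into t /* b */ select 1", True, False),
]

def run(cases=CASES):
    posted, tempered = build(POSTED), build(TEMPERED)
    return [(is_allowed(s, posted), is_allowed(s, tempered)) for s, _, _ in cases]

if __name__ == "__main__":
    for (sql, _, _), (got_posted, got_tempered) in zip(CASES, run()):
        print(f"posted={got_posted!s:5} tempered={got_tempered!s:5} {sql!r}")
```

The last case is the one to watch: the posted prefix accepts it, while the tempered prefix rejects it.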