Hotfix v0.2429.3 (#1433)

* fix: BI-6865 Fix YDB DB_CALL vulnerability (#1432)

fix

* fix: BI-6865 Fix function name collisions between source and sqlalchemy for DB_CALL (#1430)

fix

---------

Co-authored-by: Denis Khamitov <khamitovdr@yandex-team.ru>

Author: robot-datalens-back

lib/dl_connector_clickhouse/dl_connector_clickhouse_tests/db/formula/test_functions_native.py

@@ -22,6 +22,7 @@ def test_native_functions(self, dbe: DbEvaluator) -> None:
         assert dbe.eval('DB_CALL_INT("sign", -5)') == -1
         assert dbe.eval('DB_CALL_INT("sign", 5)') == 1
         assert dbe.eval('DB_CALL_INT("positionCaseInsensitive", "Hello", "l")') == 3
+        assert dbe.eval('DB_CALL_INT("CAST", "3", "UInt32")') == 3
 
         # DB_CALL_FLOAT
         assert dbe.eval('DB_CALL_FLOAT("sign", -5.0)') == -1.0
@@ -30,6 +31,7 @@ def test_native_functions(self, dbe: DbEvaluator) -> None:
 
         # DB_CALL_STRING
         assert dbe.eval('DB_CALL_STRING("reverse", "hello")') == "olleh"
+        assert dbe.eval('DB_CALL_STRING("CAST", 3, "String")') == "3"
 
         # DB_CALL_BOOL
         assert dbe.eval('DB_CALL_BOOL("isFinite", 5)') == True

lib/dl_connector_ydb/dl_connector_ydb/formula/definitions/functions_native.py

@@ -1,7 +1,7 @@
 import re
 
-import sqlalchemy as sa
 from sqlalchemy.sql.elements import ClauseElement
+from sqlalchemy.sql.functions import Function as SqlFunction
 
 from dl_formula.core.nodes import LiteralString
 from dl_formula.definitions.base import (
@@ -24,11 +24,7 @@ def _call_native_impl_yql(func_name_ctx: TranslationCtx, *args: TranslationCtx)
     # Validate function name
     if re.match(r"^[a-zA-Z0-9_]+::[a-zA-Z0-9_]+$", func_name):
         namespace, function = func_name.split("::")
-
-        namespace = getattr(sa.func, namespace)
-        function = getattr(namespace, function)
-
-        return function(*(arg.expression for arg in args))
+        return SqlFunction(function, *(arg.expression for arg in args), packagenames=(namespace,))
 
     return base._call_native_impl(func_name_ctx, *args)
 

lib/dl_formula/dl_formula/definitions/functions_native.py

@@ -1,7 +1,7 @@
 import re
 
-import sqlalchemy as sa
 from sqlalchemy.sql.elements import ClauseElement
+from sqlalchemy.sql.functions import Function as SqlFunction
 
 from dl_formula.core import exc
 from dl_formula.core.datatype import DataType
@@ -28,7 +28,7 @@ def _call_native_impl(func_name_ctx: TranslationCtx, *args: TranslationCtx) -> C
     if not re.match(r"^[a-zA-Z0-9_]+$", func_name):
         raise exc.NativeFunctionForbiddenInputError(func_name)
 
-    return getattr(sa.func, func_name)(*(arg.expression for arg in args))
+    return SqlFunction(func_name, *(arg.expression for arg in args))
 
 
 class DBCall(Function):