Fix raw query escaping

[ea-rus]

Alternative to #59

[github-actions]

Coverage Report

File	Stmts	Miss	Cover	Missing
mindsdb_sql_parser
__about__.py	10	10	0%	1–10
__init__.py	119	22	82%	44, 48, 53, 98, 115, 139–158, 165–166
lexer.py	280	21	92%	368, 370, 372, 384, 386, 388, 394–412
logger.py	19	4	79%	14, 17, 23, 26
parser.py	1107	32	97%	129, 133, 288, 313, 419, 605, 622, 646–647, 868, 922, 999, 1100, 1153, 1163, 1202–1203, 1232, 1243, 1326, 1402, 1441, 1477, 1670–1671, 1846–1847, 2023, 2031, 2084–2087
utils.py	46	4	91%	73–79
mindsdb_sql_parser/ast
base.py	36	5	86%	13, 28, 31, 46, 51
create.py	80	12	85%	23–31, 92–97
drop.py	52	2	96%	10, 13
insert.py	63	4	94%	39–41, 46
show.py	48	1	98%	18
update.py	53	5	91%	40–42, 75–76
mindsdb_sql_parser/ast/mindsdb
knowledge_base.py	97	1	99%	80
mindsdb_sql_parser/ast/select
case.py	37	1	97%	22
constant.py	36	1	97%	23
data.py	11	4	64%	10–12, 15, 19
identifier.py	83	11	87%	56, 104–112, 122
native_query.py	13	1	92%	25
operation.py	139	4	97%	57, 66, 178, 202
parameter.py	15	2	87%	17, 20
select.py	109	3	97%	160–165
star.py	12	2	83%	8–9
TOTAL	3392	152	96%

Tests	Skipped	Failures	Errors	Time
303	0 💤	0 ❌	0 🔥	13.027s ⏱️

[entelligence-ai-pr-reviews]

Review Summary

🏷️ Draft Comments (2)

Skipped posting 2 draft comments that were valid but scored below your review threshold (>13/15). Feel free to update them here.

mindsdb_sql_parser/lexer.py (1)

391-412: error method splits the entire input text on every error, causing O(n) time and memory usage per error for large queries; this can severely degrade performance for large SQL scripts.

📊 Impact Scores:

• Production Impact: 3/5
• Fix Specificity: 4/5
• Urgency Impact: 2/5
• Total Score: 9/15

🤖 AI Agent Prompt (Copy & Paste Ready):

Optimize the error reporting in mindsdb_sql_parser/lexer.py, lines 391-412. The current `error` method splits the entire input text on every error, which is O(n) in time and memory and can severely degrade performance for large SQL scripts. Refactor it to only extract the relevant lines around the error position without splitting the whole text. Preserve the error message format and code context.

---

mindsdb_sql_parser/parser.py (1)

2009-2009: quote_string and dquote_string use unsafe .replace() logic for unescaping, allowing crafted input to break out of string context and potentially enable SQL injection or parser confusion.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 4/5
• Urgency Impact: 3/5
• Total Score: 11/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In mindsdb_sql_parser/parser.py, line 2009, the current `quote_string` implementation uses `.replace()` to unescape both backslash and double quote escapes, which is unsafe and can allow crafted input to break out of string context, leading to SQL injection or parser confusion. Update the code to only unescape doubled single quotes (the standard SQL escape for single-quoted strings), and do not process backslash escapes or double quote escapes. The fix should securely strip the outer single quotes and replace only doubled single quotes with a single quote. Apply this change at line 2009.

---