Commit e471446
Escape single quotes in time-travel SQL string literals
Address review feedback on PR #4211 from @sfc-gh-yuwang:
SQL string literals embedded in the time-travel clause (``statement``,
``stream``, ``version_tag``, and the string form of ``timestamp``) were
interpolated raw — a tag name like ``release_'s`` produced broken SQL
and an untrusted value could close the literal and inject arbitrary
text (e.g. ``x'); DROP TABLE foo; --``).
Centralize escaping in a single ``_quote`` helper inside
``generate_sql_clause`` that doubles embedded ``'`` to ``''``
(Snowflake's standard string-literal escape) and apply it to all four
string-valued parameters. Numeric parameters (``offset``, ``version``)
need no escaping.
The pattern was pre-existing for ``statement``, ``stream``, and
``timestamp``; this commit hardens those at the same time so the four
parameters share one consistent escape path.
Added ``test_time_travel_string_literal_escaping`` to
``tests/unit/test_utils.py`` covering all four parameters with both
benign embedded quotes (``release_'s``) and an explicit injection
payload, plus the typed ``TO_TIMESTAMP_NTZ`` variant.
Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent a766590 commit e471446
2 files changed
Lines changed: 80 additions & 5 deletions
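As an added worked example (not code from this commit or the project), the Python below puts the pre-fix raw interpolation beside a `_quote` helper that doubles single quotes, routed through a `generate_sql_clause`-style builder modelled on the parameter names the commit message lists. The `VERSION_TAG =>` keyword emitted for `version_tag` and the `timestamp_type` argument used for the `TO_TIMESTAMP_NTZ` form are assumptions of the example. A small scanner that follows Snowflake's string-constant rules returns whatever would be parsed outside quoted literals, which is how the message's injection payload is shown to leak. One caveat the commit does not mention: Snowflake single-quoted constants also honour backslash escapes, so a value ending in `\` followed by SQL defeats quote-only doubling; `_quote` here therefore escapes backslashes as well, and the quote-only variant is kept so the difference can be seen.

```python
"""Added example: escaping Snowflake time-travel string literals.

Hypothetical helpers modelled on the commit message, not project code.
The VERSION_TAG keyword and the timestamp_type argument are assumptions.
"""
from typing import Callable, Optional, Union


def raw_literal(value: str) -> str:
    """Pre-fix behaviour: interpolate the value into '...' with no escaping."""
    return f"'{value}'"


def quote_quotes_only(value: str) -> str:
    """The escape the commit describes: double every embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def _quote(value: str) -> str:
    """Hardened variant (caveat added here, not in the commit): Snowflake
    constants also honour backslash escapes, so a trailing backslash would
    swallow the doubled closing quote.  Escape backslashes first, then quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def generate_sql_clause(
    mode: str = "AT",
    *,
    statement: Optional[str] = None,
    stream: Optional[str] = None,
    timestamp: Optional[str] = None,
    timestamp_type: Optional[str] = None,  # e.g. "NTZ" -> TO_TIMESTAMP_NTZ('...')
    version_tag: Optional[str] = None,
    offset: Optional[Union[int, str]] = None,
    version: Optional[Union[int, str]] = None,
    quote: Callable[[str], str] = _quote,
) -> str:
    """Build AT(...) / BEFORE(...) with exactly one time-travel parameter.
    All string parameters share one `quote` path; numeric ones are coerced
    with int(), which rejects anything that is not a number."""
    if mode not in ("AT", "BEFORE"):
        raise ValueError("mode must be AT or BEFORE")
    parts = []
    if statement is not None:
        parts.append(f"STATEMENT => {quote(statement)}")
    if stream is not None:
        parts.append(f"STREAM => {quote(stream)}")
    if timestamp is not None:
        literal = quote(str(timestamp))
        if timestamp_type:
            literal = f"TO_TIMESTAMP_{timestamp_type}({literal})"
        parts.append(f"TIMESTAMP => {literal}")
    if version_tag is not None:
        parts.append(f"VERSION_TAG => {quote(version_tag)}")  # keyword assumed
    if offset is not None:
        parts.append(f"OFFSET => {int(offset)}")
    if version is not None:
        parts.append(f"VERSION => {int(version)}")
    if len(parts) != 1:
        raise ValueError("exactly one time-travel parameter is required")
    return f"{mode}({parts[0]})"


def outside_literals(sql: str) -> str:
    """Characters of `sql` that Snowflake parses outside single-quoted
    literals ('' and \\' both continue a literal).  Attacker text appearing
    here means the literal was closed early."""
    out, i, n, in_literal = [], 0, len(sql), False
    while i < n:
        ch = sql[i]
        if in_literal:
            if ch == "\\" and i + 1 < n:
                i += 2  # backslash escapes the next character
                continue
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2  # doubled quote stays inside the literal
                    continue
                in_literal = False
            i += 1
            continue
        if ch == "'":
            in_literal = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def rejects(**kwargs) -> bool:
    """True if generate_sql_clause refuses the arguments with ValueError."""
    try:
        generate_sql_clause(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x'); DROP TABLE foo; --"      # constructed, from the commit message
    bs_payload = "x\\'); DROP TABLE foo; --"  # constructed: backslash bypass
    for q in (raw_literal, quote_quotes_only, _quote):
        for p in (payload, bs_payload):
            sql = generate_sql_clause(statement=p, quote=q)
            print(f"{q.__name__:18} outside literal: {outside_literals(sql)!r}")
```

Run it to see that the quote-only escape stops the message's payload but not the backslash variant, while the builder's `int()` coercion is what keeps `offset` and `version` safe without quoting.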
[First of the two changed files: diff text not captured in this extraction. 23 lines added (2102-2111, 2113-2120, 2124, 2128, 2132, 2144, 2146) and 5 removed (2106, 2110, 2114, 2126, 2128).]
[Second of the two changed files: diff text not captured in this extraction. 57 lines added (1077-1133), none removed.]
0 commit comments