Escape single quotes in time-travel SQL string literals

sfc-gh-igarish · cursoragent · sfc-gh-igarish · commit e471446439dc · 2026-06-10T16:30:33.000-07:00
Address review feedback on PR #4211 from @sfc-gh-yuwang: SQL string literals embedded in the time-travel clause (``statement``, ``stream``, ``version_tag``, and the string form of ``timestamp``) were interpolated raw — a tag name like ``release_'s`` produced broken SQL and an untrusted value could close the literal and inject arbitrary text (e.g. ``x'); DROP TABLE foo; --``). Centralize escaping in a single ``_quote`` helper inside ``generate_sql_clause`` that doubles embedded ``'`` to ``''`` (Snowflake's standard string-literal escape) and apply it to all four string-valued parameters. Numeric parameters (``offset``, ``version``) need no escaping. The pattern was pre-existing for ``statement``, ``stream``, and ``timestamp``; this commit hardens those at the same time so the four parameters share one consistent escape path. Added ``test_time_travel_string_literal_escaping`` to ``tests/unit/test_utils.py`` covering all four parameters with both benign embedded quotes (``release_'s``) and an explicit injection payload, plus the typed ``TO_TIMESTAMP_NTZ`` variant. Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/src/snowflake/snowpark/_internal/utils.py b/src/snowflake/snowpark/_internal/utils.py
@@ -2099,19 +2099,37 @@ def generate_sql_clause(self) -> str:
             " AT (VERSION => 1234567890)" for Iceberg snapshot id time travel,
             or " AT (VERSION_TAG => 'release_v1')" for Iceberg tag time
             travel.
+
+        Note on escaping: string-valued parameters (``statement``,
+        ``stream``, ``version_tag``, ``timestamp``) are embedded inside
+        single-quoted SQL literals. We double any embedded ``'`` to the
+        Snowflake-standard ``''`` escape sequence before interpolation
+        so a value like ``release_'s`` produces ``'release_''s'``
+        rather than breaking SQL or opening an injection surface
+        (e.g. ``'); DROP TABLE foo; --``). Numeric parameters
+        (``offset``, ``version``) are not quoted and don't need
+        escaping.
         """
+
+        def _quote(value: str) -> str:
+            # Snowflake's SQL string-literal escape is doubled single
+            # quotes; backslashes have no special meaning in
+            # single-quoted literals here, so we don't need to escape
+            # those.
+            return "'" + str(value).replace("'", "''") + "'"
+
         clause = f" {self.time_travel_mode.upper()} "
 
         if self.statement is not None:
-            clause += f"(STATEMENT => '{self.statement}')"
+            clause += f"(STATEMENT => {_quote(self.statement)})"
         elif self.offset is not None:
             clause += f"(OFFSET => {self.offset})"
         elif self.stream is not None:
-            clause += f"(STREAM => '{self.stream}')"
+            clause += f"(STREAM => {_quote(self.stream)})"
         elif self.version is not None:
             clause += f"(VERSION => {self.version})"
         elif self.version_tag is not None:
-            clause += f"(VERSION_TAG => '{self.version_tag}')"
+            clause += f"(VERSION_TAG => {_quote(self.version_tag)})"
         elif self.timestamp is not None:
             if self.timestamp_type is not None:
                 timestamp_type = self.timestamp_type.upper()
@@ -2123,9 +2141,9 @@ def generate_sql_clause(self) -> str:
                     func_name = "TO_TIMESTAMP_TZ"
                 else:
                     func_name = "TO_TIMESTAMP"
-                clause += f"(TIMESTAMP => {func_name}('{self.timestamp}'))"
+                clause += f"(TIMESTAMP => {func_name}({_quote(self.timestamp)}))"
             else:
-                clause += f"(TIMESTAMP => '{self.timestamp}')"
+                clause += f"(TIMESTAMP => {_quote(self.timestamp)})"
 
         return clause
 
diff --git a/tests/unit/test_utils.py b/tests/unit/test_utils.py
@@ -1074,6 +1074,63 @@ def test_time_travel_version_tag():
         TimeTravelConfig.validate_and_normalize_params(version_tag="release_v1")
 
 
+def test_time_travel_string_literal_escaping():
+    """SQL literals embedded in time-travel clauses (``statement``,
+    ``stream``, ``version_tag``, string-form ``timestamp``) must
+    escape embedded single quotes by doubling them — Snowflake's
+    standard string-literal escape — so neither malicious nor
+    accidental ``'`` characters in the value can break the SQL
+    text or open an injection surface.
+
+    Pinned via this test rather than only at the call sites because
+    the four parameters share one code path (``_quote`` in
+    ``generate_sql_clause``); a regression in any one of them would
+    fail here.
+    """
+    # version_tag — the parameter introduced by this PR.
+    config = TimeTravelConfig.validate_and_normalize_params(
+        time_travel_mode="at", version_tag="release_'s"
+    )
+    assert config.generate_sql_clause() == " AT (VERSION_TAG => 'release_''s')"
+
+    # An attempted injection payload — the closing quote and the
+    # injected DROP must be fully neutralized by the doubled quotes.
+    config_injection = TimeTravelConfig.validate_and_normalize_params(
+        time_travel_mode="at", version_tag="x'); DROP TABLE foo; --"
+    )
+    assert (
+        config_injection.generate_sql_clause()
+        == " AT (VERSION_TAG => 'x''); DROP TABLE foo; --')"
+    )
+
+    # statement — same escape applies (pre-existing pattern hardened
+    # while we're here; raised in PR #4211 review).
+    stmt_config = TimeTravelConfig(time_travel_mode="AT", statement="01a' OR '1'='1")
+    assert (
+        stmt_config.generate_sql_clause() == " AT (STATEMENT => '01a'' OR ''1''=''1')"
+    )
+
+    # stream — same escape applies.
+    stream_config = TimeTravelConfig(time_travel_mode="AT", stream="my_stream'); --")
+    assert stream_config.generate_sql_clause() == " AT (STREAM => 'my_stream''); --')"
+
+    # timestamp (string form, no timestamp_type) — same escape.
+    ts_config = TimeTravelConfig(time_travel_mode="AT", timestamp="2024-01-01'); --")
+    assert ts_config.generate_sql_clause() == " AT (TIMESTAMP => '2024-01-01''); --')"
+
+    # timestamp (with typed TO_TIMESTAMP_*) — same escape inside the
+    # function-call argument.
+    ts_typed = TimeTravelConfig(
+        time_travel_mode="AT",
+        timestamp="2024-01-01'); --",
+        timestamp_type="NTZ",
+    )
+    assert (
+        ts_typed.generate_sql_clause()
+        == " AT (TIMESTAMP => TO_TIMESTAMP_NTZ('2024-01-01''); --'))"
+    )
+
+
 def test_extract_time_travel_version_tag_option():
     """Test Iceberg tag option extraction for the reader API.
 
