Allow specific pragma functions, closes #761

2025-12-10 16:51:24 +01:00 · 2020-05-06 10:18:31 -07:00 · 2020-05-06 10:18:31 -07:00 · 0784f2ef9d
commit 0784f2ef9d
parent 9212f0c9c3
2 changed files with 24 additions and 2 deletions
--- a/datasette/utils/init.py
+++ b/datasette/utils/init.py
@ -171,7 +171,26 @@ allowed_sql_res = [
    re.compile(r"^explain with\b"),
    re.compile(r"^explain query plan with\b"),
 ]
-disallawed_sql_res = [(re.compile("pragma"), "Statement may not contain PRAGMA")]
+allowed_pragmas = (
+    "database_list",
+    "foreign_key_list",
+    "function_list",
+    "index_info",
+    "index_list",
+    "index_xinfo",
+    "page_count",
+    "max_page_count",
+    "page_size",
+    "schema_version",
+    "table_info",
+    "table_xinfo",
+)
+disallawed_sql_res = [
+    (
+        re.compile("pragma(?!_({}))".format("|".join(allowed_pragmas))),
+        "Statement may not contain PRAGMA",
+    )
+]


 def validate_sql_select(sql):