Allow WITH query (previously we required SELECT at start)

Fixes #161
2025-12-10 16:51:24 +01:00 · 2017-12-03 20:51:31 -08:00 · 2017-12-03 20:51:31 -08:00 · 0cfd7ce59d
commit 0cfd7ce59d
parent e981ac7d4d
3 changed files with 18 additions and 6 deletions
--- a/datasette/utils.py
+++ b/datasette/utils.py
@ -70,12 +70,22 @@ class InvalidSql(Exception):
    pass


+allowed_sql_res = [
+    re.compile(r'^select\b'),
+    re.compile(r'^with\b'),
+]
+disallawed_sql_res = [
+    (re.compile('pragma'), 'Statement may not contain PRAGMA'),
+]
+
+
 def validate_sql_select(sql):
    sql = sql.strip().lower()
-    if not sql.startswith('select '):
-        raise InvalidSql('Statement must begin with SELECT')
-    if 'pragma' in sql:
-        raise InvalidSql('Statement may not contain PRAGMA')
+    if not any(r.match(sql) for r in allowed_sql_res):
+        raise InvalidSql('Statement must be a SELECT')
+    for r, msg in disallawed_sql_res:
+        if r.search(sql):
+            raise InvalidSql(msg)


 def path_with_added_args(request, args):