Better comment handling in SQL regex, refs #1860

2025-12-10 16:51:24 +01:00 · 2022-10-27 11:47:41 -07:00 · 2022-10-27 11:47:41 -07:00 · 5f6be3c48b
commit 5f6be3c48b
parent f6ca86987b
2 changed files with 6 additions and 4 deletions
--- a/datasette/utils/init.py
+++ b/datasette/utils/init.py
@ -208,16 +208,16 @@ class InvalidSql(Exception):
 # Allow SQL to start with a /* */ or -- comment
 comment_re = (
    # Start of string, then any amount of whitespace
-    r"^(\s*"
+    r"^\s*("
    +
    # Comment that starts with -- and ends at a newline
    r"(?:\-\-.*?\n\s*)"
    +
-    # Comment that starts with /* and ends with */
-    r"|(?:/\*[\s\S]*?\*/)"
+    # Comment that starts with /* and ends with */ - but does not have */ in it
+    r"|(?:\/\*((?!\*\/)[\s\S])*\*\/)"
    +
    # Whitespace
-    r")*\s*"
+    r"\s*)*\s*"
 )

 allowed_sql_res = [
@ -228,6 +228,7 @@ allowed_sql_res = [
    re.compile(comment_re + r"explain\s+with\b"),
    re.compile(comment_re + r"explain\s+query\s+plan\s+with\b"),
 ]
+
 allowed_pragmas = (
    "database_list",
    "foreign_key_list",
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -142,6 +142,7 @@ def test_custom_json_encoder(obj, expected):
        "PRAGMA case_sensitive_like = true",
        "SELECT * FROM pragma_not_on_allow_list('idx52')",
        "/* This comment is not valid. select 1",
+        "/**/\nupdate foo set bar = 1\n/* test */ select 1",
    ],
 )
 def test_validate_sql_select_bad(bad_sql):