From 7f10f0f7664d474c1be82bf668829e3b736a3d2b Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Sun, 9 Aug 2020 09:03:17 -0700
Subject: [PATCH] Fix for security issue #918

---
 datasette/templates/query.html |  2 +-
 tests/test_canned_queries.py   | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/datasette/templates/query.html b/datasette/templates/query.html
index 0882e142..c6574f31 100644
--- a/datasette/templates/query.html
+++ b/datasette/templates/query.html
@@ -52,7 +52,7 @@
     {% endif %}
     <p>
         <button id="sql-format" type="button" hidden>Format SQL</button>
-        {% if canned_query %}<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">{% endif %}
+        {% if canned_write %}<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">{% endif %}
         <input type="submit" value="Run SQL">
     </p>
 </form>
diff --git a/tests/test_canned_queries.py b/tests/test_canned_queries.py
index 365bcdfa..9607d792 100644
--- a/tests/test_canned_queries.py
+++ b/tests/test_canned_queries.py
@@ -12,6 +12,7 @@ def canned_write_client():
             "databases": {
                 "data": {
                     "queries": {
+                        "canned_read": {"sql": "select * from names"},
                         "add_name": {
                             "sql": "insert into names (name) values (:name)",
                             "write": True,
@@ -69,6 +70,22 @@ def test_insert(canned_write_client):
     assert [["Query executed, 1 row affected", 1]] == messages
 
 
+@pytest.mark.parametrize(
+    "query_name,expect_csrf_hidden_field",
+    [("canned_read", False), ("add_name_specify_id", True), ("add_name", True),],
+)
+def test_canned_query_form_csrf_hidden_field(
+    canned_write_client, query_name, expect_csrf_hidden_field
+):
+    response = canned_write_client.get("/data/{}".format(query_name))
+    html = response.text
+    fragment = '<input type="hidden" name="csrftoken" value="'
+    if expect_csrf_hidden_field:
+        assert fragment in html
+    else:
+        assert fragment not in html
+
+
 def test_insert_with_cookies_requires_csrf(canned_write_client):
     response = canned_write_client.post(
         "/data/add_name",
@@ -148,6 +165,7 @@ def test_canned_query_permissions_on_database_page(canned_write_client):
         q["name"] for q in canned_write_client.get("/data.json").json["queries"]
     }
     assert {
+        "canned_read",
         "add_name",
         "add_name_specify_id",
         "update_name",
@@ -164,6 +182,7 @@ def test_canned_query_permissions_on_database_page(canned_write_client):
     assert [
         {"name": "add_name", "private": False},
         {"name": "add_name_specify_id", "private": False},
+        {"name": "canned_read", "private": False},
         {"name": "delete_name", "private": True},
         {"name": "from_async_hook", "private": False},
         {"name": "from_hook", "private": False},