allow_sql config option to disable custom SQL, closes #284

2025-12-10 16:51:24 +01:00 · 2018-05-24 22:50:50 -07:00 · 2018-05-24 22:50:50 -07:00 · f722b0a730
commit f722b0a730
parent 50920cfe3d
7 changed files with 53 additions and 7 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -80,6 +80,9 @@ CONFIG_OPTIONS = (
    ConfigOption("suggest_facets", True, """
        Calculate and display suggested facets
    """.strip()),
+    ConfigOption("allow_sql", True, """
+        Allow arbitrary SQL queries via ?sql= parameter
+    """.strip()),
 )
 DEFAULT_CONFIG = {
    option.name: option.default
--- a/datasette/templates/database.html
+++ b/datasette/templates/database.html
@ -16,11 +16,13 @@

 {% block description_source_license %}{% include "_description_source_license.html" %}{% endblock %}

-<form class="sql" action="/{{ database }}-{{ database_hash }}" method="get">
-    <h3>Custom SQL query</h3>
-    <p><textarea name="sql">select * from {{ tables[0].name|escape_sqlite }}</textarea></p>
-    <p><input type="submit" value="Run SQL"></p>
-</form>
+{% if config.allow_sql %}
+    <form class="sql" action="/{{ database }}-{{ database_hash }}" method="get">
+        <h3>Custom SQL query</h3>
+        <p><textarea name="sql">select * from {{ tables[0].name|escape_sqlite }}</textarea></p>
+        <p><input type="submit" value="Run SQL"></p>
+    </form>
+{% endif %}

 {% for table in tables %}
 {% if show_hidden or not table.hidden %}
--- a/datasette/templates/query.html
+++ b/datasette/templates/query.html
@ -25,7 +25,7 @@

 <form class="sql" action="/{{ database }}-{{ database_hash }}{% if canned_query %}/{{ canned_query }}{% endif %}" method="get">
    <h3>Custom SQL query{% if rows %} returning {% if truncated %}more than {% endif %}{{ "{:,}".format(rows|length) }} row{% if rows|length == 1 %}{% else %}s{% endif %}{% endif %}</h3>
-    {% if editable %}
+    {% if editable and config.allow_sql %}
        <p><textarea name="sql">{% if query and query.sql %}{{ query.sql }}{% else %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}</textarea></p>
    {% else %}
        <pre>{% if query %}{{ query.sql }}{% endif %}</pre>
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -11,6 +11,8 @@ class DatabaseView(BaseView):

    async def data(self, request, name, hash):
        if request.args.get("sql"):
+            if not self.ds.config["allow_sql"]:
+                raise DatasetteError("sql= is not allowed", status=400)
            sql = request.raw_args.pop("sql")
            validate_sql_select(sql)
            return await self.custom_sql(request, name, hash, sql)