[feature] Add support for adhoc filters. (#103) #154
base: master
Conversation
@jbonofre pinging you since you're the one person I've seen accepting PRs.
Hello @Olian04 !
`SELECT "TABLE_NAME" FROM INFORMATION_SCHEMA.COLUMNS WHERE "TABLE_SCHEMA" = 'druid' AND "COLUMN_NAME" = '${options.key}'` | ||
) | ||
).map((it) => it.value); | ||
|
||
const completions = ( | ||
await Promise.all( | ||
tableNames.map(async (tableName) => | ||
this._postSqlQuery( | ||
this.settingsData.adhoc?.shouldNotLimitAutocompleteValue | ||
? `SELECT DISTINCT "${options.key}" FROM ${tableName}` | ||
: `SELECT "${options.key}" FROM ${tableName} GROUP BY "${options.key}" ORDER BY COUNT("${options.key}") DESC LIMIT 1000` |
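Review bot: `options.key` reaches the SQL text unescaped twice, once as a string literal (`'${options.key}'` in the INFORMATION_SCHEMA lookup) and once as a quoted identifier (`"${options.key}"` in the per-table query), and `tableName` is spliced in unquoted. The literal should be bound as a query parameter rather than templated, and the identifiers should be quoted with any embedded double quote doubled, or rejected unless they match a name already returned by INFORMATION_SCHEMA, so a key containing `"` or `'` cannot change the shape of the query.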
Just text templating in values into SQL queries leaves them vulnerable to SQL injections attacks. Prepared statements ought to be preferred if at all possible, even if there are attempts to sanitise the templated values elsewhere.
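One way to build these two autocomplete queries without templating user input into the SQL text, as an added example that is not the PR's code. It assumes (none of this is taken from the PR) that the Druid SQL endpoint accepts a JSON body with a `query` string and a `parameters` array of `{type, value}` objects bound to `?` placeholders, that result rows come back as objects keyed by column name (`TABLE_NAME`), and that the plugin's `_postSqlQuery` would be handed the returned request bodies. Identifiers cannot be bound as parameters, so they are quoted with embedded double quotes doubled and are only used after INFORMATION_SCHEMA has reported them.

```javascript
// Added example, not code from the druid-grafana PR.
// Assumptions: Druid SQL accepts {query, parameters:[{type,value}]} with "?" placeholders;
// INFORMATION_SCHEMA rows are objects with a TABLE_NAME field.

// Quote a SQL identifier: wrap in double quotes and double any embedded double quote,
// so a column name like a"b becomes "a""b" and cannot terminate the identifier early.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new Error('identifier must be a non-empty string');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// First query: which tables contain the requested column?
// Here the column name is compared as a VALUE against COLUMN_NAME, so it is bound as a
// VARCHAR parameter and never appears inside the SQL text at all.
function buildTableLookup(columnName) {
  return {
    query:
      'SELECT "TABLE_NAME" FROM INFORMATION_SCHEMA.COLUMNS ' +
      'WHERE "TABLE_SCHEMA" = ? AND "COLUMN_NAME" = ?',
    parameters: [
      { type: 'VARCHAR', value: 'druid' },
      { type: 'VARCHAR', value: columnName },
    ],
  };
}

// Second query, one per table: the distinct values of the column.
// The column and table names are IDENTIFIERS, which cannot be parameterised; they are
// quoted with quoteIdentifier and only used for tables INFORMATION_SCHEMA reported.
function buildValueQuery(columnName, tableName, limitValues) {
  const col = quoteIdentifier(columnName);
  const tbl = quoteIdentifier(tableName);
  if (!limitValues) {
    return { query: `SELECT DISTINCT ${col} FROM ${tbl}`, parameters: [] };
  }
  // LIMIT 1000 is a constant chosen by the plugin, not user input, so it stays literal.
  return {
    query: `SELECT ${col} FROM ${tbl} GROUP BY ${col} ORDER BY COUNT(${col}) DESC LIMIT 1000`,
    parameters: [],
  };
}

// Turn the rows returned by buildTableLookup into the per-table request bodies.
// An empty row set means the column does not exist in any table, so nothing is queried:
// the column name is only ever used as an identifier after Druid confirmed it exists.
function planAdhocValueQueries(columnName, tableRows, limitValues) {
  return tableRows
    .map((row) => row.TABLE_NAME)
    .filter((t) => typeof t === 'string' && t.length > 0)
    .map((tableName) => buildValueQuery(columnName, tableName, limitValues));
}

// Constructed sample: the INFORMATION_SCHEMA response a Druid cluster might return.
const sampleRows = [{ TABLE_NAME: 'wikipedia' }, { TABLE_NAME: 'events' }];
const samplePlan = planAdhocValueQueries('channel', sampleRows, true);
console.log(JSON.stringify(buildTableLookup('channel')));
console.log(samplePlan.map((p) => p.query).join('\n'));

module.exports = { quoteIdentifier, buildTableLookup, buildValueQuery, planAdhocValueQueries };
```

The design point is the split between values and identifiers: the only place the column name is a value (the INFORMATION_SCHEMA filter) is the only place it is bound as a parameter, and everywhere it is an identifier it has already been confirmed to exist and is quoted. That is the same shape the reviewer is asking for, with the identifier quoting acting as the fallback where prepared statements cannot help.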
...templatedQuery, | ||
builder: { | ||
...templatedQuery.builder, | ||
query: SQL.stringify(query), |
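Review bot: the safety of `query: SQL.stringify(query)` is not established by this hunk; it rests entirely on how `SQL.stringify` serialises the adhoc filter values and column names it is given. Please add a unit test that passes a filter value containing a single quote and a column name containing a double quote through `SQL.stringify` and asserts that both come out escaped (or rejected), and state in the PR description whether values are emitted as escaped literals or spliced into the text.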
Do we know that this stringification is safe and can't lead to possible SQL injection attacks?
this._postSqlQuery( | ||
this.settingsData.adhoc?.shouldNotLimitAutocompleteValue | ||
? `SELECT DISTINCT "${options.key}" FROM ${tableName}` | ||
: `SELECT "${options.key}" FROM ${tableName} GROUP BY "${options.key}" ORDER BY COUNT("${options.key}") DESC LIMIT 1000` |
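Review bot: the `LIMIT 1000` only applies on the `GROUP BY` branch; when `shouldNotLimitAutocompleteValue` is set, the `SELECT DISTINCT` branch runs unbounded against every table that has the column, so a high-cardinality column makes Druid compute and return the full distinct set for each table. Consider keeping a larger, configurable limit on that branch as well (or a query timeout) so that a single autocomplete request cannot tie up Druid or the browser.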
I appreciate the effort to limit the number of items the UI has to render, it would also be nice to limit the amount of data Druid has to work through.
What are the next steps required to merge this PR? Do we need to address all the comments from @MrLarssonJr ? I would like to get feedback from @jbguerraz
Any update here?
This PR resolves issue #103 by adding support for adhoc filters to both SQL queries and Native queries.
This PR implements support for adhoc filters for the following query types:
As per the Druid documentation, this PR does NOT implement adhoc filters for the following query types: