[I] panic on EXEC() / EXECUTE() with no name: Option::unwrap() on None in statement.rs [datafusion]

[via GitHub]

Dandandan opened a new issue, #22197:
URL: https://github.com/apache/datafusion/issues/22197

   ### Describe the bug
   
   `EXEC()` and `EXECUTE()` with no statement name parse successfully via 
sqlparser-rs but panic in the DataFusion planner on `Option::unwrap()`.
   
   ### To Reproduce
   
   ```rust
   use datafusion::prelude::SessionContext;
   
   #[tokio::main]
   async fn main() {
       let ctx = SessionContext::new();
       let _ = ctx.sql("EXEC()").await;
   }
   ```
   
   Panic:
   
   ```
   thread 'main' panicked at datafusion/sql/src/statement.rs:896:55:
   called `Option::unwrap()` on a `None` value
   ```
   
   All of these panic:
   - `EXEC()`
   - `EXEC('')`
   - `EXEC('any-string')`
   - `EXECUTE()`
   - `EXEC ('a')`
   
   These are correctly handled (no panic):
   - `EXEC` (no parens — sqlparser rejects it)
   - `EXECUTE foo` (with a name)
   
   ### Expected behavior
   
   Return a `plan_err!` such as "EXECUTE statement requires a name" instead of 
panicking. The public SQL API should never panic on user-supplied SQL.
   
   ### Root cause
   
   
[`datafusion/sql/src/statement.rs`](https://github.com/apache/datafusion/blob/main/datafusion/sql/src/statement.rs),
 around line 896:
   
   ```rust
   Statement::Execute {
       name,         // Option<ObjectName> — None when SQL is `EXEC()` or 
`EXECUTE()`
       parameters,
       ...
   } => {
       ...
       Ok(LogicalPlan::Statement(PlanStatement::Execute(Execute {
           name: object_name_to_string(&name.unwrap()),   // ← panics when name 
is None
           parameters,
       })))
   }
   ```
   
   sqlparser-rs accepts T-SQL-style `EXEC(<dynamic-sql>)` where the name is 
absent. The DataFusion planner does not handle that branch and unwraps 
unconditionally.
   
   ### Suggested fix
   
   ```rust
   let name = name.ok_or_else(|| {
       plan_datafusion_err!("EXECUTE statement requires a name")
   })?;
   ...
   Ok(LogicalPlan::Statement(PlanStatement::Execute(Execute {
       name: object_name_to_string(&name),
       parameters,
   })))
   ```
   
   ### Additional context
   
   Found while investigating user input `EXEC('Wto')` after a separate fuzzing 
session that already produced #22184, #22185, #22187, #22188, #22193, #22194.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org
For additional commands, e-mail: github-h...@datafusion.apache.org