Yuvipanda has uploaded a new change for review.
https://gerrit.wikimedia.org/r/153620
Change subject: Move check_sql into QueryRevision model
......................................................................
Move check_sql into QueryRevision model
Change-Id: I906f7be476ab6ec8d3815f2ab8e8736c2f61ad68
---
M quarry/web/models/queryrevision.py
D quarry/web/sqlactions.py
M quarry/web/worker.py
3 files changed, 17 insertions(+), 14 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/analytics/quarry/web
refs/changes/20/153620/1
diff --git a/quarry/web/models/queryrevision.py
b/quarry/web/models/queryrevision.py
index 599223e..4af4415 100644
--- a/quarry/web/models/queryrevision.py
+++ b/quarry/web/models/queryrevision.py
@@ -14,6 +14,22 @@
runs = relationship('QueryRun', lazy='dynamic', backref='rev')
+ def is_allowed(self):
+ """Check if given SQL is ok to execute.
+ Super minimal and stupid right now, and should never
+ be considered 'authoritative'. Will probably always be
+ easily cirumventible by dedicated trolls, but should keep
+ the merely clueless out
+
+ returns tuple of (actual_reason, public_reason_string)
+ """
+ if 'information_schema' in self.text.lower():
+ # According to springle hitting this db can fuck
+ # things up for everyone, and it isn't easy to
+ # restrict access to this from mysql
+ return ("Hitting information_schema", "Unauthorized access to
restricted database")
+ return True
+
class QueryRevisionRepository:
def __init__(self, session):
diff --git a/quarry/web/sqlactions.py b/quarry/web/sqlactions.py
deleted file mode 100644
index 0f05182..0000000
--- a/quarry/web/sqlactions.py
+++ /dev/null
@@ -1,12 +0,0 @@
-def check_sql(sql):
- """Check if given SQL is ok to execute.
- Super minimal and stupid right now, and should never
- be considered 'authoritative'. Will probably always be
- easily cirumventible by dedicated trolls, but should keep
- the merely clueless out"""
- if 'information_schema' in sql.lower():
- # According to springle hitting this db can fuck
- # things up for everyone, and it isn't easy to
- # restrict access to this from mysql
- return ("Hitting information_schema", "Unauthorized access to
restricted database")
- return True
diff --git a/quarry/web/worker.py b/quarry/web/worker.py
index d5590ba..1f6c112 100644
--- a/quarry/web/worker.py
+++ b/quarry/web/worker.py
@@ -1,7 +1,6 @@
import pymysql
from celery.exceptions import SoftTimeLimitExceeded
from celery.utils.log import get_task_logger
-from sqlactions import check_sql
from models.queryrun import QueryRunRepository, QueryRun
from models.queryresult import QuerySuccessResult, QueryErrorResult,
QueryKilledResult
from celery import Celery
@@ -81,7 +80,7 @@
qrun = query_run_repository.get_by_id(query_run_id)
qrun.status = QueryRun.STATUS_RUNNING
query_run_repository.save(qrun)
- check_result = check_sql(qrun.augmented_sql)
+ check_result = qrun.rev.is_allowed()
if check_result is not True:
celery_log.info("Check result for qrun:%s failed, with message:
%s", qrun.id, check_result[0])
raise pymysql.DatabaseError(0, check_result[1])
--
To view, visit https://gerrit.wikimedia.org/r/153620
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I906f7be476ab6ec8d3815f2ab8e8736c2f61ad68
Gerrit-PatchSet: 1
Gerrit-Project: analytics/quarry/web
Gerrit-Branch: master
Gerrit-Owner: Yuvipanda <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
