sha174n opened a new pull request, #40421: URL: https://github.com/apache/superset/pull/40421
## Summary Broadens read-only-mode coverage in the SQL Lab parser. `is_mutating()` and `check_functions_present()` in `superset/sql/parse.py` previously missed several construct shapes that share a meta cause: AST nodes that are not subclasses of the expected types, opaque `exp.Command` nodes for PostgreSQL constructs that sqlglot cannot fully structure, and function-name patterns that mutate server-side state without a wrapping DML node. Scope of this change: 1. **PostgreSQL opaque `exp.Command` constructs.** `is_mutating()` now classifies these as mutating alongside the existing `DO` and `EXPLAIN ANALYZE` handling: `PREPARE`, `EXECUTE`, `CALL`, `COPY`, `GRANT`, `REVOKE`, `SET`, `REFRESH`, `REINDEX`, `VACUUM`. 2. **Structured nodes added to the mutating-node tuple.** Some dialects parse `COPY` / `GRANT` / `REVOKE` into `exp.Copy` / `exp.Grant` / `exp.Revoke` instead of `exp.Command`, so node-type matching is needed alongside the command-name check. 3. **PostgreSQL large-object writers classified as mutating by function name.** `lo_from_bytea`, `lo_export`, `lo_import`, `lo_put`, `lo_create`, `lowrite` appear as plain function calls inside an `exp.Select` wrapper with no enclosing mutating AST node. `is_mutating()` now matches on function name. The full `lo_*` family (writers and readers) is also added to the PostgreSQL entry in `DISALLOWED_SQL_FUNCTIONS` for defense in depth. 4. **`SELECT ... INTO new_table FROM ...`** (PostgreSQL CTAS variant). Parses as `exp.Select` with an `into` arg; now treated as mutating since it creates a new relation. 5. **MySQL `@@<name>` session parameters.** `check_functions_present()` now walks `exp.SessionParameter` so that denylist entries like `version` or `hostname` match `SELECT @@version` / `SELECT @@hostname`. `exp.SessionParameter` is not a subclass of `exp.Func`, so the existing walk skipped it. ## Test plan - [x] `pytest tests/unit_tests/sql/parse_tests.py` (562 pass, no regressions) - [x] `pytest tests/unit_tests/sql/execution/ tests/unit_tests/sql_lab_test.py` (117 pass, no regressions) - [x] `pre-commit run` clean New parametrized cases in `tests/unit_tests/sql/parse_tests.py`: - `test_is_mutating_postgres_function_and_select_into` — `lo_*` writers, `lo_*` readers (negative, blocked separately via denylist), case-insensitivity, `SELECT INTO`. - `test_is_mutating_postgres_command_constructs` — `PREPARE`/`EXECUTE`/`CALL`/`COPY`/`GRANT`/`REVOKE`/`SET`/`REFRESH`/`REINDEX`/`VACUUM`, with pre-existing `DO` and `EXPLAIN ANALYZE` controls included. - `test_check_functions_present_session_parameter` — MySQL `@@version`/`@@hostname` etc.; `lo_*` defense-in-depth via denylist. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
