[Bug] Driver error: query parameters are not supported by this server #184

csm-kb opened this issue Dec 22, 2023 · 5 comments
csm-kb commented Dec 22, 2023

Hey team, Databricks customer here! (related internal Help ticket 00404964)


Context

  • We use this library to provide access to our data core to our API, for serving customers ETL'd data objects -- via a serverless SQL instance.

We originally implemented the SQL query writes using substitutes like so (this is not real code, very simplified):

```go
import (
  "database/sql"
  "fmt"
  dbsql "github.com/databricks/databricks-sql-go"
)

// Build the connector from our config (token, host, port, HTTP path)
connector, err := dbsql.NewConnector(
  dbsql.WithAccessToken(config.DatabricksToken),
  dbsql.WithServerHostname(config.DatabricksHost),
  dbsql.WithPort(port),
  dbsql.WithHTTPPath(config.DatabricksHttpPath),
)
// ...
db := sql.OpenDB(connector)

// ...
// Query text assembled by string formatting: ids and timestamp are spliced straight into the SQL
query := fmt.Sprintf("select * from table where obj_id in (%s) and timestamp > %s", ids, timestamp)
res, err := db.Query(query)
```

But this is very bad practice when ids or timestamp are user-provided via GET query parameters (/objects?id=x&id=y).

Even with initial sanitization and validation of the params, it is still a SQL injection vulnerability by static analysis (CWE-89) -- so we need to mitigate that by using the official Go database/sql library's recommendation to use a parameterized SQL query:

```go
queryParams := []interface{}{
  ids,
  timestamp,
}
query := "select * from table where obj_id in (?) and timestamp > ?"
res, err := db.Query(query, queryParams...)
```

Issue

But, when we try to execute this parameterized query, we receive the following error:

driver error: query parameters are not supported by this server

... which isn't a good thing if we want to query our warehouse directly from the API while mitigating SQL injection.

I haven't taken the time to look, but I do not know if this is a package issue or a SQL Warehouse issue.


Notes

  • If this is in fact supported by the driver implemented here, then at least this issue will be a historical reminder that it is -- and I'm hoping I can get this in front of whoever owns the SQL Warehouse implementation!
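As an added example (not code from the issue author or from the databricks-sql-go project), the following shows the two defensive pieces the post is reaching for: building the parameterized form of the query with one `?` per id (database/sql does not expand a slice bound to a single `?`), and a fallback for a warehouse that rejects bound parameters, where only strictly parsed and re-serialised values ever reach the SQL text. The table and column names are taken from the post; the function names, the RFC 3339 timestamp format and the assumption that `obj_id` is an integer column are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ObjectQuery is the SQL text plus the bound arguments handed to db.Query.
type ObjectQuery struct {
	SQL  string
	Args []any
}

// BuildObjectQuery turns raw GET parameters (/objects?id=x&id=y&since=...)
// into a parameterized query. Each id gets its own "?" placeholder because
// database/sql does not expand a slice bound to one "?". Values are parsed
// into typed Go values first, so malformed input is rejected before any SQL
// is built. (Assumed helper; obj_id is assumed to be an integer column.)
func BuildObjectQuery(rawIDs []string, rawSince string) (ObjectQuery, error) {
	if len(rawIDs) == 0 {
		return ObjectQuery{}, errors.New("at least one id is required")
	}
	args := make([]any, 0, len(rawIDs)+1)
	placeholders := make([]string, 0, len(rawIDs))
	for _, raw := range rawIDs {
		id, err := strconv.ParseInt(raw, 10, 64)
		if err != nil {
			return ObjectQuery{}, fmt.Errorf("invalid id %q: %w", raw, err)
		}
		args = append(args, id)
		placeholders = append(placeholders, "?")
	}
	since, err := time.Parse(time.RFC3339, rawSince)
	if err != nil {
		return ObjectQuery{}, fmt.Errorf("invalid timestamp %q: %w", rawSince, err)
	}
	args = append(args, since)
	sqlText := fmt.Sprintf("select * from table where obj_id in (%s) and timestamp > ?",
		strings.Join(placeholders, ", "))
	return ObjectQuery{SQL: sqlText, Args: args}, nil
}

// BuildLiteralObjectQuery is the fallback for a server that reports
// "query parameters are not supported": the same strict parsing runs first,
// and only the canonical re-serialised int64 and time values (never the raw
// request strings) are interpolated, so no user-controlled bytes reach the SQL.
func BuildLiteralObjectQuery(rawIDs []string, rawSince string) (string, error) {
	q, err := BuildObjectQuery(rawIDs, rawSince)
	if err != nil {
		return "", err
	}
	last := len(q.Args) - 1
	idLits := make([]string, 0, last)
	for _, a := range q.Args[:last] {
		idLits = append(idLits, strconv.FormatInt(a.(int64), 10))
	}
	ts := q.Args[last].(time.Time).UTC().Format("2006-01-02 15:04:05")
	return fmt.Sprintf("select * from table where obj_id in (%s) and timestamp > '%s'",
		strings.Join(idLits, ", "), ts), nil
}

func main() {
	// Constructed sample request values, standing in for parsed GET parameters.
	ids := []string{"7", "42"}
	since := "2024-01-01T00:00:00Z"

	q, err := BuildObjectQuery(ids, since)
	if err != nil {
		panic(err)
	}
	fmt.Println(q.SQL, q.Args) // pass as db.Query(q.SQL, q.Args...)

	lit, err := BuildLiteralObjectQuery(ids, since)
	if err != nil {
		panic(err)
	}
	fmt.Println(lit)

	// A non-numeric id is rejected before any SQL text exists.
	if _, err := BuildObjectQuery([]string{"abc"}, since); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The parameterized form is what to ship once the warehouse accepts bound parameters; the literal form is the interim mitigation for the error in this issue, and it is only safe because every value is re-serialised from a typed Go value rather than copied from the request.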
@susodapop (Contributor)

Thanks for opening this issue. I think this is a mirror of this one on the NodeJS connector and the resolution is the same. We'll have a PR fixing it soon.

nv-josh commented Apr 12, 2024

Any update on this? I just discovered this is still an issue in my own code.

@kravets-levko (Collaborator)

@nv-josh which DBR version do you use? Query parameters depend on server support, so IIRC you need DBR 14.1 or newer to use them

csm-kb commented Apr 12, 2024

@nv-josh I worked internally w/ DB support to validate this issue went away with the preview of Serverless SQL 2024.10, you should check the same!

nv-josh commented Apr 16, 2024

Ah thank you for the responses. I'll follow up with my teams here.

No branches or pull requests

4 participants