Add compatability for ; in sqlalchemy,psycopg2 & django (#123)

Thiyagu55 · web-flow · commit 6369b16b4119 · 2022-05-13T19:18:30.000+05:30
This PR fixes a zero day issue where comments are added after the end of SQL statement i.e. after `;`.  This will create no or wrong association of the comment wrt the SQL statement.
We previously fixed it for psycopg2 only, but this CL reactors the code and fixes the issue for sqlalchemy and as a precaution was added to django also.
diff --git a/python/sqlcommenter-python/google/cloud/sqlcommenter/__init__.py b/python/sqlcommenter-python/google/cloud/sqlcommenter/__init__.py
@@ -36,12 +36,23 @@ def generate_sql_comment(**meta):
 
     # Sort the keywords to ensure that caching works and that testing is
     # deterministic. It eases visual inspection as well.
+
     return ' /*' + KEY_VALUE_DELIMITER.join(
         '{}={!r}'.format(url_quote(key), url_quote(value)) for key, value in sorted(meta.items())
         if value is not None
     ) + '*/'
 
 
+def add_sql_comment(sql, **meta):
+    comment = generate_sql_comment(**meta)
+    sql = sql.rstrip()
+    if sql[-1] == ';':
+        sql = sql[:-1] + comment + ';'
+    else:
+        sql = sql + comment
+    return sql
+
+
 def url_quote(s):
     if not isinstance(s, (str, bytes)):
         return s
diff --git a/python/sqlcommenter-python/google/cloud/sqlcommenter/django/middleware.py b/python/sqlcommenter-python/google/cloud/sqlcommenter/django/middleware.py
@@ -19,7 +19,7 @@
 import django
 from django.db import connection
 from django.db.backends.utils import CursorDebugWrapper
-from google.cloud.sqlcommenter import generate_sql_comment
+from google.cloud.sqlcommenter import add_sql_comment
 from google.cloud.sqlcommenter.opencensus import get_opencensus_values
 from google.cloud.sqlcommenter.opentelemetry import get_opentelemetry_values
 
@@ -62,7 +62,8 @@ def __call__(self, execute, sql, params, many, context):
         db_driver = context['connection'].settings_dict.get('ENGINE', '')
         resolver_match = self.request.resolver_match
 
-        sql_comment = generate_sql_comment(
+        sql = add_sql_comment(
+            sql,
             # Information about the controller.
             controller=resolver_match.view_name if resolver_match and with_controller else None,
             # route is the pattern that matched a request with a controller i.e. the regex
@@ -85,7 +86,6 @@ def __call__(self, execute, sql, params, many, context):
         # See:
         #  * https://github.com/basecamp/marginalia/issues/61
         #  * https://github.com/basecamp/marginalia/pull/80
-        sql += sql_comment
 
         # Add the query to the query log if debugging.
         if context['cursor'].__class__ is CursorDebugWrapper:
diff --git a/python/sqlcommenter-python/google/cloud/sqlcommenter/psycopg2/extension.py b/python/sqlcommenter-python/google/cloud/sqlcommenter/psycopg2/extension.py
@@ -18,7 +18,7 @@
 
 import psycopg2
 import psycopg2.extensions
-from google.cloud.sqlcommenter import generate_sql_comment
+from google.cloud.sqlcommenter import add_sql_comment
 from google.cloud.sqlcommenter.flask import get_flask_info
 from google.cloud.sqlcommenter.opencensus import get_opencensus_values
 from google.cloud.sqlcommenter.opentelemetry import get_opentelemetry_values
@@ -80,12 +80,7 @@ def execute(self, sql, args=None):
             if with_opentelemetry:
                 data.update(get_opentelemetry_values())
 
-            if len(data) != 0:
-                sql = sql.rstrip()
-                if sql[-1] == ';':
-                    sql = sql[:-1] + generate_sql_comment(**data) + ';'
-                else:
-                    sql = sql + generate_sql_comment(**data)
+            sql = add_sql_comment(sql, **data)
 
             return psycopg2.extensions.cursor.execute(self, sql, args)
 
diff --git a/python/sqlcommenter-python/google/cloud/sqlcommenter/sqlalchemy/executor.py b/python/sqlcommenter-python/google/cloud/sqlcommenter/sqlalchemy/executor.py
@@ -21,7 +21,7 @@
 import logging
 
 import sqlalchemy
-from google.cloud.sqlcommenter import generate_sql_comment
+from google.cloud.sqlcommenter import add_sql_comment
 from google.cloud.sqlcommenter.fastapi import get_fastapi_info
 from google.cloud.sqlcommenter.flask import get_flask_info
 from google.cloud.sqlcommenter.opencensus import get_opencensus_values
@@ -76,15 +76,14 @@ def before_cursor_execute(conn, cursor, sql, parameters, context, executemany):
         if with_opentelemetry:
             data.update(get_opentelemetry_values())
 
-        sql_comment = generate_sql_comment(**data)
+        sql = add_sql_comment(sql, **data)
 
         # TODO: Check if the database type is MySQL and figure out
         # if we should prepend comments because MySQL server truncates
         # logs greater than 1kB.
         # See:
         #  * https://github.com/basecamp/marginalia/issues/61
         #  * https://github.com/basecamp/marginalia/pull/80
-        sql += sql_comment
 
         return sql, parameters
 
diff --git a/python/sqlcommenter-python/tests/generic/test_add_sql_comment.py b/python/sqlcommenter-python/tests/generic/test_add_sql_comment.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from unittest import TestCase
+
+from google.cloud.sqlcommenter import add_sql_comment
+
+
+class AddSqlCommentTests(TestCase):
+    def test_no_args(self):
+        self.assertEqual(add_sql_comment('Select 1'), 'Select 1')
+
+    def test_end_comment_escaping(self):
+        self.assertEqual("Select 1 /*a='%%2A/abc'*/", add_sql_comment("Select 1", a='*/abc'))
+
+    def test_bytes(self):
+        self.assertIn("Select 1 /*a='%%2A/abc'*/", add_sql_comment("Select 1",a=b'*/abc'))
+
+    def test_url_quoting(self):
+        self.assertIn("Select 1 /*foo='bar%%2Cbaz'*/", add_sql_comment("Select 1",foo='bar,baz'))
+
+    def test_sql_with_semicolon(self):
+        self.assertIn("Select 1 /*foo='bar%%2Cbaz'*/;", add_sql_comment("Select 1;",foo='bar,baz'))
diff --git a/python/sqlcommenter-python/tests/sqlalchemy/tests.py b/python/sqlcommenter-python/tests/sqlalchemy/tests.py
@@ -52,30 +52,30 @@ def test_no_args(self):
 
     def test_db_driver(self):
         self.assertSQL(
-            "SELECT 1; /*db_driver='driver'*/",
+            "SELECT 1 /*db_driver='driver'*/;",
             with_db_driver=True,
         )
 
     def test_db_framework(self):
         self.assertSQL(
-            "SELECT 1; /*db_framework='sqlalchemy%%3A{}'*/".format(sqlalchemy.__version__),
+            "SELECT 1 /*db_framework='sqlalchemy%%3A{}'*/;".format(sqlalchemy.__version__),
             with_db_framework=True,
         )
 
     def test_opencensus(self):
         with mock_opencensus_tracer():
             self.assertSQL(
-                "SELECT 1; /*traceparent='00-trace%%20id-span%%20id-00',"
-                "tracestate='congo%%3Dt61rcWkgMzE%%2Crojo%%3D00f067aa0ba902b7'*/",
+                "SELECT 1 /*traceparent='00-trace%%20id-span%%20id-00',"
+                "tracestate='congo%%3Dt61rcWkgMzE%%2Crojo%%3D00f067aa0ba902b7'*/;",
                 with_opencensus=True,
             )
 
     @skipIfPy2
     def test_opentelemetry(self):
         with mock_opentelemetry_context():
             self.assertSQL(
-                "SELECT 1; /*traceparent='00-000000000000000000000000deadbeef-000000000000beef-00',"
-                "tracestate='some_key%%3Dsome_value'*/",
+                "SELECT 1 /*traceparent='00-000000000000000000000000deadbeef-000000000000beef-00',"
+                "tracestate='some_key%%3Dsome_value'*/;",
                 with_opentelemetry=True,
             )
 
@@ -85,8 +85,8 @@ def test_both_opentelemetry_and_opencensus_warn(self):
             "google.cloud.sqlcommenter.sqlalchemy.executor.logger"
         ) as logger_mock, mock_opencensus_tracer(), mock_opentelemetry_context():
             self.assertSQL(
-                "SELECT 1; /*traceparent='00-000000000000000000000000deadbeef-000000000000beef-00',"
-                "tracestate='some_key%%3Dsome_value'*/",
+                "SELECT 1 /*traceparent='00-000000000000000000000000deadbeef-000000000000beef-00',"
+                "tracestate='some_key%%3Dsome_value'*/;",
                 with_opentelemetry=True,
                 with_opencensus=True,
             )
@@ -103,27 +103,27 @@ class FlaskTests(SQLAlchemyTestCase):
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_flask_info', return_value=flask_info)
     def test_all_data(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*controller='c',framework='flask',route='/'*/",
+            "SELECT 1 /*controller='c',framework='flask',route='/'*/;",
         )
 
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_flask_info', return_value=flask_info)
     def test_framework_disabled(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*controller='c',route='/'*/",
+            "SELECT 1 /*controller='c',route='/'*/;",
             with_framework=False,
         )
 
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_flask_info', return_value=flask_info)
     def test_controller_disabled(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*framework='flask',route='/'*/",
+            "SELECT 1 /*framework='flask',route='/'*/;",
             with_controller=False,
         )
 
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_flask_info', return_value=flask_info)
     def test_route_disabled(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*controller='c',framework='flask'*/",
+            "SELECT 1 /*controller='c',framework='flask'*/;",
             with_route=False,
         )
 
@@ -138,26 +138,26 @@ class FastAPITests(SQLAlchemyTestCase):
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_fastapi_info', return_value=fastapi_info)
     def test_all_data(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*controller='c',framework='fastapi',route='/'*/",
+            "SELECT 1 /*controller='c',framework='fastapi',route='/'*/;",
         )
 
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_fastapi_info', return_value=fastapi_info)
     def test_framework_disabled(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*controller='c',route='/'*/",
+            "SELECT 1 /*controller='c',route='/'*/;",
             with_framework=False,
         )
 
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_fastapi_info', return_value=fastapi_info)
     def test_controller_disabled(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*framework='fastapi',route='/'*/",
+            "SELECT 1 /*framework='fastapi',route='/'*/;",
             with_controller=False,
         )
 
     @mock.patch('google.cloud.sqlcommenter.sqlalchemy.executor.get_fastapi_info', return_value=fastapi_info)
     def test_route_disabled(self, get_info):
         self.assertSQL(
-            "SELECT 1; /*controller='c',framework='fastapi'*/",
+            "SELECT 1 /*controller='c',framework='fastapi'*/;",
             with_route=False,
-        )
+        )
