fix(query builders): quoting identifiers by default #1658
Merged
+402
−415
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
There was a problem hiding this comment.
👍 Looks good to me! Reviewed everything up to c461eaa in 1 minute and 26 seconds
More details
- Looked at
1144lines of code in7files - Skipped
0files when reviewing. - Skipped posting
11drafted comments based on config settings.
1. pandasai/query_builders/base_query_builder.py:42
- Draft comment:
Good: Using query.transform(quote_identifiers) ensures all identifiers are quoted consistently, enhancing SQL injection safety and readability. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
2. pandasai/query_builders/view_query_builder.py:83
- Draft comment:
Nice update: The view query builder correctly applies quote_identifiers transformation. Ensure sanitize_view_column_name is properly unit tested. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
3. tests/unit_tests/data_loader/test_sql_loader.py:45
- Draft comment:
The expected SQL queries now include quoted identifiers. This improves SQL safety and clarity. Verify that the quoting is consistent across all sources. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
4. tests/unit_tests/query_builders/test_group_by.py:80
- Draft comment:
Group by clauses now include properly quoted identifiers. This change enhances consistency; ensure that any changes to identifier quoting update all related tests. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
5. tests/unit_tests/query_builders/test_query_builder.py:217
- Draft comment:
The tests now check for correctly quoted table and column names, which is a positive update to prevent SQL injection. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
6. tests/unit_tests/query_builders/test_sql_transformation_manager.py:295
- Draft comment:
All transformation tests now validate SQL using fully quoted identifiers. This is beneficial for consistency and security. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
7. tests/unit_tests/query_builders/test_view_query_builder.py:144
- Draft comment:
The view query builder tests now expect properly quoted aliases and table names. The injection tests with altered schema names are comprehensive. - Reason this comment was not posted:
Confidence changes required:0%<= threshold50%
None
8. pandasai/query_builders/base_query_builder.py:61
- Draft comment:
Consider applying the quote_identifiers transformation to the get_row_count() query for consistency with build_query() and get_head_query(). - Reason this comment was not posted:
Comment was on unchanged code.
9. tests/unit_tests/query_builders/test_query_builder.py:144
- Draft comment:
Expected SQL strings are built inline and are verbose; consider extracting helper functions or constants to DRY up test string construction and improve maintainability. - Reason this comment was not posted:
Comment was on unchanged code.
10. tests/unit_tests/query_builders/test_view_query_builder.py:475
- Draft comment:
The test for column name comment injection expects the sanitized alias 'column___'; ensure that the replacement logic is well-documented and consistently applied. - Reason this comment was not posted:
Comment was on unchanged code.
11. Overall:1
- Draft comment:
Good job applying quote_identifiers by default across query builders to mitigate SQL injection risks. The added tests cover multiple injection scenarios comprehensively. - Reason this comment was not posted:
Comment was not on a location in the diff, so it can't be submitted as a review comment.
Workflow ID: wflow_mfzVOvL8uU5FRMMD
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
scaliseraoul
added a commit
to scaliseraoul/pandas-ai
that referenced
this pull request
Mar 5, 2025
* commit '869f048b60976c1fc5be313922368c626308a44d': fix(query builders): quoting identifiers by default (sinaptik-ai#1658) fix(agent): remove wrong double validation (sinaptik-ai#1659)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
Default quoting of SQL identifiers added to
BaseQueryBuilderandViewQueryBuilder, with tests updated to reflect this change.quote_identifiersinBaseQueryBuilderandViewQueryBuilder.build_query()andget_head_query()methods in both classes.test_sql_loader.py,test_group_by.py,test_query_builder.py,test_sql_transformation_manager.py, andtest_view_query_builder.pyto include quoted identifiers.This description was created by
for c461eaa. It will automatically update as commits are pushed.