From 8276ae8e6f83238f831f93e7acb5cd8cd922bf04 Mon Sep 17 00:00:00 2001 From: siisee11 Date: Fri, 26 Jun 2026 10:59:18 +0900 Subject: [PATCH] fix(server): validate MotherDuck unsafe functions --- .../src/services/data-source-query/validate-sql.test.ts | 5 +++++ .../server/src/services/data-source-query/validate-sql.ts | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/server/src/services/data-source-query/validate-sql.test.ts b/packages/server/src/services/data-source-query/validate-sql.test.ts index 5c22a9b9..02b84965 100644 --- a/packages/server/src/services/data-source-query/validate-sql.test.ts +++ b/packages/server/src/services/data-source-query/validate-sql.test.ts @@ -290,6 +290,11 @@ describe("validateAndNormalizeReadOnlyQuery", () => { "SELECT nextval('users_id_seq')", "Side-effecting SQL functions are not allowed: nextval" ); + await expectValidationError( + "SELECT pg_advisory_lock(1)", + "Side-effecting SQL functions are not allowed: pg_advisory_lock", + "motherduck" + ); await expectValidationError( "SELECT GET_LOCK('users', 1)", "Side-effecting SQL functions are not allowed: get_lock", diff --git a/packages/server/src/services/data-source-query/validate-sql.ts b/packages/server/src/services/data-source-query/validate-sql.ts index ffe1104c..8aab3c95 100644 --- a/packages/server/src/services/data-source-query/validate-sql.ts +++ b/packages/server/src/services/data-source-query/validate-sql.ts @@ -723,7 +723,7 @@ function isUnsafeFunctionName( functionName: string, dbType: DatabaseCredentialProviderType ): boolean { - if (dbType === "postgres") { + if (dbType === "postgres" || dbType === "motherduck") { return ( POSTGRES_UNSAFE_FUNCTIONS.has(functionName) || functionName.startsWith("dblink_") ||