run_sql can now be called with a specific set of variables to pass to the included sql file

lovasoa · lovasoa · commit e9fc9624f448 · 2024-07-10T23:54:41.000+02:00
new html component
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,11 @@
  - updated the SQL parser to [v0.48](https://github.com/sqlparser-rs/sqlparser-rs/blob/main/CHANGELOG.md#0480-2024-07-09)
    - upport UPDATE statements that contain tuple assignments , like `UPDATE table SET (a, b) = (SELECT 1, 2)`
    - support custom operators in postgres. Usefull when using extensions like PostGIS, PGroonga, pgtrgm, or pg_similarity, which define custom operators like `&&&`, `@>`, `<->`, `~>`, `~>=`, `~<=`, `<@`...
+ - New `html` component to display raw HTML content. This component is meant to be used by advanced users who want to display HTML content that cannot be expressed with the other components. Make sure you understand the security implications before using this component, as using untrusted HTML content can expose your users to [cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks.
+ - New parameter in the [`run_sql`](https://sql.ophir.dev/functions.sql?function=run_sql#function) function to pass variables to the included SQL file, instead of using the global variables. Together with the new ability to pass data from the database to SQLPage functions, this allows you to create more modular and reusable SQL files. For instance, the following is finally possible:
+   ```sql
+   select 'dynamic' as component, sqlpage.run_sql('display_product.sql', json_object('product_id', product_id)) as properties from products;
+   ```
 
 ## 0.24.0 (2024-06-23)
  - in the form component, searchable `select` fields now support more than 50 options. They used to display only the first 50 options. 
diff --git a/examples/official-site/sqlpage/migrations/38_run_sql.sql b/examples/official-site/sqlpage/migrations/38_run_sql.sql
@@ -47,4 +47,10 @@ VALUES (
         'Path to the SQL file to execute, can be absolute, or relative to the web root (the root folder of your website sql files).
         In-database files, from the sqlpage_files(path, contents, last_modified) table are supported.',
         'TEXT'
+    ),(
+        'run_sql',
+        2,
+        'parameters',
+        'Optional JSON object to pass as parameters to the included SQL file. The keys of the object will be available as variables in the included file. By default, the included file will have access to the same variables as the calling file.',
+        'JSON'
     );
diff --git a/examples/official-site/sqlpage/migrations/46_html.sql b/examples/official-site/sqlpage/migrations/46_html.sql
@@ -0,0 +1,45 @@
+-- Documentation for the RSS component
+INSERT INTO component (name, description, icon, introduced_in_version) VALUES (
+    'html',
+    'Include raw HTML in the output. For advanced users only. Use this component to create complex layouts or to include external content.
+    Be very careful when using this component with user-generated content, as it can lead to security vulnerabilities.
+    Use this component only if you are familiar with the security implications of including raw HTML, and understand the risks of cross-site scripting (XSS) attacks.',
+    'html',
+    '0.25.0'
+);
+
+INSERT INTO parameter (component,name,description,type,top_level,optional) VALUES (
+    'html',
+    'html',
+    'Raw HTML content to include in the page. This will not be sanitized or escaped. If you include content from an untrusted source, your page will be vulnerable to cross-site scripting attacks.',
+    'TEXT',
+    TRUE,
+    TRUE
+),(
+    'html',
+    'html',
+    'Raw HTML content to include in the page. This will not be sanitized or escaped. If you include content from an untrusted source, your page will be vulnerable to cross-site scripting attacks.',
+    'TEXT',
+    FALSE,
+    TRUE
+);
+
+-- Insert example(s) for the component
+INSERT INTO example (component, description, properties) VALUES (
+    'html',
+    'Include a simple HTML snippet. In this example, the HTML code is hardcoded in the SQL query, so it is safe. You should never include data that may be manipulated by a user in the HTML content.
+    ',
+    JSON('[{
+        "component": "html",
+        "html": "<h1 class=\"text-blue\">This text is safe because it is <mark>hardcoded</mark>!</h1>"
+    }]')
+),
+(
+    'html',
+    'Include multiple html snippets as row-level parameters. Again, be careful what you include in the HTML content. If the data comes from a user, it can be manipulated to include malicious code.',
+    JSON('[{"component":"html"},
+    {"html":"<h1>First snippet</h1>"},
+    {"html":"<h2>Second snippet</h2>"},
+    {"html":"<h3>Third snippet</h3>"}]')
+)
+;
diff --git a/sqlpage/templates/html.handlebars b/sqlpage/templates/html.handlebars
@@ -0,0 +1,2 @@
+{{{~html~}}}
+{{~#each_row~}}{{{~html~}}}{{~/each_row~}}
diff --git a/src/webserver/database/sqlpage_functions/functions.rs b/src/webserver/database/sqlpage_functions/functions.rs
@@ -1,5 +1,5 @@
 use super::RequestInfo;
-use crate::webserver::{database::execute_queries::DbConn, http::SingleOrVec, ErrorWithStatus};
+use crate::webserver::{database::execute_queries::DbConn, request_variables::ParamMap, http::SingleOrVec, ErrorWithStatus};
 use anyhow::{anyhow, Context};
 use futures_util::StreamExt;
 use mime_guess::mime;
@@ -28,7 +28,7 @@ super::function_definition_macro::sqlpage_functions! {
     read_file_as_data_url((&RequestInfo), file_path: Option<Cow<str>>);
     read_file_as_text((&RequestInfo), file_path: Option<Cow<str>>);
     request_method((&RequestInfo));
-    run_sql((&RequestInfo, &mut DbConn), sql_file_path: Option<Cow<str>>);
+    run_sql((&RequestInfo, &mut DbConn), sql_file_path: Option<Cow<str>>, variables: Option<Cow<str>>);
 
     uploaded_file_mime_type((&RequestInfo), upload_name: Cow<str>);
     uploaded_file_path((&RequestInfo), upload_name: Cow<str>);
@@ -348,6 +348,7 @@ async fn run_sql<'a>(
     request: &'a RequestInfo,
     db_connection: &mut DbConn,
     sql_file_path: Option<Cow<'a, str>>,
+    variables: Option<Cow<'a, str>>,
 ) -> anyhow::Result<Option<Cow<'a, str>>> {
     use serde::ser::{SerializeSeq, Serializer};
     let Some(sql_file_path) = sql_file_path else {
@@ -365,6 +366,11 @@ async fn run_sql<'a>(
         .await
         .with_context(|| format!("run_sql: invalid path {sql_file_path:?}"))?;
     let mut tmp_req = request.clone();
+    if let Some(variables) = variables {
+        let variables: ParamMap = serde_json::from_str(&variables)?;
+        tmp_req.get_variables = variables;
+        tmp_req.post_variables = Default::default();
+    }
     if tmp_req.clone_depth > 8 {
         anyhow::bail!("Too many nested inclusions. run_sql can include a file that includes another file, but the depth is limited to 8 levels. \n\
         Executing sqlpage.run_sql('{sql_file_path}') would exceed this limit. \n\
diff --git a/tests/display_text.sql b/tests/display_text.sql
@@ -0,0 +1 @@
+select 'html' as component, $html as html;
diff --git a/tests/sql_test_files/it_works_run_sql_from_database.sql b/tests/sql_test_files/it_works_run_sql_from_database.sql
@@ -0,0 +1,7 @@
+select 'dynamic' as component,
+    sqlpage.run_sql('tests/display_text.sql', CONCAT('{"html": "', html,'"}')) as properties
+from (
+    select 'It ' as html
+    union all
+    select 'works !'
+);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{{{~html~}}}`
	`2`	`+{{~#each_row~}}{{{~html~}}}{{~/each_row~}}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+select 'html' as component, $html as html;`