lovasoa / SQLpage

Fast SQL-only data application builder. Automatically build a UI on top of SQL queries.
https://sql.datapage.app
MIT License
1.56k stars, 89 forks

Off topic #186

Closed radim closed 8 months ago

radim commented 8 months ago

Hey, thank you for making SQLPage a reality! One question re: security: is it intended behaviour that I can externally execute migrations and any other .sql files in sqlite/migrations/?

Having said that, is there any way to configure a 'safe' location? I have tried to have a look at the source code and there's little protection, as read_to_string(app_state, path, true) is always called with Privileged == true (if that is the thing that makes the difference), and that's used in the evaluation of safe_local_path. Initially I hoped the sqlpage location was going to be protected, but I can successfully evaluate

curl -v http://localhost:8080/sqlpage/migrations/001_test.sql

(both using development and production mode).

Also, how is static_path supposed to be used in custom components?

I guess I can have a look and create a PR if you can provide some hints on the general idea behind the security.

lovasoa commented 8 months ago

I reinstated the initial comment. Other people may have the same interrogations as you.

SQLPage blocks access to the ./sqlpage/ folder by default, and makes the WEB_ROOT (the folder from which .sql files are served) configurable.
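The two properties lovasoa describes (serve only from WEB_ROOT, never from ./sqlpage/) are what a request-to-file mapping has to enforce before touching the filesystem. The following is an added illustration written for this thread, not SQLPage's own code: the function name safe_local_path is borrowed from the discussion, but its signature and logic are assumptions, and the web root and request paths are constructed sample values.

```rust
use std::path::{Component, Path, PathBuf};

/// Folder under the web root reserved for the application's own files
/// (configuration, migrations, custom components); never served to clients.
const RESERVED_DIR: &str = "sqlpage";

/// Map a URL path onto a file below `web_root`, or return None when the
/// request must be refused. Hypothetical implementation for illustration,
/// not the project's actual function.
pub fn safe_local_path(web_root: &Path, request_path: &str) -> Option<PathBuf> {
    let mut rel = PathBuf::new();
    for comp in Path::new(request_path.trim_start_matches('/')).components() {
        match comp {
            // "a/./b" is harmless; just drop the dot segment.
            Component::CurDir => {}
            // Refuse anything that could climb out of the web root or that
            // smuggles in an absolute path or a Windows drive prefix.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
            Component::Normal(seg) => {
                // A NUL byte would truncate the name at the OS level, so treat
                // it as hostile rather than passing it on.
                if seg.to_string_lossy().contains('\0') {
                    return None;
                }
                rel.push(seg);
            }
        }
    }
    // The request must name something below the root, not the root itself.
    if rel.as_os_str().is_empty() {
        return None;
    }
    // Block the reserved folder case-insensitively: on case-insensitive
    // filesystems "SQLPage/" and "sqlpage/" are the same directory.
    let first = rel.components().next()?.as_os_str().to_string_lossy().to_lowercase();
    if first == RESERVED_DIR {
        return None;
    }
    Some(web_root.join(rel))
}

fn main() {
    // Constructed sample root and requests, mirroring the curl in the thread.
    let root = Path::new("/srv/app");
    for req in ["/index.sql", "/sqlpage/migrations/001_test.sql", "/../etc/passwd", "/a/./b.sql"] {
        println!("{req:40} -> {:?}", safe_local_path(root, req));
    }
}
```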