Can't use predefined string as Stmt in Client.Mgmt #33

Closed
talsheldon opened this issue Jun 21, 2020 · 3 comments

@talsheldon

I have some management statements that I want to execute through the client.
These statements are built with fmt.Sprintf.

command := fmt.Sprintf(...)
if _, err := client.Mgmt(ctx, db, command); err != nil {
	return err
}

So I saw the query is supposed to be of type Stmt, but I didn't find how to convert this string to Stmt.

When using NewStmt, I can only use a raw string as input, but not a predefined one:

working := kustoSDK.NewStmt("some command")
query := "some command"
notWorking := kustoSDK.NewStmt(query)

Am I missing something? How can I fix this issue?

I'm using azure-kusto-go version 0.1.3 and go version go1.13.12 darwin/amd64

@element-of-surprise
Member

So Kusto by default uses the Stmt type to enforce that string constants are used. This prevents an entire range of SQL-like injection attacks. Most SQL-like APIs are unsafe by default, requiring you to turn on safety. Because of a language trick in Go, we have the option to make

There are two ways to input variable substitution. One is through the use of query parameters and the other is the unsafe package.

Mgmt calls use an old version API, so I don't think it supports query parameters for substitution. If you need to do string substitution as above, you will probably need to use the unsafe package.

stmt := kusto.NewStmt("", kusto.UnsafeStmt(unsafe.Stmt{Add: true})).UnsafeAdd(yourStr)

This will let you add whatever you want, but as it says in the package name, this is "unsafe". Which really means you need to scrub your inputs if you are allowing outside data to affect your Mgmt call.

@element-of-surprise element-of-surprise added the wontfix This will not be worked on label Jun 24, 2020
@element-of-surprise element-of-surprise self-assigned this Jun 24, 2020
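
An added example, not part of the original thread and not the SDK's own code: a simplified, standard-library-only model of the constant-only `Stmt` pattern and the unsafe escape hatch discussed above, with an allowlist check applied to a runtime table name before it is appended. The names `stringConstant`, `TableDetailsStmt`, `identRe` and `ErrBadIdentifier`, the 64-character limit and the `.show table ... details` command are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// stringConstant is unexported: code in another package cannot name it, so it
// cannot convert a string variable to it. Untyped string constants ("...")
// still convert implicitly, which is what restricts NewStmt to literals.
type stringConstant string

// Stmt is a simplified stand-in for the SDK's statement type.
type Stmt struct{ text string }

// NewStmt accepts only compile-time constants when called from another package.
func NewStmt(q stringConstant) Stmt { return Stmt{text: string(q)} }

// UnsafeAdd is the escape hatch: it appends arbitrary runtime text.
func (s Stmt) UnsafeAdd(frag string) Stmt { return Stmt{text: s.text + frag} }

func (s Stmt) String() string { return s.text }

// identRe is a deliberately strict allowlist (assumption): a letter or
// underscore, then letters, digits or underscores, at most 64 characters.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,63}$`)

// ErrBadIdentifier is returned when a name fails the allowlist.
var ErrBadIdentifier = errors.New("table name fails allowlist")

// TableDetailsStmt builds ".show table <name> details" for a runtime table
// name, rejecting anything that could change the shape of the command.
func TableDetailsStmt(table string) (Stmt, error) {
	if !identRe.MatchString(table) {
		return Stmt{}, fmt.Errorf("%w: %q", ErrBadIdentifier, table)
	}
	return NewStmt(".show table ").UnsafeAdd(table).UnsafeAdd(" details"), nil
}

func main() {
	// Constructed inputs: one ordinary name, one carrying extra command text.
	for _, name := range []string{"Events_2020", "Events; .show databases"} {
		stmt, err := TableDetailsStmt(name)
		fmt.Printf("%q -> %q, err=%v\n", name, stmt.String(), err)
	}
}
```

The validation sits in front of the only place runtime text enters the statement, so every other part of the command remains a compile-time constant.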
@jrauschenbusch

@element-of-surprise Will there ever be a way to use query parameters for Mgmt calls? If yes, is there already an ETA?

@element-of-surprise
Member

@jrauschenbusch
Ever is a long time, so I can't answer that for the long term. The backend doesn't support them at this time and I am not aware of any plans to support Mgmt calls in the V2 backends (however I am not on Kusto dev).

I'm not sure of the exact procedure for getting new features, but Kusto does have a forum for requesting things and getting them upvoted:
https://feedback.azure.com/forums/915733-azure-data-explorer

You might also be able to do this by opening a support ticket or working through account reps, etc.

The SDK can support them if the backends add support.
