Skip to content

fix(admin): Allow ClickHouse replace* functions in read-only query validation#7876

Open
xurui-c wants to merge 1 commit intomasterfrom
rachel/snubaadmin
Open

fix(admin): Allow ClickHouse replace* functions in read-only query validation#7876
xurui-c wants to merge 1 commit intomasterfrom
rachel/snubaadmin

Conversation

@xurui-c
Copy link
Copy Markdown
Member

@xurui-c xurui-c commented Apr 15, 2026

The snuba-admin query validator blocked any query containing the substring replace, which caused ClickHouse functions like replaceAll(), replaceRegexpAll(), etc. to be rejected with a validation error.

The intent of the replace entry in the blocklist is to prevent SQL DML statements like REPLACE TABLE or REPLACE INTO, not to block legitimate ClickHouse string functions. Switching to a word-boundary regex match (\breplace\b) for this keyword preserves the DML protection while allowing function names that begin with replace.

@xurui-c @claude
fix(admin): Allow ClickHouse replace* functions in read-only query va…
2a97d73 
…lidation

The keyword blocklist used a substring match for "replace", causing
ClickHouse functions like replaceAll() and replaceRegexpAll() to be
incorrectly rejected. Use a word-boundary regex match for "replace" so
only the SQL DML keyword (e.g. REPLACE TABLE) is blocked.

Co-Authored-By: Claude <noreply@anthropic.com>
@xurui-c xurui-c marked this pull request as ready for review April 15, 2026 18:26
@xurui-c xurui-c requested a review from a team as a code owner April 15, 2026 18:26
Copilot AI review requested due to automatic review settings April 15, 2026 18:26
Copilot AI reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts the snuba-admin read-only query validator to avoid falsely blocking ClickHouse string functions whose names start with replace, while still blocking REPLACE DML statements.

Changes:

  • Import re and switch replace keyword detection from substring matching to a word-boundary regex (\\breplace\\b).
  • Keep existing substring checks for other disallowed keywords unchanged.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread snuba/admin/clickhouse/common.py
for kw in disallowed_keywords:
if kw in lowered:
if kw == "replace":
if re.search(r"\breplace\b", lowered):
Copy link

Copilot AI Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updated replace handling changes validation semantics, but there’s no corresponding test coverage to ensure replaceAll()/replaceRegexpAll() are allowed while DML like REPLACE INTO/TABLE is still rejected. Please add/adjust tests in the existing query validation test suite to cover both cases, so future keyword changes don’t regress this behavior.

Suggested change
if re.search(r"\breplace\b", lowered):
# Reject DML forms such as REPLACE INTO / REPLACE TABLE while
# allowing read-only function calls like replaceAll() and
# replaceRegexpAll().
if re.search(r"\breplace\s+(into|table)\b", lowered):

Copilot uses AI. Check for mistakes.
@MeredithAnya
Copy link
Copy Markdown
Member

MeredithAnya commented Apr 15, 2026

@xurui-c probs doesn't hurt to add a test to this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@MeredithAnya MeredithAnya MeredithAnya approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xurui-c @MeredithAnya