From 37a3a61fb13b0c56fcc10bf8ef01f4885a58dae8 Mon Sep 17 00:00:00 2001 From: Charles Blackmon-Luca <20627856+charlesbluca@users.noreply.github.com> Date: Thu, 7 Apr 2022 14:05:47 -0400 Subject: [PATCH] Disable SQL server functionality (#448) * Disable SQL server functionality * Update docs/source/server.rst Co-authored-by: Ayush Dattagupta * Disable server at lowest possible level * Skip all server tests * Add tests to ensure server is disabled * Fix CVE fix test Co-authored-by: Ayush Dattagupta --- continuous_integration/recipe/meta.yaml | 6 ++- dask_sql/__init__.py | 7 ++- dask_sql/context.py | 2 +- dask_sql/server/app.py | 3 ++ docs/source/server.rst | 4 ++ setup.py | 3 +- tests/integration/test_cve_fix.py | 16 +++++++ tests/integration/test_jdbc.py | 5 ++ tests/integration/test_server.py | 63 +++++++++++++------------ 9 files changed, 74 insertions(+), 35 deletions(-) create mode 100644 tests/integration/test_cve_fix.py diff --git a/continuous_integration/recipe/meta.yaml b/continuous_integration/recipe/meta.yaml index a56bd15c2..15d8e37ee 100644 --- a/continuous_integration/recipe/meta.yaml +++ b/continuous_integration/recipe/meta.yaml @@ -15,7 +15,8 @@ build: number: {{ GIT_DESCRIBE_NUMBER }} noarch: python entry_points: - - dask-sql-server = dask_sql.server.app:main + # TODO: re-enable server once CVEs are resolved + # - dask-sql-server = dask_sql.server.app:main - dask-sql = dask_sql.cmd:main string: py_{{ GIT_DESCRIBE_HASH }}_{{ GIT_DESCRIBE_NUMBER }} script: {{ PYTHON }} -m pip install . --no-deps -vv @@ -45,7 +46,8 @@ test: - dask_sql commands: - pip check - - dask-sql-server --help + # TODO: re-enable server once CVEs are resolved + # - dask-sql-server --help - dask-sql --help requires: - pip diff --git a/dask_sql/__init__.py b/dask_sql/__init__.py index d343a4c5c..96a70d873 100644 --- a/dask_sql/__init__.py +++ b/dask_sql/__init__.py 
@@ -3,9 +3,12 @@
 from .cmd import cmd_loop
 from .context import Context
 from .datacontainer import Statistics
-from .server.app import run_server
+
+# from .server.app import run_server
 __version__ = get_versions()["version"]
 del get_versions
-__all__ = [__version__, cmd_loop, Context, run_server, Statistics]
+# TODO: re-enable server once CVEs are resolved
+# __all__ = [__version__, cmd_loop, Context, run_server, Statistics]
+__all__ = [__version__, cmd_loop, Context, Statistics]
diff --git a/dask_sql/context.py b/dask_sql/context.py
index 98cc46e21..0449f4835 100644
--- a/dask_sql/context.py
+++ b/dask_sql/context.py
@@ -659,7 +659,7 @@ def run_server(
 from dask_sql.server.app import run_server
 self.stop_server()
- self.server = run_server(
+ self.sql_server = run_server(
 context=self,
 client=client,
 host=host,
diff --git a/dask_sql/server/app.py b/dask_sql/server/app.py
index 634de3856..261f75831 100644
--- a/dask_sql/server/app.py
+++ b/dask_sql/server/app.py
@@ -276,6 +276,9 @@ def _init_app(
 context: Context = None,
 client: dask.distributed.Client = None,
 ):
+ # TODO: re-enable server once CVEs are resolved
+ raise NotImplementedError
+
 app.c = context or Context()
 app.future_list = {}
diff --git a/docs/source/server.rst b/docs/source/server.rst
index 70ad902e9..8993d55fb 100644
--- a/docs/source/server.rst
+++ b/docs/source/server.rst
@@ -3,6 +3,10 @@ SQL Server
 ==========
+.. warning::
+
+ ``dask-sql``'s SQL server functionality is currently exploitable and has been disabled until the exposed vulnerabilities can be resolved.
+
 ``dask-sql`` comes with a small test implementation for a SQL server. Instead of rebuilding a full ODBC driver, we re-use the `presto wire protocol `_.
diff --git a/setup.py b/setup.py
index e63b9a3d5..98781fc8c 100755
--- a/setup.py
+++ b/setup.py
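Review bot: The rewritten `__all__` line keeps the pre-existing mistake of listing objects instead of names, so `from dask_sql import *` still fails (non-`str` items such as `cmd_loop` raise `TypeError`, and the value of `__version__` would be looked up as an attribute name); since the line is being rewritten anyway, make it `__all__ = ["__version__", "cmd_loop", "Context", "Statistics"]`. The commented-out import and the commented-out old `__all__` duplicate what the TODO already says and will drift from the live definition; keep the TODO comment and drop the dead code. Note that removing the package-level re-export does not make `dask_sql.server.app.run_server` unreachable — it is still importable by its full path — so the real control has to be the guard inside the server module, which this hunk does not show.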
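Review bot: Renaming the stored handle from `self.server` to `self.sql_server` is only safe if every other reader of that attribute is updated, and `self.stop_server()` on the line above — whose body is outside this hunk, as is the rest of `run_server` — presumably tears down `self.server`; if it still reads the old name, the server started here would never be stopped (or `stop_server` would hit an `AttributeError`, depending on how it is written). Worth grepping `Context` for `.server` and covering the teardown path with a test. The commit does not say why the attribute was renamed; a one-line comment on the assignment, e.g. `# stored as sql_server to avoid clashing with the previous attribute name used by callers`, would save the next reader the archaeology — adjust to whatever the actual reason is.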
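Review bot: The bare `raise NotImplementedError` at the top of `_init_app` gives a caller no explanation for why the server refuses to start; raise it with a message, e.g. `raise NotImplementedError("dask-sql's SQL server is disabled until the related CVEs are resolved; see docs/source/server.rst")`, and record the reason in the function's docstring rather than only in a TODO. This guard fires only when `_init_app` is called, yet the tests import a module-level `app` object from this file; if routes are registered on that object at import time, serving it directly with an ASGI server would bypass this function, so it is worth confirming the request handlers fail closed when `app.c` was never set, or adding the same guard at the route level. Everything after the raise is now intentionally dead code; a short comment saying so (`# unreachable while the server is disabled; kept for re-enablement`) prevents linters and readers from trying to "fix" it. `_init_app` starts before this hunk and its body continues past it.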
@@ -116,7 +116,8 @@ def build(self):
 },
 entry_points={
 "console_scripts": [
- "dask-sql-server = dask_sql.server.app:main",
+ # TODO: re-enable server once CVEs are resolved
+ # "dask-sql-server = dask_sql.server.app:main",
 "dask-sql = dask_sql.cmd:main",
 ]
 },
diff --git a/tests/integration/test_cve_fix.py b/tests/integration/test_cve_fix.py
new file mode 100644
index 000000000..87ec03bf1
--- /dev/null
+++ b/tests/integration/test_cve_fix.py
@@ -0,0 +1,16 @@
+import pytest
+
+from dask_sql import Context
+from dask_sql.server.app import _init_app, app
+
+
+def test_run_server_disabled(c):
+ with pytest.raises(NotImplementedError):
+ c.run_server()
+
+
+def test_init_app_disabled():
+ c = Context()
+ c.sql("SELECT 1 + 1").compute()
+ with pytest.raises(NotImplementedError):
+ _init_app(app, c)
diff --git a/tests/integration/test_jdbc.py b/tests/integration/test_jdbc.py
index f8426ae46..2f6eb464b 100644
--- a/tests/integration/test_jdbc.py
+++ b/tests/integration/test_jdbc.py
@@ -7,6 +7,11 @@
 from dask_sql.server.app import _init_app, app
 from dask_sql.server.presto_jdbc import create_meta_data
+# TODO: re-enable server once CVEs are resolved
+pytest.skip(
+ "SQL server is disabled until related CVEs are resolved", allow_module_level=True
+)
+
 # needed for the testclient
 pytest.importorskip("requests")
diff --git a/tests/integration/test_server.py b/tests/integration/test_server.py
index 88d08a4f7..c5c460903 100644
--- a/tests/integration/test_server.py
+++ b/tests/integration/test_server.py
@@ -5,6 +5,11 @@
 from dask_sql import Context
 from dask_sql.server.app import _init_app, app
+# TODO: re-enable server once CVEs are resolved
+pytest.skip(
+ "SQL server is disabled until related CVEs are resolved", allow_module_level=True
+)
+
 # needed for the testclient
 pytest.importorskip("requests")
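Review bot: Both tests only prove that `_init_app` raises; they do not cover the other surfaces this commit removes, so a regression that restores the `dask_sql.run_server` re-export or the console script would still pass. Add `import dask_sql` and `assert not hasattr(dask_sql, "run_server")`, and, if the imported `app` object registers routes at import time, a request through the test client asserting that `/v1/statement` is not served without `_init_app`. The `c.sql("SELECT 1 + 1").compute()` line in `test_init_app_disabled` has no stated purpose — if it is there to show the context still works while the server is off, say so with a comment like `# the SQL context itself must keep working with the server disabled`; otherwise drop it. `test_run_server_disabled` depends on a `c` fixture defined outside this file.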
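Review bot: The module-level `pytest.skip(..., allow_module_level=True)` sits after `from dask_sql.server.app import _init_app, app`, so the disabled server module (and whatever it pulls in) is still imported at collection time; if that import ever fails, the outcome is a collection error instead of the intended skip. Move the skip call directly under `import pytest`, above the `dask_sql.server` imports, and likewise ahead of `pytest.importorskip("requests")` so neither dependency check runs for a module that is skipped anyway. The skip message could name the tracking issue once one exists so the TODO has an owner.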
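Review bot: Same ordering problem as in the JDBC test module: the `pytest.skip` here runs only after `from dask_sql.server.app import _init_app, app` has already succeeded, so an import failure in the disabled server package turns a skip into a collection error. Hoist the `pytest.skip(...)` call above the `dask_sql` imports, right after `import pytest`. While the whole module is skipped, the relocation of `get_result_or_error` later in this file cannot be exercised, so that move stays unverified until the server is re-enabled — worth noting in the skip comment.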
@@ -23,6 +28,35 @@ def app_client():
 app.client.close()
+def get_result_or_error(app_client, response):
+ result = response.json()
+
+ assert "nextUri" in result
+ assert "error" not in result
+
+ status_url = result["nextUri"]
+ next_url = status_url
+
+ counter = 0
+ while True:
+ response = app_client.get(next_url)
+ assert response.status_code == 200
+
+ result = response.json()
+
+ if "nextUri" not in result:
+ break
+
+ next_url = result["nextUri"]
+
+ counter += 1
+ assert counter <= 100
+
+ sleep(0.1)
+
+ return result
+
+
 def test_routes(app_client):
 assert app_client.post("/v1/statement", data="SELECT 1 + 1").status_code == 200
 assert app_client.get("/v1/statement", data="SELECT 1 + 1").status_code == 405
@@ -174,32 +208,3 @@ def test_inf_table(app_client, user_table_inf):
 assert len(result["data"]) == 3
 assert result["data"][1] == ["+Infinity"]
 assert "error" not in result
-
-
-def get_result_or_error(app_client, response):
- result = response.json()
-
- assert "nextUri" in result
- assert "error" not in result
-
- status_url = result["nextUri"]
- next_url = status_url
-
- counter = 0
- while True:
- response = app_client.get(next_url)
- assert response.status_code == 200
-
- result = response.json()
-
- if "nextUri" not in result:
- break
-
- next_url = result["nextUri"]
-
- counter += 1
- assert counter <= 100
-
- sleep(0.1)
-
- return result