Conversation
| @@ -2103,11 +2103,11 @@ async function persistMetadata(databricksClient, warehouseId, pixelsTable, datas | |||
| "warehouse_id": warehouseId, | |||
| "statement": `INSERT INTO ${pixelsTable} | |||
This should not be in client-side code: INSERT INTO ${pixelsTable}
The client prepares the statement and calls the Databricks app APIs; the execution of the statement and the call to the SQL warehouse API happen in the Databricks app. Any suggestion to improve it?
@erinaldidb The recommendation is to pass simple parameters to the server.
Passing commands to the server requires complex parsing and safety checks.
Passing commands invites people to test diff command strings and either succeed in corrupting data or running UDFs or denial of service functions.
| extension, file_type, path_tags, is_anon, meta, thumbnail) | ||
| extension, file_type, path_tags, is_anon, meta) | ||
| VALUES ( | ||
| 'dbfs:/${dataset.path}', to_timestamp(unix_timestamp('${dataset.datetime}', 'yyyyMMddHHmmss')), '${dataset.length}', 'dbfs:/${dataset.path}', '${dataset.path}', '/${dataset.path}', |
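Review bot: The rewritten VALUES line still splices `${dataset.path}`, `${dataset.datetime}` and `${dataset.length}` (and `${pixelsTable}` in the INSERT INTO above) straight into the SQL text through a template literal, so a single quote in any of those values changes the statement; this hunk only drops the thumbnail column and leaves that in place. Suggest binding the values with named parameter markers and sending them in the `parameters` array of the Statement Execution request, e.g. `VALUES (:path, to_timestamp(unix_timestamp(:datetime, 'yyyyMMddHHmmss')), :length, ...)` with `{ name: "path", value: ..., type: "STRING" }`, and keeping `pixelsTable` a server-side constant rather than a value taken from the request.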
Leaving tables and paths open to the client to overwrite with malicious values can be dangerous.
Any changes in the client can always be overwritten; the security measures should be applied on the server side (Databricks app).
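The server-side pattern the reviewers recommend above (the client passes simple values, the Databricks app validates them and owns the statement), written out as an added JavaScript example that is not code from this PR or project. The table name, warehouse id, column set, allowed file types and validation rules are assumptions; the request shape follows the Databricks SQL Statement Execution API's `statement` plus `parameters` fields.

```javascript
// Added example, not the project's own code: a server-side (Databricks app)
// handler that accepts plain values from the client, validates them, and
// builds a Statement Execution API request using named parameter markers.
// The table name and warehouse id come from server configuration, so the
// client cannot redirect the INSERT or alter the SQL text.

// Hypothetical server-side configuration (placeholder values).
const SERVER_CONFIG = {
  warehouseId: "WAREHOUSE_ID_PLACEHOLDER",
  pixelsTable: "main.pixels.metadata",
};

// Allow-lists: identifiers cannot be bound as parameters, so the table name
// is checked against a strict pattern; client scalars get their own rules.
const TABLE_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*){0,2}$/;
const PATH_SEGMENT_RE = /^[A-Za-z0-9._-]+$/;
const DATETIME_RE = /^\d{14}$/;              // yyyyMMddHHmmss, as in the page's SQL
const EXTENSION_RE = /^[a-z0-9]{1,8}$/;
const FILE_TYPES = new Set(["image", "video", "document"]); // assumed set

// Accept only a simple relative path: no empty segments, no "." or "..",
// no characters outside the allow-list (so no quotes or separators).
function validatePath(path) {
  if (typeof path !== "string" || path.length === 0 || path.length > 1024) {
    throw new Error("invalid path");
  }
  for (const segment of path.split("/")) {
    if (!PATH_SEGMENT_RE.test(segment) || segment === "." || segment === "..") {
      throw new Error("invalid path segment");
    }
  }
  return path;
}

// Validate the client's scalar inputs; unknown keys such as a
// client-supplied table name are ignored rather than honoured.
function validateDataset(input) {
  if (typeof input !== "object" || input === null) throw new Error("dataset must be an object");
  const path = validatePath(input.path);
  if (typeof input.datetime !== "string" || !DATETIME_RE.test(input.datetime)) {
    throw new Error("invalid datetime");
  }
  if (!Number.isInteger(input.length) || input.length < 0) throw new Error("invalid length");
  if (typeof input.extension !== "string" || !EXTENSION_RE.test(input.extension)) {
    throw new Error("invalid extension");
  }
  if (!FILE_TYPES.has(input.fileType)) throw new Error("invalid file type");
  return {
    path,
    datetime: input.datetime,
    length: input.length,
    extension: input.extension,
    fileType: input.fileType,
    isAnon: input.isAnon === true,
  };
}

// Build the request body. The column set is an assumption based on the
// page's hunk; values travel in `parameters` and are bound by the warehouse,
// never spliced into the SQL text.
function buildPersistMetadataRequest(config, rawDataset) {
  if (!TABLE_NAME_RE.test(config.pixelsTable)) throw new Error("bad table configuration");
  const d = validateDataset(rawDataset);
  const statement =
    `INSERT INTO ${config.pixelsTable} ` +
    "(path, datetime, length, extension, file_type, is_anon) VALUES (" +
    ":path, to_timestamp(unix_timestamp(:datetime, 'yyyyMMddHHmmss')), " +
    ":length, :extension, :file_type, :is_anon)";
  return {
    warehouse_id: config.warehouseId,
    statement,
    parameters: [
      { name: "path", value: `dbfs:/${d.path}`, type: "STRING" },
      { name: "datetime", value: d.datetime, type: "STRING" },
      { name: "length", value: String(d.length), type: "BIGINT" },
      { name: "extension", value: d.extension, type: "STRING" },
      { name: "file_type", value: d.fileType, type: "STRING" },
      { name: "is_anon", value: String(d.isAnon), type: "BOOLEAN" },
    ],
  };
}

// Constructed sample input (not real data) for a stand-alone run.
const SAMPLE_DATASET = {
  path: "img/2024/cat.png",
  datetime: "20240115103000",
  length: 1234,
  extension: "png",
  fileType: "image",
  isAnon: false,
};

console.log(JSON.stringify(buildPersistMetadataRequest(SERVER_CONFIG, SAMPLE_DATASET), null, 2));
```

The app would call this from its own HTTP handler and forward the returned body to the warehouse with server-held credentials; the client never sees or composes SQL, which is what makes the reviewers' "pass simple parameters" advice enforceable.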
Refactor SQL insert statement in persistMetadata function to remove thumbnail field