add(dictionary): show MySQL views, triggers, stored procedures, functions, and scheduled tasks in the data dictionary #3170
| ) | ||
|
|
||
|
|
||
| def get_export_full_path(base_dir: str, instance_name: str, db_name: str) -> str: |
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #3170 +/- ##
==========================================
+ Coverage 82.25% 82.44% +0.19%
==========================================
Files 136 136
Lines 21759 22122 +363
==========================================
+ Hits 17897 18239 +342
- Misses 3862 3883 +21
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0f078b3314
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: efaa89e068
| instance = Instance.objects.get( | ||
| instance_name=instance_name, db_type=db_type | ||
| ) |
Restrict dictionary detail lookups to authorized instances
For users who have sql.menu_data_dictionary but are not assigned to a target instance's resource group, these new detail endpoints still fetch Instance globally from request-controlled instance_name/db_type. A direct call to /data_dictionary/procedure_info/, /function_info/, /event_info/, etc. can therefore return routine/event DDL from an instance the UI would not list for that user; use user_instances(request.user, db_type=[...]).get(...) (as the export path does) before creating the engine.
| instance = Instance.objects.get( | ||
| instance_name=instance_name, db_type=db_type | ||
| ) |
Restrict dictionary list lookups to authorized instances
For users who have sql.menu_data_dictionary but are not assigned to a target instance's resource group, these new list endpoints still resolve Instance globally from request-controlled instance_name/db_type. A direct call to /data_dictionary/view_list/, /procedure_list/, etc. can enumerate object names and comments from instances the UI would not list for that user; use user_instances(request.user, db_type=[...]).get(...) before creating the engine.
| db_name = query_engine.escape_string(db_name) | ||
| obj_name = query_engine.escape_string(obj_name) |
Pass raw object names to parameterized detail queries
When an object name contains characters that escape_string changes (for example a procedure named with a single quote), this pre-escaped value is then used as a bound parameter in the information_schema equality checks inside the engine methods and also as the identifier for SHOW CREATE. The lookup no longer matches the actual object name, so the detail modal/API returns empty metadata or a failed SHOW CREATE for valid MySQL identifiers; keep the raw request value for parameterized queries and only escape when constructing an identifier.
| db_name = query_engine.escape_string(db_name) | ||
| data = getattr(query_engine, engine_method)(db_name=db_name) |
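Review bot: On the getattr(query_engine, engine_method)(db_name=db_name) line, the method is resolved by name at runtime and the hunk does not show where engine_method comes from. If any part of that name derives from the request path or parameters, map it through a fixed server-side table of allowed engine methods and reject anything else, so the dispatch cannot reach other attributes of the engine object.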
Apply hidden-database filters before querying objects
The database dropdown is populated via instance_resource, which applies show_db_name_regex/denied_db_name_regex before exposing databases, but these new object endpoints accept any request db_name and immediately query it. On an otherwise authorized instance with denied databases, a direct call to /data_dictionary/procedure_list/ (or the other new list/detail endpoints) can enumerate routines/events/views in databases intentionally hidden from the user; reject db_name values that would be filtered before calling the engine.
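The two authorization findings above (instance scoping and hidden-database filtering) combine into one check that runs before any engine is created. The sketch below is an added example, not code from this pull request or the project: the Instance dataclass, the sample inventory, the simplified user_instances stand-in and the regex semantics (show regex allows, denied regex blocks) are all assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:  # stand-in for the Django model; fields are assumed
    instance_name: str
    db_type: str
    resource_group: str
    show_db_name_regex: str = ""
    denied_db_name_regex: str = ""

# Constructed sample inventory and resource-group membership.
ALL_INSTANCES = [
    Instance("orders-prod", "mysql", "payments",
             denied_db_name_regex=r"^(mysql|audit_.*)$"),
    Instance("hr-prod", "mysql", "hr"),
]
USER_GROUPS = {"alice": {"payments"}}

def user_instances(user, db_type):
    """Hypothetical stand-in: instances in the user's resource groups."""
    groups = USER_GROUPS.get(user, set())
    return [i for i in ALL_INSTANCES
            if i.db_type in db_type and i.resource_group in groups]

def db_is_visible(inst, db_name):
    """Assumed semantics: show regex is an allow filter, denied regex a block."""
    if inst.show_db_name_regex and not re.match(inst.show_db_name_regex, db_name):
        return False
    if inst.denied_db_name_regex and re.match(inst.denied_db_name_regex, db_name):
        return False
    return True

def authorize_lookup(user, instance_name, db_type, db_name):
    """Return the Instance if the caller may query db_name on it, else None.

    Request-controlled names are resolved only inside the caller's scope,
    and "not assigned" looks the same as "does not exist" to the caller.
    """
    scoped = [i for i in user_instances(user, [db_type])
              if i.instance_name == instance_name]
    if not scoped or not db_is_visible(scoped[0], db_name):
        return None  # caller should answer with one generic denial
    return scoped[0]  # only now is it safe to build the query engine
```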
| db_name = query_engine.escape_string(db_name) | ||
| data = getattr(query_engine, engine_method)(db_name=db_name) |
Keep database names raw for parameterized object queries
When a MySQL database name contains characters that escape_string changes (for example a quoted identifier containing '), this pre-escaped value is then passed both as the connection database and as a bound parameter to the information_schema queries. The lookup targets the escaped spelling instead of the actual schema, so all of the new object list/detail APIs return empty data or connection errors for valid schema names; pass the raw db_name to parameterized calls and only escape when interpolating into SQL text.
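The two comments about keeping object and database names raw describe the same failure, reproduced here as an added example that is not part of this pull request. It assumes a string-literal escaper that backslash-escapes quotes (the project's escape_string may differ) and uses an in-memory SQLite table as a constructed stand-in for information_schema.ROUTINES.

```python
import sqlite3

def escape_string(value):
    """Stand-in for a driver's string-literal escaper (assumed behaviour)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def quote_identifier(name):
    """MySQL identifier quoting: wrap in backticks, double embedded ones."""
    return "`" + name.replace("`", "``") + "`"

def build_catalog():
    """Constructed stand-in for information_schema.ROUTINES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE routines (routine_schema TEXT, routine_name TEXT)")
    conn.executemany(
        "INSERT INTO routines VALUES (?, ?)",
        [("shop", "calc_total"), ("shop", "bob's_proc"), ("o'brien", "sync")],
    )
    return conn

def find_routines(conn, db_name, obj_name):
    """Parameterized lookup: the driver binds values, no escaping needed."""
    sql = ("SELECT routine_name FROM routines "
           "WHERE routine_schema = :db_name AND routine_name = :obj_name")
    rows = conn.execute(sql, {"db_name": db_name, "obj_name": obj_name})
    return [r[0] for r in rows]

def show_create_sql(obj_name):
    """An identifier cannot be bound, so quote the raw name here and only here."""
    return f"SHOW CREATE PROCEDURE {quote_identifier(obj_name)};"

def compare(db_name, obj_name):
    """Return (hits with pre-escaped values, hits with raw values)."""
    conn = build_catalog()
    escaped = find_routines(conn, escape_string(db_name), escape_string(obj_name))
    raw = find_routines(conn, db_name, obj_name)
    return escaped, raw

if __name__ == "__main__":
    print(compare("shop", "bob's_proc"))
    print(compare("o'brien", "sync"))
    print(show_create_sql("odd`name"))
```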
This reverts commit 876ef99.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c8eaedeaac
| var jumpBoxStr = '<a href="#cap-' + k + '" style="margin-left:0.4em;"><strong>' + k + '</strong></a>'; | ||
| $('#jumpbox').append(jumpBoxStr); | ||
| $('#indexTable').append('<tr class="cap" id="cap-' + k + '">' + | ||
| '<td></td>' + |
Escape group key before rendering jump links
The first-character bucket key k is interpolated directly into href, id, and HTML text, so object names that start with special identifier characters (for example " in quoted MySQL identifiers) can break the generated markup and prevent navigation/rendering, and in browser parsing edge cases can become an injection primitive. This path is new for view/trigger/routine/event lists, so the dictionary page can fail for valid object names unless k is escaped (or rendered with DOM APIs/text nodes).
| _create = self.query(db_name, f"SHOW CREATE PROCEDURE `{proc_name}`;") | ||
| create_sql = _create.rows |
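Review bot: The f-string on the SHOW CREATE PROCEDURE line places proc_name between backticks with no visible handling of a backtick inside the name. MySQL permits backticks in quoted identifiers, so such a name ends the quoting early and the remainder is parsed as SQL text. Double any embedded backtick before interpolating, and do it in one identifier-quoting helper shared by all the SHOW CREATE calls.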
Surface SHOW CREATE failures in detail responses
query() stores SQL failures in ResultSet.error instead of raising, but the new detail methods ignore that field and always return success payloads with create_sql rows (often empty). For accounts that can list routines/events but lack SHOW_ROUTINE/EVENT visibility, SHOW CREATE ... can return NULL/error and the API still responds with status 0, causing silently incorrect detail modals instead of an actionable authorization error.
| _create = self.query(db_name, f"SHOW CREATE PROCEDURE `{proc_name}`;") | ||
| create_sql = _create.rows |
Surface SHOW CREATE failures in detail responses
query() stores SQL failures in ResultSet.error instead of raising, but the new detail methods ignore that field and always return success payloads with create_sql rows (often empty). For accounts that can list routines/events but lack SHOW_ROUTINE/EVENT visibility, SHOW CREATE ... can fail (or return inaccessible definitions) and the API still responds with status 0, causing silently incorrect detail modals instead of an actionable authorization error.
| result = self.query(db_name=db_name, sql=sql, parameters={"db_name": db_name}) | ||
| for row in result.rows: | ||
| view_name = row[0] |
Propagate metadata query errors from object list APIs
The new list paths treat self.query(...) as successful even when it returns ResultSet.error (for example when the connected account lacks metadata privileges such as SHOW VIEW/trigger visibility). Because result.error is never checked, these endpoints return status 0 with empty groups, which is indistinguishable from “no objects exist” and breaks troubleshooting/permission diagnosis for users.
#2173
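Relational databases generally have views, triggers, stored procedures, functions, scheduled tasks, and so on. The related common methods have now been added to the engine, and the corresponding implementation logic has been added to the MySQL engine.
After a database is selected, a filter bar has been added; tables are shown by default.
So far only the MySQL implementation has been added.
The export logic is the same as before: only table-related information is exported. Export is not implemented for the newly added stored procedures and the other new object types.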