Comments (10)
@cbiffle and I were chatting about this before he filed the issue, and I was able to confirm they can (as he was writing it up!). I applied this diff to the Rust plugin demo:
--- a/src/main.rs
+++ b/src/main.rs
@@ -21,7 +21,7 @@ pub fn serialize_codegen_response(resp: &plugin::CodeGenResponse) -> Vec<u8> {
pub fn create_codegen_response() -> plugin::CodeGenResponse {
let mut file = plugin::File::default();
- file.name = "hello.txt".to_string();
+ file.name = "../../../../../../../../../tmp/escaped.txt".to_string();
file.contents = "Hello World".as_bytes().to_vec();
let mut resp = plugin::CodeGenResponse::default();
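Review bot: the `+` line shows that `file.name` is a plugin-controlled string, and the `cat /tmp/escaped.txt` output below confirms the host wrote it wherever the traversal pointed; the fix belongs in the host, not in this demo. Before writing, sqlc should clean the name joined onto the configured out directory, reject absolute names and any remaining leading `..`, and fail with an error such as the "invalid file output path" one shown later in the thread rather than silently writing outside the directory.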
and after running it:
% cat /tmp/escaped.txt
Hello World
from sqlc.
nod Something like "plugins can send commands to sqlc to have files created in the output directory, but can't directly access the filesystem"
Excellent question! As the documentation states, WASM plugins do not have any filesystem access. The output of a plugin is specified in the out parameter. I need to investigate if plugin output can escape that directory using "..".
WASM plugins do not have any filesystem access
It appears that they don't have filesystem access in the WASI sense, but that's a narrower statement. FWIW I also can't work out how to read the filesystem from a plugin, only write it, so that's good.
@jgallagher that looks conclusive to me. I'll get a PR up to fix the behavior. This could be a breaking change, so I'll need to decide if it can write to locations next to and under sqlc.json or the specified out directory.
Are you using sqlc at Oxide?
Assuming this gets fixed, I might suggest rephrasing that statement to "plugins can only write files into their output directory," since "no access to the filesystem" suggests to me that they couldn't, say, deposit malware to it or fill it up -- and to be useful plugins the writing part is important!
Are you using sqlc at Oxide?
Not currently, but John and I both think it's a really neat idea.
Yeah, it's a bit confusing to say that the plugins can write files, as they can't due to the sandbox. sqlc takes the output from the plugin and uses that to write the output files. I'm sure we can figure out some language that makes it clear what's happening.
This doesn't include the necessary tests yet, but I believe #3195 should fix the issue.
Alright, this should be fixed on main. Can you build sqlc from main and confirm your plugin now generates an error?
Confirmed:
% sqlc-dev generate
# package sqlc-gen-rust
error generating code: invalid file output path: /tmp/escaped.txt
Thanks!
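As an added example (not sqlc's code from #3195), here is a host-side check of the kind the thread converges on: the plugin-supplied file name is joined onto the out directory, cleaned, and rejected if the result no longer sits inside that directory. The function name, the `gen` out directory and the sample names are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesOutDir is returned when a plugin-supplied file name would
// resolve outside the configured out directory.
var ErrEscapesOutDir = errors.New("invalid file output path")

// resolveOutputPath joins a plugin-supplied file name onto outDir and returns
// the cleaned path, or an error if the result would leave outDir.
// Hypothetical host-side check; not sqlc's implementation.
func resolveOutputPath(outDir, name string) (string, error) {
	if name == "" {
		return "", fmt.Errorf("%w: empty file name", ErrEscapesOutDir)
	}
	// An absolute name ignores outDir entirely, so reject it up front.
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", fmt.Errorf("%w: %s", ErrEscapesOutDir, name)
	}
	base := filepath.Clean(outDir)
	full := filepath.Join(base, name) // Join also collapses "." and ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", fmt.Errorf("%w: %s", ErrEscapesOutDir, name)
	}
	// After cleaning, a leading ".." means the path climbed out of outDir;
	// "." means the name refers to the directory itself rather than a file.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrEscapesOutDir, full)
	}
	return full, nil
}

func main() {
	// Constructed sample names, including the traversal from the thread.
	names := []string{"hello.txt", "sub/../hello.txt", "sub/../../hello.txt",
		"../../../../../../../../../tmp/escaped.txt", "/tmp/escaped.txt"}
	for _, n := range names {
		if p, err := resolveOutputPath("gen", n); err != nil {
			fmt.Println("error generating code:", err)
		} else {
			fmt.Println("would write:", p)
		}
	}
}
```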