Release - Export functionality, SQLite non-strict handling, support for the enterprise module #575
Bumps [github.com/ClickHouse/clickhouse-go/v2](https://github.com/ClickHouse/clickhouse-go) from 2.34.0 to 2.36.0.
- [Release notes](https://github.com/ClickHouse/clickhouse-go/releases)
- [Changelog](https://github.com/ClickHouse/clickhouse-go/blob/main/CHANGELOG.md)
- [Commits](ClickHouse/clickhouse-go@v2.34.0...v2.36.0)
---
updated-dependencies:
- dependency-name: github.com/ClickHouse/clickhouse-go/v2
  dependency-version: 2.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>

Bumps the npm_and_yarn group in /frontend with 1 update: [brace-expansion](https://github.com/juliangruber/brace-expansion).
Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)
---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
...
Signed-off-by: dependabot[bot] <[email protected]>

- Wrap identifiers in double quotes in EscapeSpecificIdentifier
- Use proper escaping for table names in COUNT queries
- Escape table and column names in CREATE TABLE statements
- Fixes "near '-': syntax error" with Chinese characters and special chars

Fixes #502

Co-authored-by: Anguel <[email protected]>

- Add full keyboard navigation to dropdown component (Enter, Space, Arrow keys, Escape)
- Implement proper ARIA attributes (aria-expanded, aria-haspopup, aria-labelledby)
- Add focus management and visual focus indicators
- Fix button components with proper aria-labels for screen readers
- Associate labels with inputs using htmlFor attributes
- Add keyboard support for password show/hide toggles
- Make sidebar hover-only interactions keyboard accessible
- Add semantic nav elements with proper ARIA roles
- Convert table pagination divs to accessible buttons
- Add keyboard support and ARIA labels for pagination

Fixes #357

Co-authored-by: Anguel <[email protected]>

- Add ariaLabel prop to IActionButtonProps interface
- Update ActionButton component to accept and use ariaLabel prop
- Maintain backwards compatibility with default fallback
- Fixes hardcoded "Action button" aria-label issue reported by jazzberry

Co-authored-by: Anguel <[email protected]>

…ar, and table components
- Fix dropdown focus loss on blur by adding proper blur/focus handlers with timeout management
- Fix sidebar submenu focus management by improving timeout handling and escape key behavior
- Add focus management to table pagination after page changes - focus returns to current/available page button

Addresses jazzberry AI accessibility report issues:
- Dropdown focus loss on blur (Medium severity)
- Sidebar submenu focus management issue (Medium severity)
- Table Pagination focus management after page change (Low severity)

Co-authored-by: Anguel <[email protected]>

…agement
- Change main dropdown items from tabIndex={-1} to dynamic tabIndex based on focus state
- Update default item and no-items section to tabIndex={0} for proper keyboard event handling
- Ensures focused dropdown items can receive Enter/Space keydown events for selection
- Fixes issue where keyboard navigation worked but selection didn't

Co-authored-by: Anguel <[email protected]>
fix: improve accessibility across frontend components
Bumps [github.com/vektah/gqlparser/v2](https://github.com/vektah/gqlparser) from 2.5.27 to 2.5.28.
- [Release notes](https://github.com/vektah/gqlparser/releases)
- [Commits](vektah/gqlparser@v2.5.27...v2.5.28)
---
updated-dependencies:
- dependency-name: github.com/vektah/gqlparser/v2
  dependency-version: 2.5.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>

… + postgres since they're not using connection urls

…lidation
- Replace improper backslash escaping with PostgreSQL libpq standard (double single quotes, double backslashes)
- Add comprehensive validation for connection parameters to prevent injection attacks
- Validate against null bytes and dangerous control characters
- Fix extra options handling in gorm plugin to avoid URL escaping for PostgreSQL
- Add parameter key validation for extra options
- Ensure all connection parameters (hostname, username, password, database) are properly escaped and validated

Follows PostgreSQL libpq connection string standards for security and compatibility.

Co-authored-by: Anguel <[email protected]>

- Fix escapeConnectionParam to escape single quotes before backslashes
- Prevents security vulnerability identified by jazzberry-ai
- Ensures proper PostgreSQL libpq connection string escaping

Co-authored-by: Anguel <[email protected]>
fix: Add proper identifier quoting for SQLite3 non-English characters
….com/vektah/gqlparser/v2-2.5.28 build(deps): bump github.com/vektah/gqlparser/v2 from 2.5.27 to 2.5.28 in /core
…npm_and_yarn-6ea9762674 build(deps): bump brace-expansion from 1.1.11 to 1.1.12 in /frontend in the npm_and_yarn group
Bumps [gorm.io/driver/clickhouse](https://github.com/go-gorm/clickhouse) from 0.6.1 to 0.7.0.
- [Commits](go-gorm/clickhouse@v0.6.1...v0.7.0)
---
updated-dependencies:
- dependency-name: gorm.io/driver/clickhouse
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>

…ation
- Fix insecure TLS configuration: only enable TLS when SSLMode is not "none" or "disable"
- Fix missing ReadOnly enforcement: set ClickHouse "readonly" setting when ReadOnly="enable"
- Ensure InsecureSkipVerify is only used for "relaxed" mode, not for "none"

Co-authored-by: Anguel <[email protected]>
….com/ClickHouse/clickhouse-go/v2-2.36.0 build(deps): bump github.com/ClickHouse/clickhouse-go/v2 from 2.34.0 to 2.36.0 in /core
…o/driver/clickhouse-0.7.0 build(deps): bump gorm.io/driver/clickhouse from 0.6.1 to 0.7.0 in /core
Replace vulnerable URL format DSN construction with secure key-value format.

The previous implementation using url.QueryEscape with string concatenation allowed injection of DSN parameters through database names and other fields.

Security improvements:
- Use key-value DSN format ("host=... user=... dbname=...") instead of URL format
- Add parameter validation for extra options to prevent arbitrary DSN injection
- Remove manual string concatenation that enabled parameter injection
- Follow the same secure pattern as MySQL plugin implementation

Fixes critical SQL injection vulnerability where malicious database names like "mydb;sslmode=disable" could bypass security settings.

Co-authored-by: Anguel <[email protected]>

Reverted PostgreSQL connection from key-value DSN format back to URL format as requested.

Changes include:
- Use postgresql:// URL scheme instead of key-value DSN
- Maintain url.QueryEscape for basic parameter escaping
- Handle ExtraOptions via url.Values encoding
- Remove isValidPostgresParam validation function

Co-authored-by: Anguel <[email protected]>

Replace vulnerable fmt.Sprintf DSN construction with Go's url.URL struct to prevent parameter injection attacks through malicious database names.
- Use url.URL struct for proper component-specific escaping
- Replace url.QueryEscape with appropriate URL component encoding
- Maintain postgresql:// URL format as required
- Prevent injection of connection parameters like ;sslmode=disable

Fixes reported SQL injection vulnerability where crafted database names could inject arbitrary PostgreSQL connection parameters.

Co-authored-by: Anguel <[email protected]>

Addresses PostgreSQL hostname injection vulnerability where malicious hostnames containing URL-reserved characters like '@' could inject connection parameters.

Added validateHostname() function to reject hostnames with URL-reserved characters before URL construction.

Attack vector blocked: evil.com:[email protected]

Co-authored-by: Anguel <[email protected]>

Add validateDatabase() function to prevent URL-encoded forward slashes and path traversal patterns in database names. This blocks the reported attack vector %2f..%2f..%2f and other similar injection attempts.

Security improvements:
- Block URL-encoded forward slashes (%2f, %2F)
- Block literal path traversal patterns (../, ..\)
- Block other problematic URL-encoded characters
- Maintain postgresql:// URL format as required

Co-authored-by: Anguel <[email protected]>

Add validation for Windows-specific path traversal patterns (`./` and `.\`) to prevent directory traversal attacks on Windows systems. This addresses the security vulnerability where database names could contain current directory references to access unauthorized paths.

Co-authored-by: Anguel <[email protected]>

Add validation to reject database names containing backtick characters which could be used for SQL injection attacks in PostgreSQL connections.

Co-authored-by: Anguel <[email protected]>

- Enhanced validateDatabase function to handle path separator variations
- Added validation for ..// and .// patterns that could bypass security
- Path normalization prevents attacks using double forward slashes
- Maintains all existing path traversal protections

Co-authored-by: Anguel <[email protected]>
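The commits above describe one hardening pattern for the PostgreSQL plugin: build the `postgresql://` DSN from a `url.URL` so each value is escaped for the component it lands in, encode extra options through `url.Values`, and reject hostnames and database names that carry URL-reserved or path-traversal sequences before the URL is assembled. The Go below is an added example of that pattern and is not WhoDB's code. The names `validateHostname` and `validateDatabase` come from the commit messages; `buildPostgresDSN`, `paramKeyRe`, the concrete forbidden-sequence list and the sample inputs are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Added example, not WhoDB's code. The checks below follow the pattern described in
// the commit messages; the exact allow-lists and deny-lists are assumptions.

// paramKeyRe is an assumed allow-list for extra option keys (libpq keywords such as
// sslmode or connect_timeout are lowercase words).
var paramKeyRe = regexp.MustCompile(`^[a-z][a-z0-9_]*$`)

// validateHostname rejects hostnames carrying characters that would re-delimit the
// URL authority section: with an '@' inside the host, everything before it would be
// parsed as userinfo and the real host would be attacker-controlled.
func validateHostname(host string) error {
	if host == "" {
		return errors.New("hostname must not be empty")
	}
	if strings.ContainsAny(host, "@/?#\\ \t\r\n\x00") {
		return fmt.Errorf("hostname %q contains URL-reserved characters", host)
	}
	return nil
}

// validateDatabase rejects names containing encoded slashes, path traversal fragments,
// double slashes, backticks or NUL, mirroring the checks listed in the commits.
func validateDatabase(db string) error {
	if db == "" {
		return errors.New("database name must not be empty")
	}
	lower := strings.ToLower(db) // catches %2f and %2F alike
	for _, seq := range []string{"%2f", "../", "..\\", "./", ".\\", "//", "`", "\x00"} {
		if strings.Contains(lower, seq) {
			return fmt.Errorf("database name %q contains forbidden sequence %q", db, seq)
		}
	}
	return nil
}

// buildPostgresDSN assembles the connection URL component by component with url.URL,
// so a value is only ever escaped for its own component and cannot add parameters.
// Extra options are encoded with url.Values after their keys pass the allow-list.
func buildPostgresDSN(host, port, user, password, dbname string, extra map[string]string) (string, error) {
	if err := validateHostname(host); err != nil {
		return "", err
	}
	if err := validateDatabase(dbname); err != nil {
		return "", err
	}
	q := url.Values{}
	for k, v := range extra {
		if !paramKeyRe.MatchString(k) {
			return "", fmt.Errorf("invalid extra option key %q", k)
		}
		q.Set(k, v)
	}
	u := url.URL{
		Scheme:   "postgresql",
		User:     url.UserPassword(user, password), // '@', '/', '?', '#' get percent-encoded
		Host:     net.JoinHostPort(host, port),
		Path:     "/" + dbname, // a '?' in the name is escaped, so it cannot start a query
		RawQuery: q.Encode(),
	}
	return u.String(), nil
}

func main() {
	// Constructed sample: a database name that tries to smuggle sslmode=disable stays
	// inside the path component; the real sslmode comes only from the extra options.
	dsn, err := buildPostgresDSN("db.internal", "5432", "app", "s3cret",
		"mydb;sslmode=disable", map[string]string{"sslmode": "require"})
	fmt.Println(dsn, err)

	// Constructed sample: a hostname with '@' is refused before any URL is built.
	_, err = buildPostgresDSN("evil.com:5432@victim", "5432", "app", "s3cret", "mydb", nil)
	fmt.Println("hostname rejected:", err)
}
```

The deny-list in `validateDatabase` is deliberately strict rather than clever: a database name that needs `/`, `%2f` or a backtick is far rarer than an attempt to abuse them, so refusing the connection outright is the safer failure mode.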
- Fixed CodeQL warnings about potentially unsafe quoting
- Replaced fmt.Sprintf in all log statements with structured fields
- Prevents single quotes in values from breaking log formatting
- Follows best practices for logging user-provided data

Co-authored-by: Anguel <[email protected]>
…' into enhanced_logging_and_mod_updates
eeEnhanced logging and mod updates
Bug Report
…r as it breaks their delete
feat(frontend): fix up authentication issue and sidebar hide schema for non support dbs and fix update
…ema issue and breadcrumbs nits
✨ Improvements
- Export functionality for SQL databases, Elasticsearch, and MongoDB
- Backend sorting capability for the table headers
- New UI and UX
- Mock data generation

🐛 Bug Fixes
- SQLite handling for non-strict tables
- Support for the WhoDB Enterprise module
- Table refresh issue
- Scrolling bug
- Dependabot updates
Thank you to everyone who contributed to this release! 🚀
Your feedback and support are invaluable.