⚓ T318845 Disallow passing raw subqueries to IDatabase::tableName
Page MenuHomePhabricator
Create Task
Maniphest T318845

Disallow passing raw subqueries to IDatabase::tableName
Closed, ResolvedPublic
Actions

Description

This has been instrumented with a warning for a number of years and is generally considered an anti-pattern.

The good news is that this isn't actually a pattern we've had to move away from, it was just never really a thing in recent history.

Despite that, we have seen in two cases in recent years that changes to code accidentally resulted in this indirectly happening and we missed it for a while because it isn't enforced.

In T314189#8216809, @Ladsgroup wrote:

We are getting 1.3M/day warnings for bad use of table name in building queries in RC.

It's probably something […] turned on this week but this needs fixing.

This was caused by:

SpecialRecentChangesLinked: Pass query builder instead of SQL

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/825078

And fixed in:

In T314189#8237478, @gerritbot wrote:

Change 831082 merged by jenkins-bot:

[mediawiki/core@master] rdbms: Allow SubQuery objects in SelectQueryBuilder as table

https://gerrit.wikimedia.org/r/831082

Proposal

Turn the warning into an exception. As suggested by @aaron:

In T191116#8269609, @aaron wrote:

Can this warning become an exception now (or the check removed completely)?

Details

SubjectRepoBranchLines +/-
rdbms: error out when passing raw subqueries to IDatabase::tableName()mediawiki/coremaster+4 -20
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krinkle created this task.Sep 28 2022, 5:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 28 2022, 5:49 PM
Krinkle moved this task from Untriaged to Rdbms library on the MediaWiki-libs-Rdbms board.Sep 28 2022, 5:49 PM
Krinkle mentioned this in T191116: Wikimedia\Rdbms\Database::tableName: use of subqueries is not supported this way..
Krinkle moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.Oct 17 2022, 7:09 PM
Krinkle removed a project: Performance-Team.Aug 11 2023, 7:53 PM
aaron claimed this task.Jan 22 2024, 4:40 PM
aaron added a project: MediaWiki-User-Interface.
aaron edited projects, added MW-Interfaces-Team; removed MediaWiki-User-Interface.
FJoseph-WMF moved this task from Incoming (Needs Triage) to Backlog (Triaged and Ready) on the MW-Interfaces-Team board.Jan 25 2024, 4:26 PM
gerritbot added a comment.Feb 14 2024, 9:26 PM

Change 1003545 had a related patch set uploaded (by Aaron Schulz; author: Aaron Schulz):

[mediawiki/core@master] rdbms: error out when passing raw subqueries to IDatabase::tableName()

https://gerrit.wikimedia.org/r/1003545

gerritbot added a project: Patch-For-Review.Feb 14 2024, 9:26 PM
gerritbot added a comment.Feb 15 2024, 3:24 PM

Change 1003545 merged by jenkins-bot:

[mediawiki/core@master] rdbms: error out when passing raw subqueries to IDatabase::tableName()

https://gerrit.wikimedia.org/r/1003545

Maintenance_bot removed a project: Patch-For-Review.Feb 15 2024, 3:30 PM
ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.19; 2024-02-20).Feb 15 2024, 5:00 PM
aaron closed this task as Resolved.Feb 22 2024, 4:13 PM
BlankEclair mentioned this in T373511: Special:AllComments is incompatible with MediaWiki 1.42.Aug 28 2024, 10:07 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits