Prevent TypeError when bytes passed to cursor.execute with debug middleware #1303
+2
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Just following up on this - do I need to do anything to move this into review? I can add tests but wanted to confirm that this wouldn't be a wontfix before doing so. |
|
@bpartridge Hello, sorry it took so long, we are revisiting this now, can you add tests please? |
mahdyhamad
requested changes
Apr 16, 2023
There was a problem hiding this comment.
Thank you, @bpartridge
Please rebase your branch and make sure all tests pass
|
Hi all, sorry I missed the comments from April here. I'll rebase this branch on main and add unit tests this week! |
…ware If DjangoDebugMiddleware is installed, calling `cursor.execute(b)` where b is a `bytes` object causes the recording (and thus the entire database call) to throw a TypeError due to https://github.com/graphql-python/graphene-django/blob/775644b5369bdc5fbb45d3535ae391a069ebf9d4/graphene_django/debug/sql/tracking.py#L126 : ``` "is_select": sql.lower().strip().startswith("select"), ``` Calling execute with a bytes parameter, to my knowledge, is not currently done within the high-level abstractions in the Django ORM, but is very much supported by psycopg2, as evidenced by the use in psycopg2's own `execute_values` in https://github.com/psycopg/psycopg2/blob/2_9_3/lib/extras.py#L1270 : ``` cur.execute(b''.join(parts)) ``` This fix ensures that the sql parameter is safely decoded before scanning whether it begins with SELECT; since this is the only usage, the change is trivial. The only workaround if code calls execute_values is to disable the DjangoDebugMiddleware altogether, which is far from ideal.
bpartridge
force-pushed
the
debug-middleware-sql-bytes
branch
from
6210273 to
7365ee3
Compare
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If DjangoDebugMiddleware is installed, calling
cursor.execute(b)where b is abytesobject causes the recording (and thus the entire database call) to throw a TypeError due tographene-django/graphene_django/debug/sql/tracking.py
Line 126 in 775644b
Calling execute with a bytes parameter, to my knowledge, is not currently done within the high-level abstractions in the Django ORM, but is very much supported by psycopg2, as evidenced by the use in psycopg2's own
execute_valuesin https://github.com/psycopg/psycopg2/blob/2_9_3/lib/extras.py#L1270 which codebases may use when bypassing the ORM:This fix ensures that the sql parameter is safely decoded before scanning whether it begins with SELECT; since this is the only usage, the change is trivial.
The only workaround if code calls execute_values is to disable the DjangoDebugMiddleware altogether, which is far from ideal.