* display correct error message when attempting to disable yourself
* 403 (Forbidden) feels like a better status code than 400 (Bad Request)
* fix broken test
* remove redundant error title
* add SQLQuery class with tests for safe queries and non-safe tautology attacks
* add test for union query injections
* split .apply calls to newline
* add tests for comment attacks
* remove double underscore
* extract complex children check to variable
* inherit from object because I'm not a lamer
Co-Authored-By: rauchy <omer@rauchy.net>
* simplify cognitive complexity
* check that additional columns are not injected
* detect appended queries
* inline .apply calls
* move SQLQuery to its own module
* move SQLQuery tests to their own module
* serialize SQLQuery instances
* raise an exception when attempting to serialize an unsafe query
* queries without parameters are safe
* remove redundant parentheses
* use cached properties
* rename SQLInjectionException to SQLInjectionError
* support multiple word params and param negations
* refactor out methods that don't involve any state
* don't cache text()
* reduce cognitive complexity
* Fix tag counts for dashboards to be distinct.
This also makes use of the Dashboard.all base query.
Fix #3108.
* Use Query.all_queries as the base query for Query.all_tags.
* Add test case for Dashboard.all_tags.
* avoid Query's updated_at from changing when it is linked to new query results
* move comment to previous line
* move QueryResult tests to their own module
* add test which verifies that updated_at is not changed on query data updates
* tests were false positives - they compared HH:MM:SS, but that never changed because the original time was 1 week behind.
* remove redundant constructor
* remove hack and use a proper event to prevent updated_at from changing
* use self.assertEqual instead of assert
* Prevent open redirection attack
* Add redirection url after logging in test
* Sanitize url just before redirecting it
* Consider when next parameter is None
* Consistently use simplejson for loading and dumping JSON.
This introduces the new functions redash.utils.json_dumps and redash.utils.json_loads and simplifies the custom encoder setup.
UUIDs are now handled by the default encoder, too.
Fixes #2807.
Use string comparison in parse_boolean instead of the (simple)json module.