Add query-type whitelist to unified SQL execution path (#5330)

dai-chen · web-flow · commit 3f740fbbfaed · 2026-04-13T10:39:10.000-07:00
Validate parsed SQL statements against Calcite's SqlKind.QUERY set
before planning, rejecting DML (INSERT, DELETE, UPDATE, MERGE) and DDL
statements. This brings the unified path in line with the legacy
grammar's parser-level restriction to read-only queries.

Whitelist: SqlKind.QUERY (SELECT, UNION, INTERSECT, EXCEPT, VALUES,
WITH, ORDER_BY, EXPLICIT_TABLE).

Note: EXPLAIN is also blocked because Calcite's SqlToRelConverter does
not handle SqlExplain in convertQueryRecursive. Supporting EXPLAIN
requires unwrapping the inner query and formatting the plan separately.

Signed-off-by: Chen Dai &lt;daichen@amazon.com&gt;
diff --git a/api/src/main/java/org/opensearch/sql/api/UnifiedQueryPlanner.java b/api/src/main/java/org/opensearch/sql/api/UnifiedQueryPlanner.java
@@ -14,6 +14,7 @@
 import org.apache.calcite.rel.RelRoot;
 import org.apache.calcite.rel.core.Sort;
 import org.apache.calcite.rel.logical.LogicalSort;
+import org.apache.calcite.sql.SqlKind;
 import org.apache.calcite.sql.SqlNode;
 import org.apache.calcite.tools.Frameworks;
 import org.apache.calcite.tools.Planner;
@@ -60,8 +61,7 @@ public UnifiedQueryPlanner(UnifiedQueryContext context) {
   public RelNode plan(String query) {
     try {
       return context.measure(ANALYZE, () -> strategy.plan(query));
-    } catch (SyntaxCheckException e) {
-      // Re-throw syntax error without wrapping
+    } catch (SyntaxCheckException | UnsupportedOperationException e) {
       throw e;
     } catch (Exception e) {
       throw new IllegalStateException("Failed to plan query", e);
@@ -82,6 +82,11 @@ private static class CalciteNativeStrategy implements PlanningStrategy {
     public RelNode plan(String query) throws Exception {
       try (Planner planner = Frameworks.getPlanner(context.getPlanContext().config)) {
         SqlNode parsed = planner.parse(query);
+        if (!parsed.isA(SqlKind.QUERY)) {
+          throw new UnsupportedOperationException(
+              "Only query statements are supported. Got: " + parsed.getKind());
+        }
+
         SqlNode rewritten = parsed.accept(NamedArgRewriter.INSTANCE);
         SqlNode validated = planner.validate(rewritten);
         RelRoot relRoot = planner.rel(validated);
diff --git a/api/src/test/java/org/opensearch/sql/api/UnifiedQueryPlannerSqlTest.java b/api/src/test/java/org/opensearch/sql/api/UnifiedQueryPlannerSqlTest.java
@@ -8,6 +8,7 @@
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
 
+import java.util.List;
 import java.util.Map;
 import org.apache.calcite.schema.Schema;
 import org.apache.calcite.schema.impl.AbstractSchema;
@@ -211,4 +212,50 @@ public void testSqlQueryPlanningWithMultipleCatalogs() {
   public void testInvalidSqlThrowsException() {
     assertThrows(IllegalStateException.class, () -> planner.plan("SELECT FROM"));
   }
+
+  @Test
+  public void testNonQueryStatementsBlockedByWhitelist() {
+    List.of(
+            """
+            INSERT INTO catalog.employees (id, name, age, department)
+            VALUES (99, 'injected', 0, 'hacked')\
+            """,
+            """
+            DELETE FROM catalog.employees
+            WHERE age > 30\
+            """,
+            """
+            UPDATE catalog.employees
+            SET department = 'Fired'
+            WHERE age > 50\
+            """,
+            """
+            EXPLAIN PLAN FOR
+            SELECT * FROM catalog.employees\
+            """,
+            """
+            MERGE INTO catalog.employees AS t
+            USING (SELECT 99 AS id) AS s ON t.id = s.id
+            WHEN MATCHED THEN UPDATE SET name = 'hacked'\
+            """)
+        .forEach(
+            sql ->
+                givenInvalidQuery(sql).assertErrorMessage("Only query statements are supported"));
+  }
+
+  @Test
+  public void testNonQueryStatementsBlockedByParser() {
+    List.of(
+            """
+            CREATE MATERIALIZED VIEW mv AS
+            SELECT department, count(*)
+            FROM catalog.employees
+            GROUP BY department\
+            """,
+            """
+            SHOW TABLES\
+            """)
+        .forEach(
+            sql -> givenInvalidQuery(sql).assertErrorMessage("Incorrect syntax near the keyword"));
+  }
 }
diff --git a/api/src/test/java/org/opensearch/sql/api/UnifiedQueryPlannerTest.java b/api/src/test/java/org/opensearch/sql/api/UnifiedQueryPlannerTest.java
@@ -106,7 +106,7 @@ public void testPPLQueryPlanningWithMultipleCatalogsAndDefaultNamespace() {
     assertNotNull("Plan should be created with multiple catalogs", plan);
   }
 
-  @Test(expected = IllegalStateException.class)
+  @Test(expected = UnsupportedOperationException.class)
   public void testUnsupportedStatementType() {
     planner.plan("explain source = catalog.employees"); // explain statement
   }

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ public void testPPLQueryPlanningWithMultipleCatalogsAndDefaultNamespace() {`
`106`	`106`	`assertNotNull("Plan should be created with multiple catalogs", plan);`
`107`	`107`	`}`
`108`	`108`
`109`		`- @Test(expected = IllegalStateException.class)`
	`109`	`+ @Test(expected = UnsupportedOperationException.class)`
`110`	`110`	`public void testUnsupportedStatementType() {`
`111`	`111`	`planner.plan("explain source = catalog.employees"); // explain statement`
`112`	`112`	`}`