Skip to content

Feature/tasks architectural refactoring #283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MOHITKOURAV01 wants to merge 8 commits into
base: main
Choose a base branch
from
+51 −19
Open

Feature/tasks architectural refactoring #283

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8dc0b56
security: implement SQL parameterization and table whitelisting in da…
MOHITKOURAV01 Mar 20, 2026
83abbf5
Architectural refactoring: Move list_datasets logic to database layer…
MOHITKOURAV01 Mar 20, 2026
193a0dd
Address review feedback: Hoist allowed_tables, refactor quality_claus…
MOHITKOURAV01 Mar 20, 2026
567f15c
Fix SQLAlchemy ArgumentError: conditionally bind data_ids
MOHITKOURAV01 Mar 20, 2026
7d8d391
Architectural refactoring: Move task template lookup logic to databas…
MOHITKOURAV01 Mar 21, 2026
2054eb7
Address final review feedback: implement PK mapping and validation gu…
MOHITKOURAV01 Mar 21, 2026
db9b7fb
Address final CodeRabbit review: fix list_datasets signature, expansi…
MOHITKOURAV01 Mar 22, 2026
778faa8
Revert dataset list sanitation and keep lookup table checks as reques…
MOHITKOURAV01 Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 26 additions & 1 deletion src/database/tasks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,15 @@
from collections.abc import Sequence
from typing import cast

from sqlalchemy import Row, text
from sqlalchemy import Row, RowMapping, text
from sqlalchemy.ext.asyncio import AsyncConnection

ALLOWED_LOOKUP_TABLES = ["estimation_procedure", "evaluation_measure", "task_type", "dataset"]
Copy link
Copy Markdown
Contributor

@PGijsbers PGijsbers Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How did you determine which tables to allow? It's been a little while since I've looked at this code so correct me if I am wrong, but based on the docstring of fill_template it seems that LOOKUP statements always must reference a table that is a input in task_inputs.

PK_MAPPING = {
"task_type": "ttid",
"dataset": "did",
}


async def get(id_: int, expdb: AsyncConnection) -> Row | None:
row = await expdb.execute(
Expand Down Expand Up @@ -115,3 +121,22 @@ async def get_tags(id_: int, expdb: AsyncConnection) -> list[str]:
)
tag_rows = rows.all()
return [row.tag for row in tag_rows]


async def get_lookup_data(table: str, id_: int, expdb: AsyncConnection) -> RowMapping | None:
if table not in ALLOWED_LOOKUP_TABLES:
msg = f"Table {table} is not allowed for lookup."
raise ValueError(msg)

pk = PK_MAPPING.get(table, "id")
result = await expdb.execute(
text(
f"""
SELECT *
FROM {table}
WHERE `{pk}` = :id_
""", # noqa: S608
),
parameters={"id_": id_},
)
return result.mappings().one_or_none()
43 changes: 25 additions & 18 deletions src/routers/openml/tasks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
from typing import Annotated, cast

import xmltodict
from fastapi import APIRouter, Depends
from sqlalchemy import RowMapping, text
from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy import RowMapping
from sqlalchemy.ext.asyncio import AsyncConnection

import config
Expand All @@ -17,6 +17,7 @@
router = APIRouter(prefix="/tasks", tags=["tasks"])

type JSON = dict[str, "JSON"] | list["JSON"] | str | int | float | bool | None
ALLOWED_LOOKUP_TABLES = {"estimation_procedure", "evaluation_measure", "task_type", "dataset"}
Copy link
Copy Markdown
Contributor

@PGijsbers PGijsbers Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ALLOWED_LOOKUP_TABLES = {"estimation_procedure", "evaluation_measure", "task_type", "dataset"}

This variable does not seem to be used.



def convert_template_xml_to_json(xml_template: str) -> dict[str, JSON]:
Expand Down Expand Up @@ -95,7 +96,7 @@ async def fill_template(
)


async def _fill_json_template( # noqa: C901
async def _fill_json_template( # noqa: C901, PLR0912
template: JSON,
task: RowMapping,
task_inputs: dict[str, str | int],
Expand Down Expand Up @@ -128,23 +129,29 @@ async def _fill_json_template( # noqa: C901
(field,) = match.groups()
if field not in fetched_data:
table, _ = field.split(".")
result = await connection.execute(
text(
f"""
SELECT *
FROM {table}
WHERE `id` = :id_
""", # noqa: S608
),
# Not sure how parametrize table names, as the parametrization adds
# quotes which is not legal.
parameters={"id_": int(task_inputs[table])},
)
rows = result.mappings()
row_data = next(rows, None)
# List of tables allowed for [LOOKUP:table.column] directive.
# This is a security measure to prevent SQL injection via table names.
if table not in task_inputs or not task_inputs[table]:
msg = f"Missing or empty input for lookup table: {table}"
raise HTTPException(status_code=400, detail=msg)

try:
id_val = int(task_inputs[table])
except ValueError:
msg = f"Invalid integer id for table {table}: {task_inputs[table]}"
raise HTTPException(status_code=400, detail=msg) from None

try:
row_data = await database.tasks.get_lookup_data(
table=table,
id_=id_val,
expdb=connection,
)
except ValueError as e:
raise HTTPException(status_code=400, detail=str(e)) from e
if row_data is None:
msg = f"No data found for table {table} with id {task_inputs[table]}"
raise ValueError(msg)
raise HTTPException(status_code=400, detail=msg)
for column, value in row_data.items():
fetched_data[f"{table}.{column}"] = value
if match.string == template:
Expand Down