Advanced SQL Analytics Framework #2

Closed
ShashankFC wants to merge 1 commit into data-analysis-features from advanced-sql-analytics
@ShashankFC ShashankFC commented Feb 13, 2026

User description

Test 9

Summary by CodeRabbit

  • New Features

    • SQL expressions support infrastructure prepared with feature flag controls (currently disabled).
  • Chores

    • Removed unused transitive dependencies.
    • Migrated database operations to internal implementation.

*Replicated from [ai-code-review-evaluation/grafana-coderabbit#9](https://github.com/ai-code-review-evaluation/grafana-coderabbit/pull/9)*

CodeAnt-AI Description

Disable SQL expressions to block unsafe SQL execution and remove embedded SQL runtime

What Changed

  • Using a SQL expression in queries now returns an error and will not run (SQL expressions are disabled).
  • Backend SQL execution now uses a stub in-memory DB that returns "not implemented" errors instead of executing user SQL; SQL query attempts produce a clear failure.
  • The previous embedded SQL runtime dependency was removed from module files so the SQL execution path is no longer available.

Impact

✅ Blocked execution of arbitrary SQL expressions
✅ Clearer failure when a SQL expression is used
✅ Reduced runtime attack surface by removing the embedded SQL dependency

… vulnerability (#94942)

* disable sql expressions

remove duckdb ref

* Run `make update-workspace`

---------

Co-authored-by: Scott Lepper <scott.lepper@gmail.com>
@ShashankFC

Author

@CodeAnt-AI: review

@codeant-ai

codeant-ai Bot commented Feb 13, 2026

CodeAnt AI is running the review.

@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Feb 13, 2026
@codeant-ai

codeant-ai Bot commented Feb 13, 2026

Sequence Diagram

The PR disables server-side SQL expressions and replaces the embedded DuckDB runtime with an internal in-memory DB stub that returns "not implemented". The diagram shows how SQL expression queries are blocked at parsing/feature-check and, if allowed, would hit the stub DB which returns a not-implemented error.

```mermaid
sequenceDiagram
    participant Client
    participant ExpressionReader
    participant SQLCommand
    participant InMemoryDB

    Client->>ExpressionReader: Send query (QueryTypeSQL)
    ExpressionReader->>ExpressionReader: Check feature flag for SQL expressions

    alt Flag disabled
        ExpressionReader-->>Client: Error "sqlExpressions is not implemented"
    else Flag enabled
        ExpressionReader->>SQLCommand: Create SQL command with expression
        SQLCommand->>InMemoryDB: QueryFramesInto(frames, query)
        InMemoryDB-->>SQLCommand: Error "not implemented"
        SQLCommand-->>Client: Return error (SQL execution failed)
    end
```

Generated by CodeAnt AI

Comment thread pkg/expr/reader.go
Comment on lines +195 to +199
enabled := !h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
if enabled {
return false
}
return false
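
Review bot: Every path through these lines returns false, so the `IsEnabledGlobally(featuremgmt.FlagSqlExpressions)` read and the `if enabled` branch are dead code, and the negated value stored in `enabled` reads like a mistake rather than a decision. If the commit's intent is a hard disable of SQL expressions regardless of the toggle, reduce the body to a single `return false` with a comment giving the reason, so a later cleanup does not "correct" the negation and silently re-enable the path; if the toggle is meant to work, return its value directly.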

Suggestion: The helper that checks the SQL expressions feature flag always returns false due to inverted logic, so the SQL query branch in the reader will always return an error even when the sqlExpressions feature toggle is enabled, effectively making the feature flag non-functional; it should instead return the actual value of the toggle so the feature can be enabled when desired. [logic error]

Severity Level: Major ⚠️
- ❌ Query service `parseRequest` fails for `type: "sql"` expressions.
- ❌ Expression reader rejects SQL expressions despite feature flag enabled.
- ⚠️ Developers cannot test experimental SQL expressions end-to-end.
Suggested change
enabled := !h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
if enabled {
return false
}
return false
return h.features.IsEnabledGlobally(featuremgmt.FlagSqlExpressions)
Steps of Reproduction ✅
1. Start Grafana with this PR code and enable the feature flags `queryService` and
`sqlExpressions` via `featuremgmt.FeatureToggles` so that the query API and SQL
expressions are intended to be active (flags defined in
`pkg/services/featuremgmt/toggles_gen.go:414-416` and `582-584`).

2. The query API builder in `pkg/registry/apis/query/register.go:49-88` constructs an
`expr.ExpressionQueryReader` using `NewExpressionQueryReader(features)` and passes it into
`newQueryParser` in `pkg/registry/apis/query/parser.go:53`, so all expression queries
handled by the query service go through this reader.

3. Send a `QueryDataRequest` to the query service (storage key `"query"` registered in
`register.go:153-155`) containing a query whose datasource UID is the expressions
datasource (`expr.IsDataSource(ds.UID)` check in `parser.go:88-90`) and whose `type` field
is `"sql"` (mapped to `QueryTypeSQL` in `pkg/expr/query.go:31`), causing
`queryParser.parseRequest` at `parser.go:88-103` to call `p.reader.ReadQuery(q, iter)`.

4. Inside `ExpressionQueryReader.ReadQuery` (`pkg/expr/reader.go:45-58`), the switch on
`eq.QueryType` reaches `case QueryTypeSQL` at `reader.go:128-138`, calls `enabled :=
enableSqlExpressions(h)` (`reader.go:129`), and then immediately hits `if !enabled {
return eq, fmt.Errorf("sqlExpressions is not implemented") }` (`reader.go:130-131`),
because `enableSqlExpressions` at `reader.go:194-200` always returns `false` regardless of
the `FlagSqlExpressions` toggle value, so the SQL expression is never parsed and the API
call fails even with the feature flag enabled.
@codeant-ai

codeant-ai Bot commented Feb 13, 2026

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • Potential panic
    After unmarshalling the JSON into ast := []map[string]any{}, the code accesses ast[0] without checking that the slice is non-empty. If the result is an empty slice the code will panic.

  • Feature-flag bug
    The new helper enableSqlExpressions is implemented in a way that always returns false, preventing SQL expressions from ever being enabled. This makes the SQL code path unreachable and is likely not intended.

  • Not implemented
    The in-memory DB (NewInMemoryDB) methods (RunCommands, QueryFramesInto, TablesList) all return "not implemented" errors. Any runtime call that relies on these will get an immediate error; SQL-related features will be non-functional until these are implemented or replaced by an injected implementation.

  • Unknown / small modules
    Modules from smaller or less-known authors were added (e.g. overflow). Verify provenance, maintainership and that the specific pseudo-version is intended. Confirm the module sources (commit) and that checksums match trustworthy upstream.

  • Sensitive logging
    The code logs the raw SQL (rawSQL) and the constructed command (cmd) on errors. If SQL contains sensitive literals or PII, these logs could expose them; consider redaction or avoiding logging full SQL strings.
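
The "Potential panic" and "Sensitive logging" points above, as an added Go example that is not code from this pull request or from Grafana: `firstNode` and `redactSQL` are hypothetical helpers, the regex redaction is a deliberate simplification (it does not handle SQL comments or quoted identifiers), and the sample inputs are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// sqlLiteral matches single-quoted string literals ('' is an escaped quote)
// and bare numeric literals. Hypothetical pattern, not taken from the PR.
var sqlLiteral = regexp.MustCompile(`'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b`)

// redactSQL replaces literal values with "?" so the shape of a statement
// can be logged on error without the values it carried.
func redactSQL(rawSQL string) string {
	return sqlLiteral.ReplaceAllString(rawSQL, "?")
}

// firstNode decodes a JSON array of objects and returns element 0.
// An empty or null array yields an error instead of an index panic.
func firstNode(data []byte) (map[string]any, error) {
	ast := []map[string]any{}
	if err := json.Unmarshal(data, &ast); err != nil {
		return nil, fmt.Errorf("decode ast: %w", err)
	}
	if len(ast) == 0 {
		return nil, errors.New("decode ast: empty result")
	}
	return ast[0], nil
}

func main() {
	// Constructed sample statement containing values that should not reach logs.
	raw := "SELECT * FROM A WHERE email = 'bob@example.com' AND id = 42"
	fmt.Println("query failed:", redactSQL(raw))

	// Constructed empty parser output: handled as an error, not a panic.
	if _, err := firstNode([]byte(`[]`)); err != nil {
		fmt.Println("handled:", err)
	}
}
```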

@codeant-ai

codeant-ai Bot commented Feb 13, 2026

CodeAnt AI finished running the review.

@github-actions

Contributor

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 2 weeks if no further activity occurs. Please feel free to give a status update or ping for review. Thank you for your contributions!

@github-actions github-actions Bot added the stale label Mar 16, 2026
@github-actions

Contributor

This pull request has been automatically closed because it has not had any further activity in the last 2 weeks. Thank you for your contributions!

@github-actions github-actions Bot closed this Mar 30, 2026