feat: support allowedValues, escape, minValue and maxValue for parameters #1770
Merged
## Description
---
Add a new `allowedValues` field to all parameter types. It can be used as
follows (can be used in the `parameter` field or `templateParameter`
field):
```
parameters:
  - name: tableName
    type: string
    description: table name.
    allowedValues:
      - flights_table
      - tickets_table
```
Here, we introduce new fields as compared to the regular parameters:

| parameter name | type | required | description |
|------------------|-----|---------|-------------|
| allowedValues | []string | true | We will check input value against this. User can either provide a list of allowed values or regex string. |

## PR Checklist
---
> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [x] Make sure you reviewed
[CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [x] Make sure to open an issue as a
[bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose)
before writing your code! That way we can discuss the change, evaluate
designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

🛠️ Fixes #779

Supporting `backticks`, `double-quotes`, `single-quotes`,
`square-brackets` as escaping delimiters.
Example to apply escaping delimiters:
```
parameters:
  - name: airline
    type: string
    description: Airline unique 2 letter identifier
    escape: double-quotes
```
Escaping delimiters can be used for identifiers or string literals. If
`allowedValues` is used, Toolbox will check for allowed values before
applying delimiters.

Supporting `minValue` and `maxValue` for parameters of type `integer`
and `float`.
Example to apply escaping delimiters:
```
parameters:
  - name: price
    type: integer
    description: price of item
    minValue: 1
    maxValue: 50
```
If `allowedValues` is used, Toolbox will check for allowed values
before checking for min and max values.

duwenxin99 approved these changes on Oct 23, 2025

github-actions Bot pushed a commit that referenced this pull request on Oct 23, 2025

…alue` for parameters (#1770)

## Description

To minimize SQL injection risks when using template parameters, it is highly recommended that users utilize the following added fields for parameters.

### Allow user to indicate allowed values via list or regex

Add a new `allowedValues` field to all parameter types. It can be used as follows (can be used in the `parameter` field or `templateParameter` field):

```
templateParameters:
  - name: tableName
    type: string
    description: table name.
    allowedValues:
      - flights_table
      - tickets_table
      - "^h.*" # support any words starting with the letter h
```

### Support escaping delimiters for identifiers in string parameters

Supporting `backticks`, `double-quotes`, `single-quotes`, `square-brackets` as escaping delimiters.

Example to apply escaping delimiters:

```
# other fields
statement: SELECT {{array .columnName}} FROM {{ .tableName }}
templateParameters:
  - name: tableName
    type: string
    description: table name.
    escape: double-quotes
  - name: columnName
    type: array
    description: column names.
    items:
      name: column
      type: string
      description: Name of the column to select
      escape: double-quotes
```

This example will resolve to the following:

* Data provided: `{"tableName": "table_name", "columnName": ["foo", "bar"]}`
* Statement with escape: `SELECT "foo", "bar" FROM "table_name"`
* Statement without escape: `SELECT foo, bar FROM table_name`

Escaping delimiters can be used for identifiers (in template parameters) or string literals. If `allowedValues` is used, Toolbox will check for allowed values before applying delimiters.

### Support value range in numeric parameters

Supporting `minValue` and `maxValue` for parameters of type `integer` and `float`.

Example:

```
parameters:
  - name: price
    type: integer
    description: price of item
    minValue: 1
    maxValue: 50
```

If `allowedValues` is used, Toolbox will check for allowed values before checking for min and max values.

### References

| parameter name | type | required | description |
|------------------|-----|---------|-------------|
| allowedValues | []string | true | We will check input value against this. User can either provide a list of allowed values or regex string. |
| escape | string | false | Only available for type `string`. Indicate the escaping delimiters used for the parameter. This field is intended to be used with templateParameters. Must be one of "single-quotes", "double-quotes", "backticks", "square-brackets". |
| minValue | int or float | false | Only available for type `integer` and `float`. Indicate the minimum value allowed. |
| maxValue | int or float | false | Only available for type `integer` and `float`. Indicate the maximum value allowed. |

🛠️ Fixes #779

eaf7740
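
An added sketch (not the PR's code or Toolbox's implementation) of the order of checks the commit message above describes: `allowedValues` first, then escaping delimiters for strings or the min/max range for numbers. The `Param` type, the function names, the whole-value regex anchoring and the doubling of embedded delimiters are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Param carries the fields this page describes. The type and all functions
// here are hypothetical illustrations, not Toolbox's own code.
type Param struct {
	Name          string
	AllowedValues []string // literal values or regex patterns
	Escape        string   // one of the four delimiter names, or ""
	MinValue      *float64
	MaxValue      *float64
}

// delimiters maps each escape option to its opening and closing delimiter.
var delimiters = map[string][2]string{
	"double-quotes":   {`"`, `"`},
	"single-quotes":   {`'`, `'`},
	"backticks":       {"`", "`"},
	"square-brackets": {"[", "]"},
}

// allowed reports whether v equals an entry or matches it as a regex.
// Assumption: patterns are anchored to the whole value, not a substring.
func allowed(v string, list []string) bool {
	if len(list) == 0 {
		return true // no allow-list configured
	}
	for _, a := range list {
		re, err := regexp.Compile(`^(?:` + a + `)$`)
		if v == a || (err == nil && re.MatchString(v)) {
			return true
		}
	}
	return false
}

// ResolveString checks AllowedValues first and only then applies the escape
// delimiters, the order the page describes.
func ResolveString(p Param, v string) (string, error) {
	if !allowed(v, p.AllowedValues) {
		return "", fmt.Errorf("%s: %q is not an allowed value", p.Name, v)
	}
	if p.Escape == "" {
		return v, nil
	}
	d, ok := delimiters[p.Escape]
	if !ok {
		return "", fmt.Errorf("%s: unknown escape %q", p.Name, p.Escape)
	}
	// Assumption: an embedded closing delimiter is doubled (the usual SQL
	// quoting rule) so the value cannot end the quoted token early.
	return d[0] + strings.ReplaceAll(v, d[1], d[1]+d[1]) + d[1], nil
}

// ResolveNumber checks AllowedValues first, then minValue and maxValue.
func ResolveNumber(p Param, v float64) error {
	if !allowed(strconv.FormatFloat(v, 'f', -1, 64), p.AllowedValues) {
		return fmt.Errorf("%s: %v is not an allowed value", p.Name, v)
	}
	if p.MinValue != nil && v < *p.MinValue {
		return fmt.Errorf("%s: %v is below minValue %v", p.Name, v, *p.MinValue)
	}
	if p.MaxValue != nil && v > *p.MaxValue {
		return fmt.Errorf("%s: %v is above maxValue %v", p.Name, v, *p.MaxValue)
	}
	return nil
}

// BuildSelect renders SELECT {{array .columnName}} FROM {{ .tableName }}
// from the page's example with plain string joins.
func BuildSelect(col, tbl Param, columns []string, table string) (string, error) {
	quoted := make([]string, 0, len(columns))
	for _, c := range columns {
		q, err := ResolveString(col, c)
		if err != nil {
			return "", err
		}
		quoted = append(quoted, q)
	}
	t, err := ResolveString(tbl, table)
	if err != nil {
		return "", err
	}
	return "SELECT " + strings.Join(quoted, ", ") + " FROM " + t, nil
}

func main() {
	col := Param{Name: "column", Escape: "double-quotes"}
	tbl := Param{Name: "tableName", Escape: "double-quotes"}
	// Data from the page's example.
	fmt.Println(BuildSelect(col, tbl, []string{"foo", "bar"}, "table_name"))
}
```

A permissive pattern such as `^h.*` also admits values that contain the delimiter character itself, which is why this example doubles embedded delimiters; for identifiers, a narrow pattern such as `^h[a-z_]*$` is the tighter allow-list.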

duwenxin99 added a commit that referenced this pull request on Oct 23, 2025

🤖 I have created a release *beep* *boop*

---

## [0.18.0](v0.17.0...v0.18.0) (2025-10-23)

### Features

* Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([#1770](#1770)) ([eaf7740](eaf7740))
* **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([#1673](#1673)) ([089081f](089081f))

### Bug Fixes

* **sources/mysql:** Escape mysql user agent ([#1707](#1707)) ([eeb694c](eeb694c))
* **sources/mysql:** Escape program_name for MySQL ([#1717](#1717)) ([02f7f8a](02f7f8a))
* **tools/http:** Allow 2xx status code on tool invocation ([#1761](#1761)) ([a06d0d8](a06d0d8))
* **tools/http:** Omit optional nil query parameters ([#1762](#1762)) ([bd16ba3](bd16ba3))
* **tools/looker:** Looker file content calls should not use url.QueryEscape ([#1758](#1758)) ([336de1b](336de1b))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
github-actions Bot
pushed a commit
that referenced
this pull request
Oct 23, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([#1770](#1770)) ([eaf7740](eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([#1673](#1673)) ([089081f](089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([#1707](#1707)) ([eeb694c](eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([#1717](#1717)) ([02f7f8a](02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([#1761](#1761)) ([a06d0d8](a06d0d8)) * **tools/http:** Omit optional nil query parameters ([#1762](#1762)) ([bd16ba3](bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([#1758](#1758)) ([336de1b](336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 3ca58b1
github-actions Bot
pushed a commit
that referenced
this pull request
Oct 23, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([#1770](#1770)) ([eaf7740](eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([#1673](#1673)) ([089081f](089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([#1707](#1707)) ([eeb694c](eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([#1717](#1717)) ([02f7f8a](02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([#1761](#1761)) ([a06d0d8](a06d0d8)) * **tools/http:** Omit optional nil query parameters ([#1762](#1762)) ([bd16ba3](bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([#1758](#1758)) ([336de1b](336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 3ca58b1
github-actions Bot
pushed a commit
to renovate-bot/googleapis-_-genai-toolbox
that referenced
this pull request
Oct 23, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](googleapis/mcp-toolbox@v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([googleapis#1770](googleapis#1770)) ([eaf7740](googleapis@eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([googleapis#1673](googleapis#1673)) ([089081f](googleapis@089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([googleapis#1707](googleapis#1707)) ([eeb694c](googleapis@eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([googleapis#1717](googleapis#1717)) ([02f7f8a](googleapis@02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([googleapis#1761](googleapis#1761)) ([a06d0d8](googleapis@a06d0d8)) * **tools/http:** Omit optional nil query parameters ([googleapis#1762](googleapis#1762)) ([bd16ba3](googleapis@bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([googleapis#1758](googleapis#1758)) ([336de1b](googleapis@336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 3ca58b1
github-actions Bot
pushed a commit
to renovate-bot/googleapis-_-genai-toolbox
that referenced
this pull request
Oct 23, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](googleapis/mcp-toolbox@v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([googleapis#1770](googleapis#1770)) ([eaf7740](googleapis@eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([googleapis#1673](googleapis#1673)) ([089081f](googleapis@089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([googleapis#1707](googleapis#1707)) ([eeb694c](googleapis@eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([googleapis#1717](googleapis#1717)) ([02f7f8a](googleapis@02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([googleapis#1761](googleapis#1761)) ([a06d0d8](googleapis@a06d0d8)) * **tools/http:** Omit optional nil query parameters ([googleapis#1762](googleapis#1762)) ([bd16ba3](googleapis@bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([googleapis#1758](googleapis#1758)) ([336de1b](googleapis@336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 3ca58b1
github-actions Bot
pushed a commit
to bhardwajRahul/genai-toolbox
that referenced
this pull request
Oct 24, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](googleapis/mcp-toolbox@v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([googleapis#1770](googleapis#1770)) ([eaf7740](googleapis@eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([googleapis#1673](googleapis#1673)) ([089081f](googleapis@089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([googleapis#1707](googleapis#1707)) ([eeb694c](googleapis@eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([googleapis#1717](googleapis#1717)) ([02f7f8a](googleapis@02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([googleapis#1761](googleapis#1761)) ([a06d0d8](googleapis@a06d0d8)) * **tools/http:** Omit optional nil query parameters ([googleapis#1762](googleapis#1762)) ([bd16ba3](googleapis@bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([googleapis#1758](googleapis#1758)) ([336de1b](googleapis@336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 3ca58b1
github-actions Bot
pushed a commit
to bhardwajRahul/genai-toolbox
that referenced
this pull request
Oct 24, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](googleapis/mcp-toolbox@v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([googleapis#1770](googleapis#1770)) ([eaf7740](googleapis@eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([googleapis#1673](googleapis#1673)) ([089081f](googleapis@089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([googleapis#1707](googleapis#1707)) ([eeb694c](googleapis@eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([googleapis#1717](googleapis#1717)) ([02f7f8a](googleapis@02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([googleapis#1761](googleapis#1761)) ([a06d0d8](googleapis@a06d0d8)) * **tools/http:** Omit optional nil query parameters ([googleapis#1762](googleapis#1762)) ([bd16ba3](googleapis@bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([googleapis#1758](googleapis#1758)) ([336de1b](googleapis@336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com> 3ca58b1
twishabansal
pushed a commit
that referenced
this pull request
Oct 27, 2025
…r parameters (#1770) ## Description To minimize SQL injection risks when using template parameters, it is highly recommended that user utilizes the following added fields for parameters. ### Allow user to indicate allowed values via list or regex Add new `allowedValues` field to all parameter type. It can be used as follows (can be used in the `parameter` field or `templateParameter` field): ``` templateParameters: - name: tableName type: string description: table name. allowedValues: - flights_table - tickets_table - "^h.*" # support any words starting with the letter h ``` ### Support escaping delimiters for identifiers in string parameters Supporting `backticks`, `double-quotes`, `single-quotes`, `square-brackets` as escaping delimiters. Example to apply escaping delimiters: ``` # other fields statement: SELECT {{array .columnName}} FROM {{ .tableName }} templateParameters: - name: tableName type: string description: table name. escape: double-quotes - name: columnName type: array description: column names. items: name: column type: string description: Name of the column to select escape: double-quotes ``` This example will resolve to following: - * Data provided: `{"tableName": "table_name", "columnName": ["foo", "bar"]}` * Statement with escape: `SELECT "foo", "bar" FROM "table_name"` * Statement without escape: `SELECT foo, bar FROM table_name` Escaping delimiters can be used for identifiers (in template parameters) or string literals. If `allowedValues` were used, Toolbox will check for allowed values before applying delimiters. ### Support value range in numeric parameters Supporting `minValue` and `maxValue` for parameters of type `integer` and `float`. Example: ``` parameters: - name: price type: integer description: price of item minValue: 1 maxValue: 50 ``` If `allowedValues` were used, Toolbox will check for allowed values before checking for min and max values. 
### References | parameter name | type | required | description | |------------------|-----|---------|-------------| | allowedValues | []string | true | We will check input value against this. User can either provide a list of allowed values or regex string. | | escape | string | false | Only available for type `string`. Indicate the escaping delimiters used for the parameter. This field is intended to be used with templateParameters. Must be one of "single-quotes", "double-quotes", "backticks", "square-brackets". | | minValue | int or float | false | Only available for type `integer` and `float`. Indicate the minimum value allowed. | | maxValue | int or float | false | Only available for type `integer` and `float`. Indicate the maximum value allowed. | ## PR Checklist > Thank you for opening a Pull Request! Before submitting your PR, there are a > few things you can do to make sure it goes smoothly: - [x] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md) - [x] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea - [x] Ensure the tests and linter pass - [x] Code coverage does not decrease (if any source code was changed) - [x] Appropriate docs were updated (if necessary) - [x] Make sure to add `!` if this involve a breaking change 🛠️ Fixes #779
twishabansal
pushed a commit
that referenced
this pull request
Oct 27, 2025
🤖 I have created a release *beep* *boop* --- ## [0.18.0](v0.17.0...v0.18.0) (2025-10-23) ### Features * Support `allowedValues`, `escape`, `minValue` and `maxValue` for parameters ([#1770](#1770)) ([eaf7740](eaf7740)) * **tools/looker:** Tools to allow the agent to retrieve, create, modify, and delete LookML project files. ([#1673](#1673)) ([089081f](089081f)) ### Bug Fixes * **sources/mysql:** Escape mysql user agent ([#1707](#1707)) ([eeb694c](eeb694c)) * **sources/mysql:** Escape program_name for MySQL ([#1717](#1717)) ([02f7f8a](02f7f8a)) * **tools/http:** Allow 2xx status code on tool invocation ([#1761](#1761)) ([a06d0d8](a06d0d8)) * **tools/http:** Omit optional nil query parameters ([#1762](#1762)) ([bd16ba3](bd16ba3)) * **tools/looker:** Looker file content calls should not use url.QueryEscape ([#1758](#1758)) ([336de1b](336de1b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
rahulpinto19
pushed a commit
that referenced
this pull request
Oct 27, 2025
…r parameters (#1770)

## Description

To minimize SQL injection risks when using template parameters, it is highly recommended that users utilize the following added fields for parameters.

### Allow user to indicate allowed values via list or regex

Add new `allowedValues` field to all parameter types. It can be used as follows (can be used in the `parameter` field or `templateParameter` field):

```
templateParameters:
  - name: tableName
    type: string
    description: table name.
    allowedValues:
      - flights_table
      - tickets_table
      - "^h.*" # support any words starting with the letter h
```

### Support escaping delimiters for identifiers in string parameters

Supporting `backticks`, `double-quotes`, `single-quotes`, `square-brackets` as escaping delimiters.

Example to apply escaping delimiters:

```
# other fields
statement: SELECT {{array .columnName}} FROM {{ .tableName }}
templateParameters:
  - name: tableName
    type: string
    description: table name.
    escape: double-quotes
  - name: columnName
    type: array
    description: column names.
    items:
      name: column
      type: string
      description: Name of the column to select
      escape: double-quotes
```

This example will resolve to the following:

* Data provided: `{"tableName": "table_name", "columnName": ["foo", "bar"]}`
* Statement with escape: `SELECT "foo", "bar" FROM "table_name"`
* Statement without escape: `SELECT foo, bar FROM table_name`

Escaping delimiters can be used for identifiers (in template parameters) or string literals. If `allowedValues` were used, Toolbox will check for allowed values before applying delimiters.

### Support value range in numeric parameters

Supporting `minValue` and `maxValue` for parameters of type `integer` and `float`.

Example:

```
parameters:
  - name: price
    type: integer
    description: price of item
    minValue: 1
    maxValue: 50
```

If `allowedValues` were used, Toolbox will check for allowed values before checking for min and max values.

### References

| parameter name | type | required | description |
|------------------|-----|---------|-------------|
| allowedValues | []string | true | We will check input value against this. User can either provide a list of allowed values or regex string. |
| escape | string | false | Only available for type `string`. Indicate the escaping delimiters used for the parameter. This field is intended to be used with templateParameters. Must be one of "single-quotes", "double-quotes", "backticks", "square-brackets". |
| minValue | int or float | false | Only available for type `integer` and `float`. Indicate the minimum value allowed. |
| maxValue | int or float | false | Only available for type `integer` and `float`. Indicate the maximum value allowed. |

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [x] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [x] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

🛠️ Fixes #779
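The check order described in the commit message above (`allowedValues` first, then escaping delimiters), as an added Go sketch that is not Toolbox's own code. `Param`, `ResolveString` and `BuildSelect` are hypothetical names; full-string anchoring of each entry and doubling of embedded closing delimiters are assumptions of this sketch, not behaviour stated in the PR.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Param mirrors the YAML fields in the description; the type is hypothetical.
type Param struct {
	Name          string
	AllowedValues []string // literals or regular expressions
	Escape        string   // "" or one of the four delimiter names
}

var ErrNotAllowed = errors.New("value not in allowedValues")
// Opening and closing character for each escape setting.
var delimiters = map[string][2]string{
	"double-quotes": {`"`, `"`}, "single-quotes": {"'", "'"},
	"backticks": {"`", "`"}, "square-brackets": {"[", "]"},
}

// allowed reports whether v fully matches any entry. Assumption: entries are
// anchored here, so a literal such as flights_table matches only itself.
func allowed(p Param, v string) bool {
	for _, a := range p.AllowedValues {
		re, err := regexp.Compile(`^(?:` + a + `)$`)
		if a == v || (err == nil && re.MatchString(v)) {
			return true
		}
	}
	return len(p.AllowedValues) == 0
}

// ResolveString checks allowedValues first, then applies the delimiters.
// Assumption: embedded closing delimiters are doubled, as in standard SQL quoting.
func ResolveString(p Param, v string) (string, error) {
	if !allowed(p, v) {
		return "", fmt.Errorf("%s: %w", p.Name, ErrNotAllowed)
	}
	if p.Escape == "" {
		return v, nil
	}
	d, ok := delimiters[p.Escape]
	if !ok {
		return "", fmt.Errorf("%s: unknown escape %q", p.Name, p.Escape)
	}
	return d[0] + strings.ReplaceAll(v, d[1], d[1]+d[1]) + d[1], nil
}

// BuildSelect renders SELECT {{array .columnName}} FROM {{ .tableName }}.
func BuildSelect(table, column Param, tableName string, columns []string) (string, error) {
	t, err := ResolveString(table, tableName)
	if err != nil {
		return "", err
	}
	quoted := make([]string, 0, len(columns))
	for _, c := range columns {
		q, err := ResolveString(column, c)
		if err != nil {
			return "", err
		}
		quoted = append(quoted, q)
	}
	return "SELECT " + strings.Join(quoted, ", ") + " FROM " + t, nil
}

func main() {
	p := Param{Name: "tableName", Escape: "double-quotes", AllowedValues: []string{"flights_table", "^h.*"}}
	for _, v := range []string{"flights_table", `h"x`, "users"} { // constructed inputs
		fmt.Println(ResolveString(p, v))
	}
}
```

The broad pattern `^h.*` accepts the constructed value `h"x`, so with such a pattern the delimiter handling is the only remaining control; a tighter entry such as `^h[a-z_]*$` rejects it at the allowlist.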
rahulpinto19
pushed a commit
that referenced
this pull request
Oct 27, 2025
rahulpinto19
pushed a commit
that referenced
this pull request
Oct 27, 2025
rahulpinto19
pushed a commit
that referenced
this pull request
Oct 27, 2025
twishabansal
pushed a commit
that referenced
this pull request
Oct 28, 2025
twishabansal
pushed a commit
that referenced
this pull request
Oct 28, 2025
srividyareddy786
pushed a commit
to srividyareddy786/genai-toolbox
that referenced
this pull request
Nov 4, 2025
srividyareddy786
pushed a commit
to srividyareddy786/genai-toolbox
that referenced
this pull request
Nov 4, 2025
NightStack15
added a commit
to NightStack15/googleapis-_-genai-toolbox
that referenced
this pull request
Mar 20, 2026