Fix SQL injection vulnerability in UC function execution

[harupy]

🛠 DevTools 🛠

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19381/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19381/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/19381/merge

Related Issues/PRs

Resolve #19365

What changes are proposed in this pull request?

Add _quote_identifier() function to properly quote Unity Catalog identifiers with backticks before SQL interpolation. This prevents SQL injection attacks via maliciously crafted function names.

The function:

• Splits multi-part identifiers (e.g., catalog.schema.function) and quotes each part with backticks
• Strips existing backticks before re-quoting
• Rejects identifiers with embedded backticks (which are not valid in UC)

How is this PR tested?

• New unit tests

Does this PR require documentation update?

• No. You can skip the rest of this section.

Release Notes

Is this a user-facing change?

• Yes. Give a description of this change to be included in the release notes for MLflow users.

Fixed a SQL injection vulnerability in Unity Catalog function execution where maliciously crafted function names could execute arbitrary SQL.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations

How should the PR be classified in the release notes? Choose one:

• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes

Should this PR be included in the next patch release?

• Yes (this PR will be cherry-picked and included in the next patch release)

---

🤖 Generated with Claude Code

[github-actions]

Documentation preview for fd49858 is available at:

• https://pr-19381--mlflow-docs-preview.netlify.app/docs/latest/

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[Copilot]

Pull request overview

This PR addresses a critical SQL injection vulnerability in Unity Catalog function execution by introducing proper escaping of function names before SQL interpolation. The fix adds a new escape_uc_identifier() function that validates and escapes catalog.schema.function identifiers with backticks, preventing malicious function names from executing arbitrary SQL.

Key changes:

• Introduces escape_uc_identifier() function to validate and escape 3-part Unity Catalog identifiers
• Updates get_execute_function_sql_stmt() to escape function names before SQL interpolation
• Implements backtick escaping with double-backtick escape sequences for embedded backticks

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[harupy]

IMO, https://mlflow.org/docs/latest/genai/governance/unity-catalog/ no longer makes sense. We can just use MCP now.

[serena-ruan]

Actually is this a real vulnerability? get_execute_function_sql_stmt accepts FunctionInfo.full_name, it should already be a valid function name. Users shouldn't be able to pass function name directly

[harupy]

@serena-ruan Even if the attack is not valid, the fix still makes sense. The current code seems vulnerable to SQL injection.

[serena-ruan]

It's possible it includes backticks?

[serena-ruan]

@serena-ruan Even if the attack is not valid, the fix still makes sense. The current code seems vulnerable to SQL injection.

It's true, but SQL injection shouldn't happen in function name part but the parameters part? BTW UC function execution should handle any potential security issues

[B-Step62]

LGTM

[serena-ruan]

LGTM!