Last Modified Date: 16 Aug 2016
When you work with a workbook that gets data from a SQL-based data source or from an Rserve server, you can create calculations with expressions that are sent directly to the data source, known as pass-through expressions. These types of expressions are described in the following Tableau Desktop documentation:
The pass-through functions are those with names that begin with RAWSQL_ (for SQL-based data sources) or SCRIPT_ (for Rserve).
Under certain circumstances, pass-through expressions can be vectors for injection attacks: an attacker might be able to supply malicious SQL or R commands as parameter values, and those commands are then sent to the data source. This can happen when the workbook contains a calculation that meets all of the following criteria:
The calculation includes a pass-through function (RAWSQL_ or SCRIPT_).
The expression uses a value that is passed to the calculation from a parameter in the workbook.
The parameter is typed as a string.
The parameter is the first parameter passed to the calculation.
The parameter is not enclosed in quotation marks.
For example, consider a RAWSQL_ expression that passes [Parameter 1] as its first parameter without quotation marks. Parameter 1 might be intended to contain a string value, like small, medium, or large. However, if a user can set the value of Parameter 1 to arbitrary text, that user could append SQL commands to the value and carry out a SQL injection attack. Because an expression like this could include malicious commands, it is referred to as an insecure script.
Note the last criterion: in an insecure script, the parameter is not enclosed in quotation marks. Consider the following example:
RAWSQL_BOOL("%1", [Parameter 1])
This example does not constitute an insecure script, because the value of Parameter 1 is enclosed in quotation marks, so the data source treats the value as a string rather than as a command. Keep in mind that these criteria are structural: the publishing check described below looks at how a string parameter is passed to the pass-through function, not at the content of the SQL or R script itself.
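To make the criteria above concrete, here is an added example (not Tableau's code and not part of the original article). It does two things: a small checker that flags a calculation as an insecure script by applying the page's five criteria, and a constructed model of what happens when a hostile parameter value is spliced into a SQL fragment unquoted versus passed as a quoted, escaped literal. Everything about how the criteria are read (the first argument after the SQL/script template is "the first parameter", and "enclosed in quotation marks" means the %1 placeholder sits inside a quoted string), the parameter type map, the hostile value and the substitution model are assumptions made for this example; Tableau's real substitution engine is not shown on this page.

```python
import re

# Pass-through function prefixes named on this page: RAWSQL_ (SQL) and SCRIPT_ (Rserve).
CALL_RE = re.compile(r"\b(RAWSQL_\w+|SCRIPT_\w+)\s*\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"^\[([^\]]+)\]$")  # a workbook parameter reference such as [Parameter 1]


def split_args(arglist):
    """Split an argument list on top-level commas; commas inside double-quoted strings are kept."""
    args, cur, in_str = [], [], False
    for ch in arglist:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args


def is_insecure_script(calculation, parameter_types):
    """Return True if `calculation` meets all of the page's criteria for an insecure script.

    parameter_types maps workbook parameter names to their data type, e.g. {"Parameter 1": "string"}.
    Reading of the criteria used here (an assumption for this example):
      1. the calculation is a RAWSQL_/SCRIPT_ call;
      2-4. the first argument after the SQL/script template is a workbook parameter of type string;
      5. the placeholder for that value, %1, is not wrapped in quotation marks.
    """
    m = CALL_RE.search(calculation.strip())
    if not m:
        return False
    args = split_args(m.group(2))
    if len(args) < 2:
        return False
    template, first_value = args[0], args[1]
    pm = PARAM_RE.match(first_value)
    if not pm or parameter_types.get(pm.group(1), "").lower() != "string":
        return False
    placeholder_quoted = re.search(r"""(["']).*?%1.*?\1""", template) is not None
    return not placeholder_quoted


def render_sql(template, value, as_literal):
    """Constructed model of %1 substitution (not Tableau's engine): either splice the value into
    the SQL text verbatim (the unquoted case) or pass it as a single-quoted SQL string literal
    with embedded quotes doubled (the quoted case)."""
    if as_literal:
        value = "'" + value.replace("'", "''") + "'"
    return template.replace("%1", value)


def count_statements(sql):
    """Count statements separated by ';' outside string literals, ignoring empty or comment-only
    remainders. A count above one means the parameter value was executed as commands."""
    count, cur, in_lit = 0, [], False
    for ch in sql + ";":
        if ch == "'":
            in_lit = not in_lit
        if ch == ";" and not in_lit:
            text = "".join(cur).strip()
            if text and not text.startswith("--"):
                count += 1
            cur = []
        else:
            cur.append(ch)
    return count


def demo():
    """Run the constructed examples and return the results as a dict."""
    params = {"Parameter 1": "string", "Parameter 2": "integer"}  # assumed workbook parameters
    hostile = "small; DROP TABLE orders; --"  # constructed attacker-controlled parameter value
    return {
        "flag_unquoted": is_insecure_script("RAWSQL_BOOL(%1, [Parameter 1])", params),
        "flag_quoted": is_insecure_script('RAWSQL_BOOL("%1", [Parameter 1])', params),
        "flag_integer": is_insecure_script("RAWSQL_BOOL(%1, [Parameter 2])", params),
        "unquoted_statements": count_statements(render_sql("size = %1", hostile, False)),
        "quoted_statements": count_statements(render_sql("size = %1", hostile, True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The checker mirrors what the page describes as a publish-time, structural test; it says nothing about whether the SQL or R text inside the template is itself sensible. The substitution half shows why the unquoted criterion matters: with the value spliced in verbatim, the hostile value yields two executable statements, whereas as a quoted literal it stays a single statement even when it contains quote characters.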
Allowing insecure scripts when publishing to Tableau Server
By default, users are not allowed to publish a workbook to Tableau Server that contains an insecure script—that is, a workbook that contains a calculation that meets all of the criteria described earlier. When users attempt to publish the workbook, they see the following response from the server:
This worksheet contains custom user scripts or SQL with injectable string parameters, which may be vulnerable on the target platform.
You can allow users to publish workbooks that contain insecure scripts by using the following tabadmin set command:
tabadmin set vizqlserver.allow_insecure_scripts true
As with other tabadmin set changes, run tabadmin configure and restart Tableau Server for the new value to take effect.
Notes about enabling or disabling insecure scripts on Tableau Server
The vizqlserver.allow_insecure_scripts setting is designed for scenarios where a user might try to use a parameter value to send unauthorized SQL or Rserve commands. To help secure Tableau Server installations, the default setting is false, so that users cannot publish workbooks with insecure scripts. Consider the following points about the vizqlserver.allow_insecure_scripts setting:
If your users never create custom SQL or R expressions, you can leave vizqlserver.allow_insecure_scripts set to false without affecting the ability of your users to publish workbooks.
If your users create calculations that include custom SQL or R expressions, but you do not believe that other users might try to pass commands to the data source, you can enable publishing of insecure scripts (that is, set vizqlserver.allow_insecure_scripts to true). Weigh this against the fact that anyone who can change the parameter value in a published workbook can then influence what is sent to the data source.
The vizqlserver.allow_insecure_scripts setting applies to a Tableau Server installation as a whole. If this setting is false, publishing workbooks that contain insecure scripts is blocked for all sites and projects on the server.
Tableau Public and Tableau Online do not allow calculations that include expressions with functions beginning with SCRIPT_. Therefore, the vizqlserver.allow_insecure_scripts default value of false does not affect those products.