Issue
When you work with a Tableau workbook that gets data from a SQL-based data source or from an Rserve server, you can create calculations with expressions that are sent directly to the data source, known as pass-through expressions. These types of expressions are described in the following Tableau Desktop documentation:

The pass-through functions are those with names that begin with RAWSQL_ or SCRIPT_.
Under certain circumstances, pass-through expressions could be vectors for SQL injection attacks: an attacker might be able to include malicious commands in them as values. This can happen when the workbook contains a calculation that meets all of these criteria:

- The calculation includes a SCRIPT_ or RAWSQL_ function.
- The expression uses a value that is passed to the calculation from a parameter in the workbook.
- The parameter is typed as a string.
- The parameter is the first parameter passed to the calculation.
- The parameter is not enclosed in quotation marks.
For example, in the following expression, Parameter 1 might be intended to contain a string value, like small, medium, or large.

RAWSQL_STR([Parameter 1])

However, if a user can set the value of Parameter 1 to arbitrary text, that user could potentially create a SQL injection attack.
Because an expression like this could potentially include malicious commands, it is referred to as a non-secure script.

Note the last criterion: in a non-secure script, the parameter is not enclosed in quotation marks. Consider the following example:

RAWSQL_BOOL("%1", [Parameter 1])

This example does not constitute a non-secure script, because the value of Parameter 1 is included in quotation marks, so SQL does not treat the value as a command.
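As an added example (not code from the Tableau article), the following Python checker applies the five criteria above to calculation text before a workbook is published: it flags any RAWSQL_ or SCRIPT_ call whose first argument is a bare, unquoted [Parameter] reference to a string-typed parameter, and leaves the quoted "%1" form alone. The parameter-to-type mapping, the sample expressions and the function names are assumptions you would replace with values exported from your own workbook; this is a static text check, not Tableau's own validation.

```python
import re

# Constructed sample: workbook parameter names mapped to their declared data type.
# Assumption: you obtain this mapping from your own workbook's parameter definitions.
PARAMETER_TYPES = {
    "Parameter 1": "string",
    "Parameter 2": "integer",
}

# A pass-through call starts with a name beginning RAWSQL_ or SCRIPT_, then "(".
PASS_THROUGH_CALL = re.compile(r"\b(RAWSQL_[A-Z_]+|SCRIPT_[A-Z]+)\s*\(", re.IGNORECASE)
# A bare parameter reference is exactly "[Name]" with nothing around it (no quotes).
BARE_PARAM_REF = re.compile(r"^\[([^\]]+)\]$")


def _split_args(expr, start):
    """Return the top-level argument strings of the call whose "(" is at expr[start].

    Nested parentheses and double-quoted string literals are tracked so that a comma
    inside either (e.g. "%1, %2") does not split an argument."""
    depth = 0
    in_string = False
    args = []
    current = []
    for ch in expr[start:]:
        if in_string:
            current.append(ch)
            if ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
            current.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:          # keep parentheses of nested calls in the argument text
                current.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:         # closing paren of the call we started at
                args.append("".join(current).strip())
                return args
            current.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    raise ValueError("unbalanced parentheses in expression")


def find_non_secure_scripts(expr, parameter_types):
    """Return (function, parameter) pairs for every pass-through call in expr whose
    first argument is an unquoted reference to a string-typed workbook parameter."""
    findings = []
    for match in PASS_THROUGH_CALL.finditer(expr):
        args = _split_args(expr, match.end() - 1)   # match ends just after "("
        if not args:
            continue
        ref = BARE_PARAM_REF.match(args[0])
        if ref and parameter_types.get(ref.group(1), "").lower() == "string":
            findings.append((match.group(1).upper(), ref.group(1)))
    return findings


def review_workbook(calculations, parameter_types):
    """Map calculation name -> findings, for every calculation that has any."""
    report = {}
    for name, expr in calculations.items():
        hits = find_non_secure_scripts(expr, parameter_types)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    # Constructed calculations: the two forms from the article plus a nested case.
    sample = {
        "Size (raw)": "RAWSQL_STR([Parameter 1])",
        "Size (quoted)": 'RAWSQL_BOOL("%1", [Parameter 1])',
        "Count (int)": "RAWSQL_INT([Parameter 2])",
        "Nested": 'RAWSQL_BOOL("%1 = %2", [Parameter 1], RAWSQL_STR([Parameter 1]))',
    }
    for calc, hits in review_workbook(sample, PARAMETER_TYPES).items():
        for func, param in hits:
            print(f"{calc}: {func} takes string parameter [{param}] unquoted")
```

The checker only looks at the first argument, exactly as the article's criteria do; a string parameter used in a later argument of a quoted "%1" form is reported as safe, which matches the article's second example.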