Issue

When you work with a Tableau workbook that gets data from a SQL-based data source or from an Rserve server, you can create calculations with expressions that are sent directly to the data source, known as pass-through expressions. These types of expressions are described in the following Tableau Desktop documentation:
The pass-through functions are those with names that begin with
Under certain circumstances, pass-through expressions could be vectors for SQL injection attacks—that is, an attacker might be able to include malicious commands in them as values. This can happen when the workbook contains a calculation that meets all of these criteria:
The calculation includes a
The expression uses a value that is passed to the calculation from a parameter in the workbook.
The parameter is typed as a string.
The parameter is the first parameter passed to the calculation.
The parameter is not enclosed in quotation marks.
For example, in the following expression, Parameter 1 might be intended to contain a string value, like small, medium, or large. However, if a user can set the value of Parameter 1 to arbitrary text, that user could potentially create a SQL injection attack.
Because an expression like this could potentially include malicious commands, it is referred to as a non-secure script.
Note the last criterion: in a non-secure script, the parameter is not enclosed in quotation marks. Consider the following example:
RAWSQL_BOOL("%1", [Parameter 1])
This example does not constitute a non-secure script, because the value of Parameter 1 is included in quotation marks, so SQL does not treat the value as a command.
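The criteria above can be turned into a simple check for auditing the calculations in a workbook. The following is an added example, not Tableau's own code: it flags a formula as a non-secure script when a RAWSQL call substitutes a string-typed workbook parameter as its first value (%1) outside quotation marks, and it treats the quoted form shown above as secure. The parameter table and the formulas checked against it are constructed for illustration.

```python
"""Flag Tableau calculations meeting the non-secure script criteria above.
Added example, not Tableau's code; the parameter table is constructed."""
import re
# A pass-through call: RAWSQL_<type>( <sql text>, <arguments...> )
RAWSQL_CALL = re.compile(r"RAWSQL\w*\s*\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)

# Constructed workbook parameter table: parameter name -> Tableau data type
PARAMETER_TYPES = {"Parameter 1": "string", "Parameter 2": "integer"}

def split_top_level_args(body: str) -> list:
    """Split the call body on commas outside quotes and [bracketed names]."""
    args, cur, depth, quote = [], [], 0, None
    for ch in body:
        if quote:
            quote = None if ch == quote else quote
        elif ch in ("'", '"'):
            quote = ch
        elif ch in "[]":
            depth += 1 if ch == "[" else -1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args

def placeholder_outside_quotes(sql_text: str, placeholder: str) -> bool:
    """True if the placeholder appears in sql_text outside any quoted span."""
    quote = None
    for i, ch in enumerate(sql_text):
        if quote:
            quote = None if ch == quote else quote
        elif ch in ("'", '"'):
            quote = ch
        elif sql_text.startswith(placeholder, i):
            return True
    return False

def is_non_secure_script(formula: str, parameter_types: dict) -> bool:
    """Article's criteria: unquoted %1 filled from a string-typed parameter."""
    m = RAWSQL_CALL.search(formula.strip())
    if not m:
        return False
    args = split_top_level_args(m.group(1))
    if len(args) < 2:
        return False
    name = args[1].strip("[]")  # "[Parameter 1]" -> "Parameter 1"
    is_string_param = parameter_types.get(name) == "string"
    return is_string_param and placeholder_outside_quotes(args[0], "%1")
```

Run it over every calculation formula extracted from a workbook, together with the workbook's parameter names and types, to list the calculations that need quotation marks added around the parameter.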