Issue
When you work with a Tableau workbook that gets data from a SQL-based data source or from an Rserve server, you can create calculations with expressions that are sent directly to the data source, known as pass-through expressions. These expressions are described in the Tableau Desktop documentation. The pass-through functions are those whose names begin with RAWSQL_ or SCRIPT_.
Under certain circumstances, pass-through expressions could be vectors for SQL injection attacks—that is, an attacker might be able to include malicious commands in them as values. This can happen when the workbook contains a calculation that meets all of these criteria:
- The calculation includes a SCRIPT_ or RAWSQL_ function.
- The expression uses a value that is passed to the calculation from a parameter in the workbook.
- The parameter is typed as a string.
- The parameter is the first parameter passed to the calculation.
- The parameter is not enclosed in quotation marks.
For example, in the following expression, Parameter 1 might be intended to contain a string value, like small, medium, or large.
RAWSQL_STR([Parameter 1])
However, if a user can set the value of Parameter 1 to arbitrary text, that user could potentially create a SQL injection attack.
Because an expression like this could potentially include malicious commands, it is referred to as an insecure script.
Note the last criterion: an insecure script includes a parameter that is not enclosed in quotation marks. Consider the following example:
RAWSQL_BOOL("%1", [Parameter 1])
This example does not constitute an insecure script, because the value of Parameter 1 is included in quotation marks, so SQL does not treat the value as a command.
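The five criteria above can be applied mechanically to a calculation's formula text. The following Python checker is an added example and is not Tableau's own code or tooling: it parses the argument list of each RAWSQL_ or SCRIPT_ call (honouring quotes and nested parentheses), and flags the formula when the first argument is a bare reference to a string-typed parameter. The parameter inventory (`PARAMETERS`) and the sample formulas are constructed for the example; in practice they would be read from the workbook. The optional `[Parameters].` prefix is assumed to be how a saved workbook may qualify a parameter reference.

```python
import re
from typing import Dict, List, Optional

# Constructed sample inventory: parameter name -> data type declared in the workbook.
PARAMETERS: Dict[str, str] = {
    "[Parameter 1]": "string",
    "[Parameter 2]": "integer",
}

# Matches the start of a pass-through call, e.g. RAWSQL_STR( or SCRIPT_REAL(
PASS_THROUGH_CALL = re.compile(r"\b(RAWSQL_|SCRIPT_)[A-Z_]*\s*\(", re.IGNORECASE)


def extract_args(formula: str, open_paren: int) -> List[str]:
    """Return the top-level arguments of the call whose '(' is at open_paren.

    Commas inside string literals or nested parentheses do not split arguments,
    so F("a, b", [P]) yields two arguments, not three.
    """
    args: List[str] = []
    current: List[str] = []
    depth = 0
    quote: Optional[str] = None
    i = open_paren + 1
    while i < len(formula):
        ch = formula[i]
        if quote:
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            current.append(ch)
        elif ch == "(":
            depth += 1
            current.append(ch)
        elif ch == ")":
            if depth == 0:
                args.append("".join(current).strip())
                return args
            depth -= 1
            current.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    raise ValueError("unbalanced parentheses in formula")


def string_parameter_name(arg: str, parameters: Dict[str, str]) -> Optional[str]:
    """Return the parameter name if `arg` is a bare reference to a string-typed parameter."""
    # Assumption: a saved workbook may qualify the reference as [Parameters].[Name].
    name = re.sub(r"^\[Parameters\]\.", "", arg, flags=re.IGNORECASE)
    return name if parameters.get(name) == "string" else None


def is_insecure_script(formula: str, parameters: Dict[str, str] = PARAMETERS) -> bool:
    """Apply the article's five criteria to one calculation formula."""
    for match in PASS_THROUGH_CALL.finditer(formula):   # criterion 1: RAWSQL_/SCRIPT_ call
        args = extract_args(formula, match.end() - 1)
        if not args:
            continue
        first = args[0]                                   # criterion 4: first argument only
        if first.startswith(('"', "'")):                  # criterion 5: quoted -> literal, not bare
            continue
        if string_parameter_name(first, parameters):      # criteria 2 and 3: string parameter
            return True
    return False


# Constructed formulas with the verdict the article's criteria give for each.
SAMPLE_FORMULAS = {
    'RAWSQL_STR([Parameter 1])': True,
    'RAWSQL_BOOL("%1", [Parameter 1])': False,
    'RAWSQL_INT([Parameter 2])': False,
    'SCRIPT_REAL([Parameter 1], SUM([Sales]))': True,
    'RAWSQL_STR("%1 = %2", [Category], [Parameter 1])': False,
    'SUM([Sales])': False,
}


def audit(formulas: Dict[str, bool]) -> Dict[str, bool]:
    """Return the verdict for every formula; used by the stand-alone run below."""
    return {formula: is_insecure_script(formula) for formula in formulas}


if __name__ == "__main__":
    for formula, verdict in audit(SAMPLE_FORMULAS).items():
        print(f"{'INSECURE' if verdict else 'ok      '}  {formula}")
```

Running the module prints one line per sample formula; only the two with a bare string parameter in the first position are reported as insecure, matching the worked examples in the article.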