Skip to content

Tags: sqlpage/SQLPage

Tags

v0.44.1

Toggle v0.44.1's commit message

Verified

This tag was signed with the committer’s verified signature.
lovasoa Ophir LOJKINE
security update

An AI-assisted security audit found three vulnerabilities: one authentication bypass that is high severity for affected OIDC deployments, and two lower-severity issues. It also led to three hardening changes. Upgrade now if you use custom OIDC protected paths.

Security fixes:

- **High severity for affected OIDC deployments: protected path bypass.** Affected: sites using OIDC with custom `oidc_protected_paths`, such as `["/admin"]`, to protect only part of the site. Not affected: sites not using OIDC, or using the default `oidc_protected_paths = ["/"]` to protect the whole site. Impact: an unauthenticated attacker could use percent-encoded URLs to access pages that should require login. The fix checks decoded request paths against decoded `oidc_protected_paths` and `oidc_public_paths`.
- **Medium severity: private SQL files could be served after privileged `run_sql` includes.** Affected: apps that call `sqlpage.run_sql(...)` on private paths such as `sqlpage/`, dotfiles, absolute paths, or `../` paths. Impact: an attacker who knew the path could request the cached file directly and run it as a public page for a few milliseconds.
- **Low severity: debug error messages displayed in production** Affected: `environment = "production"` and pages that can error while serving JSON, NDJSON, SSE, or CSV contents. Impact: an attacker could gather private information about your database schema through error messages.

Additional hardening:

- Safely quote `csv` and `download` `filename` values in `Content-Disposition`, preventing download filename corruption.
- Reject unsafe OIDC redirect targets containing backslashes or control characters, affecting user-controlled login return targets and `sqlpage.oidc_logout_url`.
- Bind `sqlpage.oidc_logout_url` links to the current session, preventing forced logout of another browser.

Verified

This tag was signed with the committer’s verified signature.
lovasoa Ophir LOJKINE

v0.43.0

Toggle v0.43.0's commit message

Verified

This tag was signed with the committer’s verified signature.
lovasoa Ophir LOJKINE
- OIDC protected and public paths now respect the site prefix when it…

… is defined.

- Fix: OIDC provider metadata refreshes now always happen in the background, and with a timeout. Previously, a slow OIDC provider could prevent SQLPage from handling requests for an arbitrary amount of time.
- Fix: forms without submit or reset buttons no longer keep extra bottom spacing.
- add submit and reset form button icons: validate_icon, reset_icon, reset_color
- improve error messages when sqlpage functions are used incorrectly. Include precise file reference and line number
- updated sql parser: https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.61.0.md

v0.42.0

Toggle v0.42.0's commit message
- **New Function**: `sqlpage.web_root()` - Returns the web root direc…

…tory where SQLPage serves `.sql` files from. This is more reliable than `sqlpage.current_working_directory()` when you need to reference the location of your SQL files, especially when the `--web-root` argument or `WEB_ROOT` environment variable is used.

- **New Function**: `sqlpage.configuration_directory()` - Returns the configuration directory where SQLPage looks for `sqlpage.json`, templates, and migrations. Useful when you need to reference configuration-related files in your SQL code.
- fix: The default welcome page (`index.sql`) now correctly displays the web root and configuration directory paths instead of showing the current working directory.
- fix: `sqlpage.variables()` now does not return json objects with duplicate keys when post, get and set variables of the same name are present. The semantics of the returned values remains the same (precedence: set > post > get).
- add support for some duckdb-specific (like `select {'a': 1, 'b': 2}`), and oracle-specific syntax dynamically when connected through odbc.
- better oidc support. Single-sign-on now works with sites:
  - using a non-default `site_prefix`
  - hosted behind an ssl-terminating reverse proxy
- New docker image variant: `lovasoa/sqlpage:latest-duckdb`, `lovasoa/sqlpage:main-duckdb` with preconfigured duckdb odbc drivers.
- New config option: `cache_stale_duration_ms` to control the duration for which cached sql files are considered fresh.

v0.41.0

Toggle v0.41.0's commit message
 - **New Function**: `sqlpage.oidc_logout_url(redirect_uri)` - Genera…

…tes a secure logout URL for OIDC-authenticated users with support for [RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout)

 - Fix compatibility with Auth0 for OpenID-Connect authentification. See ramosbugs/openidconnect-rs#23
 - updated sql parser: https://github.com/apache/datafusion-sqlparser-rs/blob/main/changelog/0.60.0.md
 - updated apexcharts to 5.3.6:
   - apexcharts/apexcharts.js@v5.3.0...v5.3.6
   - https://github.com/apexcharts/apexcharts.js/releases/tag/v5.3.6
 - re-add the `lime` color option to charts
 - update default chart color palette; use [Open Colors](https://yeun.github.io/open-color/)
   - <img width="2077" height="978" alt="image" src="https://github.com/user-attachments/assets/839bd318-c4cd-419c-8f04-a583399e0512" />
 - re-enable text drop shadow in chart data labels

v0.40.0

Toggle v0.40.0's commit message
performance improvements, bug fixes, backwards incompatible variable

handling changes

- OIDC login redirects now use HTTP 303 responses so POST submissions are converted to safe GET requests before reaching the identity provider, fixing incorrect reuse of the original POST (HTTP 307) that could break standard auth flows.
 - SQLPage now respects [HTTP accept headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Accept) for JSON. You can now easily process the contents of any existing sql page programmatically with:
    - `curl -H "Accept: application/json" http://example.com/page.sql`: returns a json array
    - `curl -H "Accept: application/x-ndjson" http://example.com/page.sql`: returns one json object per line.
 - Fixed a bug in `sqlpage.link`: a link with no path (link to the current page) and no url parameter now works as expected. It used to keep the existing url parameters instead of removing them. `sqlpage.link('', '{}')` now returns `'?'` instead of the empty string.
 - `sqlpage.fetch(null)` and `sqlpage.fetch_with_meta(null)` now return `null` instead of throwing an error.
 - **New Function**: `sqlpage.set_variable(name, value)`
   - Returns a URL with the specified variable set to the given value, preserving other existing variables.
   - This is a shorthand for `sqlpage.link(sqlpage.path(), json_patch(sqlpage.variables('get'), json_object(name, value)))`.
 - **Variable System Improvements**: URL and POST parameters are now immutable, preventing accidental modification. User-defined variables created with `SET` remain mutable.
   - **BREAKING**: `$variable` no longer accesses POST parameters. Use `:variable` instead.
     - **What changed**: Previously, `$x` would return a POST parameter value if no GET parameter named `x` existed.
     - **Fix**: Replace `$x` with `:x` when you need to access form field values.
     - **Example**: Change `SELECT $username` to `SELECT :username` when reading form submissions.
   - **BREAKING**: `SET $name` no longer makes GET (URL) parameters inaccessible when a URL parameter with the same name exists.
     - **What changed**: `SET $name = 'value'` would previously overwrite the URL parameter `$name`. Now it creates an independent SET variable that shadows the URL parameter.
     - **Fix**: This is generally the desired behavior. If you need to access the original URL parameter after setting a variable with the same name, extract it from the JSON returned by `sqlpage.variables('get')`.
     - **Example**: If your URL is `page.sql?name=john`, and you do `SET $name = 'modified'`, then:
       - `$name` will be `'modified'` (the SET variable)
       - The original URL parameter is still preserved and accessible:
         - `sqlpage.variables('get')->>'name'` returns `'john'`
   - **New behavior**: Variable lookup now follows this precedence:
     - `$variable` checks SET variables first, then URL parameters
     - SET variables always shadow URL/POST parameters with the same name
   - **New sqlpage.variables() filters**:
     - `sqlpage.variables('get')` returns only URL parameters as JSON
     - `sqlpage.variables('post')` returns only POST parameters as JSON
     - `sqlpage.variables('set')` returns only user-defined SET variables as JSON
     - `sqlpage.variables()` returns all variables merged together, with SET variables taking precedence
   - **Deprecation warnings**: Using `$var` when both a URL parameter and POST parameter exist with the same name now shows a warning. In a future version, you'll need to explicitly choose between `$var` (URL) and `:var` (POST).
 - Improved performance of `sqlpage.run_sql`.
   - On a simple test that just runs 4 run_sql calls, the new version is about 2.7x faster (15,708 req/s vs 5,782 req/s) with lower latency (0.637 ms vs 1.730 ms per request).
 - add support for postgres range types

v0.39.1

Toggle v0.39.1's commit message
v0.39.1 (2025-11-08)

 - More precise server timing tracking to debug performance issues
 - Fix missing server timing header in some cases
 - Implement nice error messages for some header-related errors such as invalid header values.
 - `compress_responses` is now set to `false` by default in the configuration.
  - When response compression is enabled, additional buffering is needed. Users reported a better experience with pages that load more progressively, reducing the time before the pages' shell is rendered.
  - When SQLPage is deployed behind a reverse proxy, compressing responses between sqlpage and the proxy is wasteful.
 - In the table component, allow simple objects in custom_actions instead of requiring arrays of objects.
 - Fatser icon loading. Previously, even a page containing a single icon required downloading and parsing a ~2MB file. This resulted in a delay where pages initially appeared with a blank space before icons appeared. Icons are now inlined inside pages and appear instantaneously.
 - Updated tabler icons to 3.35
 - Fix inaccurate ODBC warnings
 - Added support for Microsoft SQL Server named instances: `mssql://user:pass@localhost/db?instance_name=xxx`
 - Added a detailed [performance guide](https://sql-page.com/blog?post=Performance+Guide) to the docs.

v0.39.0

Toggle v0.39.0's commit message
improved errors, table action URLs, Server-Timing, ODBC fixes, new lo…

…gin component.

 - Ability to execute sql for URL paths with another extension. If you create sitemap.xml.sql, it will be executed for example.com/sitemap.xml
 - Display source line info in errors even when the database does not return a precise error position. In this case, the entire problematic SQL statement is referenced.
 - The shell with a vertical sidebar can now have "active" elements, just like the horizontal header bar.
 - New `edit_url`, `delete_url`, and `custom_actions` properties in the [table](https://sql-page.com/component.sql?component=table) component to easily add nice icon buttons to a table.
 - SQLPage now sets the [`Server-Timing` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Server-Timing) in development. So when you have a page that loads slowly, you can open your browser's network inspector, click on the slow request, then open the timing tab to understand where it's spending its time.
   - <img width="1250" height="1263" alt="image" src="https://github.com/user-attachments/assets/6781a31f-e342-4e8c-8506-bc47049ce313" />
 - Fixed a memory corruption issue in the builtin odbc driver manager
 - ODBC: fix using globally installed system drivers by their name in debian-based linux distributions.
 - New [login](https://sql-page.com/component.sql?component=table) component.

v0.38.0

Toggle v0.38.0's commit message
Now SQLPage can connect to ANY relational database

 - Added support for the Open Database Connectivity (ODBC) standard.
   - This makes SQLPage compatible with many new databases, including:
    - [*ClickHouse*](https://github.com/ClickHouse/clickhouse-odbc),
    - [*MongoDB*](https://www.mongodb.com/docs/atlas/data-federation/query/sql/drivers/odbc/connect),
    - [*DuckDB*](https://duckdb.org/docs/stable/clients/odbc/overview.html), and through it [many other data sources](https://duckdb.org/docs/stable/data/data_sources),
    - [*Oracle*](https://www.oracle.com/database/technologies/releasenote-odbc-ic.html),
    - [*Snowflake*](https://docs.snowflake.com/en/developer-guide/odbc/odbc),
    - [*BigQuery*](https://cloud.google.com/bigquery/docs/reference/odbc-jdbc-drivers),
    - [*IBM DB2*](https://www.ibm.com/support/pages/db2-odbc-cli-driver-download-and-installation-information),
    - [*Trino*](https://docs.starburst.io/clients/odbc/odbc-v2.html), and through it [many other data sources](https://trino.io/docs/current/connector.html)
 - Added a new `sqlpage.hmac()` function for cryptographic HMAC (Hash-based Message Authentication Code) operations.
   - Create and verify secure signatures for webhooks (Shopify, Stripe, GitHub, etc.)
   - Generate tamper-proof tokens for API authentication
   - Secure download links and temporary access codes
   - Supports SHA-256 (default) and SHA-512 algorithms
   - Output formats: hexadecimal (default) or base64 (e.g., `sha256-base64`)
   - See the [function documentation](https://sql-page.com/functions.sql?function=hmac) for detailed examples
 - Fixed a slight spacing issue in the list components empty value display.
 - Improved performance of setting a variable to a literal value. `SET x = 'hello'` is now executed locally by SQLPage and does not send anything to the database. This completely removes the cost of extracting static values into variables for cleaner SQL files.
 - Enable arbitrary precision in the internal representation of numbers. This guarantees zero precision loss when the database returns very large or very small DECIMAL or NUMERIC values.

v0.38.0-beta.1

Toggle v0.38.0-beta.1's commit message
Adds support for many new database systems through ODBC. This is a be…

…ta version, please report any bug you may find.