security

pinky_core.security

Input validation and sanitization utilities.

No external dependencies — importable without a Snowflake connection. Safe to use in SP/UDF handlers, Streamlit apps, and local scripts.

safe_filepath(filepath)

Validate and sanitize a file path for use in a Snowflake REMOVE statement.

Rejects paths containing special characters or .. segments, and escapes single quotes to prevent SQL injection in dynamically built DDL.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| filepath | str | Relative path to validate (e.g. "folder/file.csv"). | required |

Returns:

| Type | Description |
|---|---|
| str | Sanitized path with single quotes doubled. |

Raises:

| Type | Description |
|---|---|
| ValueError | If the path contains disallowed characters or "..". |

Source code in src/pinky_core/security.py
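import re  # required by the allow-list check below


def safe_filepath(filepath: str) -> str:
    """Validate and sanitize a file path for use in a Snowflake REMOVE statement.

    Rejects paths containing special characters or ``..`` segments, and escapes
    single quotes to prevent SQL injection in dynamically built DDL.

    Args:
        filepath: Relative path to validate (e.g. ``"folder/file.csv"``).

    Returns:
        Sanitized path with single quotes doubled.

    Raises:
        ValueError: If the path contains disallowed characters or ``..``.
    """
    # Allow-list check. re.fullmatch is used because "$" with re.match also
    # matches just before a trailing newline, which would let "file.csv\n" pass.
    # A single quote is not in the allow-list, so such paths are rejected here
    # and the returned value never contains a quote that would need doubling.
    if not re.fullmatch(r"[a-zA-Z0-9_/\-\. \(\)]+", filepath) or ".." in filepath:
        raise ValueError(f"Invalid filepath: {filepath!r}")
    return filepath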

validate_identifier(name)

Validate that a string is a safe Snowflake SQL identifier.

Allows letters, digits and underscores only. Raises on anything else to guard against SQL injection in dynamically built DDL statements.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| name | str | Identifier to validate (e.g. a column or object name). | required |

Returns:

| Type | Description |
|---|---|
| str | The unchanged name if valid. |

Raises:

| Type | Description |
|---|---|
| ValueError | If the name contains disallowed characters. |

Source code in src/pinky_core/security.py
import re  # required by the allow-list check below


def validate_identifier(name: str) -> str:
    """Validate that a string is a safe Snowflake SQL identifier.

    Allows letters, digits and underscores only. Raises on anything else to
    guard against SQL injection in dynamically built DDL statements.

    Args:
        name: Identifier to validate (e.g. a column or object name).

    Returns:
        The unchanged name if valid.

    Raises:
        ValueError: If the name contains disallowed characters.
    """
    # The first character must be a letter or underscore; the rest may also be
    # digits. re.fullmatch is used because "$" with re.match also matches just
    # before a trailing newline, which would let "name\n" pass.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"Invalid identifier: {name!r}")
    return name
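
An added example (not part of pinky_core) showing why allow-list validators like the two above must match the entire string: in Python, `$` also matches just before a trailing newline, so `re.match` with `^...$` accepts `"my_stage\n"` while `re.fullmatch` rejects it. The names `loose_identifier`, `strict_identifier`, `strict_filepath`, `build_remove` and `rejected`, the sample inputs, and the single-quoted shape of the REMOVE statement are assumptions made for illustration.

```python
import re

# Character classes taken from the validators documented on this page.
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
PATH = r"[a-zA-Z0-9_/\-\. \(\)]+"


def loose_identifier(name: str) -> bool:
    """re.match with ^...$: `$` also matches before one trailing newline."""
    return re.match(rf"^{IDENT}$", name) is not None


def strict_identifier(name: str) -> str:
    """re.fullmatch: the whole string must consist of allowed characters."""
    if not re.fullmatch(IDENT, name):
        raise ValueError(f"Invalid identifier: {name!r}")
    return name


def strict_filepath(path: str) -> str:
    """Allow-list check plus rejection of any '..' sequence."""
    if not re.fullmatch(PATH, path) or ".." in path:
        raise ValueError(f"Invalid filepath: {path!r}")
    return path


def build_remove(stage: str, path: str) -> str:
    """Hypothetical helper: compose a REMOVE statement from validated parts."""
    return f"REMOVE '@{strict_identifier(stage)}/{strict_filepath(path)}'"


def rejected(fn, value: str) -> bool:
    """Return True when fn raises ValueError for value."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: valid, trailing newline, leading digit, separator.
    for sample in ["my_stage", "my_stage\n", "1stage", "a;b"]:
        strict_ok = not rejected(strict_identifier, sample)
        print(f"{sample!r}: loose={loose_identifier(sample)} strict={strict_ok}")
    print(build_remove("my_stage", "folder/file (1).csv"))
```

Because a quote can never pass the path allow-list, the composed statement cannot be closed early by the validated values; validation has to happen before any string formatting, as `build_remove` does.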