NoExecute

NoExecute is a custom policy check that prevents the use of EXEC or EXECUTE statements.

regex: (?i:exec\s|execute\s)\s*

This example utilizes SQL Server. You can use this check as it is or customize it further to fit your needs in your SQL database. All Regex Custom Policy Checks can only run against the changelog, not against the database.

Scope Database
changelog SQL Server
  • Install Liquibase 4.29.0+
  • Configure a valid Liquibase Pro license key
  • Ensure the Liquibase Checks extension is installed. In Liquibase 4.31.0+, it is already installed in the /liquibase/internal/lib directory, so no action is needed. If the checks JAR is not installed, download liquibase-checks-<version>.jar and put it in the liquibase/lib directory.
    • Maven users only: Add this dependency to your pom.xml file:
    • <dependency>
    <groupId>org.liquibase.ext</groupId>
    <artifactId>liquibase-checks</artifactId>
    <version>2.0.0</version>
</dependency>
  • Java Development Kit 17+ (available for Open JDK and Oracle JDK)
  • Linux, macOS, or Windows operating system
  • Familiarity with Liquibase concepts: Changelog, Changeset, Policy Checks Commands, checks-scope, and snapshot

Before creating a custom policy check with Python, we recommend being familiar with:

  • Python 3.10.14+. (See here for the official Python tutorial)
  • Optional: General coding and Python best practices which will improve your check performance:
    • Efficient handling of structured data objects
    • Effective and targeted parsing of text, objects, and SQL
    • Using regular expressions and other pattern-matching tools within Python
    • Using Python virtual environments. Liquibase comes with a built-in virtual environment for Liquibase Custom Policy Checks. The built-in environment includes Liquibase Python modules and some common external Python modules—no configuration needed. However, if you want to install additional modules, or if you want your IDE to recognize the Liquibase modules, you must Create a Python Virtual Environment separately.

Tip: Downloading Python itself is not required to create custom checks in the Liquibase checks framework, but it may be useful to test checks against Python 3.10.14+.

Step-by-Step

Note: These steps describe how to create the custom policy check. It does not exist by default in Liquibase Pro.

  1. Enter this command into the CLI: 
    liquibase checks customize --check-name=SqlUserDefinedPatternCheck
  2. Give your check a short name for easier identification. In this example we will title the check:
    NoExecute

  3. Set the Severity to return a code of 0-4 when triggered.
    Options: 'INFO'=0, 'MINOR'=1, 'MAJOR'=2, 'CRITICAL'=3, 'BLOCKER'=4

  4. Set the SEARCH_STRING to this valid regular expression:
    (?i:exec\s|execute\s)\s*

  5. Set the MESSAGE for when a match for regular expression <SEARCH_STRING> is found in a Changeset:

    Example: Error! EXEC or EXECUTE detected.

  6. Set STRIP_COMMENTS to true if you want to remove the comments from the output.

    The regex custom policy check is created successfully.

Sample Failing Scripts

Copy 
--changeset amalik:execute_immediate
DECLARE
   sql_stmt    VARCHAR2(200);
   plsql_block VARCHAR2(500);
   emp_id      NUMBER(4) := 7566;
   salary      NUMBER(7,2);
   dept_id     NUMBER(2) := 50;
   dept_name   VARCHAR2(14) := 'PERSONNEL';
   location    VARCHAR2(13) := 'DALLAS';
   emp_rec     emp%ROWTYPE;
BEGIN
   EXECUTE IMMEDIATE 'CREATE TABLE bonus (id NUMBER, amt NUMBER)';
   sql_stmt := 'INSERT INTO dept VALUES (:1, :2, :3)';
   EXECUTE IMMEDIATE sql_stmt USING dept_id, dept_name, location;
   sql_stmt := 'SELECT * FROM emp WHERE empno = :id';
   EXECUTE IMMEDIATE sql_stmt INTO emp_rec USING emp_id;
   plsql_block := 'BEGIN emp_pkg.raise_salary(:id, :amt); END;';
   EXECUTE IMMEDIATE plsql_block USING 7788, 500;
   sql_stmt := 'UPDATE emp SET sal = 2000 WHERE empno = :1
      RETURNING sal INTO :2';
   EXECUTE IMMEDIATE sql_stmt USING emp_id RETURNING INTO salary;
   EXECUTE IMMEDIATE 'DELETE FROM dept WHERE deptno = :num'
      USING dept_id;
   EXECUTE IMMEDIATE 'ALTER SESSION SET SQL_TRACE TRUE';
END;

Sample Error Message

Copy 
CHANGELOG CHECKS
----------------
Checks completed validation of the changelog and found the following issues:

Check Name:         Check for specific patterns in sql (NoExecute)
Changeset ID:       execute_immediate
Changeset Filepath: changeLogs/2_objects/02_storedprocedure/execute_immediate.sql
Check Severity:     INFO (Return code: 4)
Message:            Error! EXEC or EXECUTE detected.