Fix CodeQL ReDoS: replace vulnerable write regex with comment-stripping approach

CodeQL found exponential backtracking in _SQL_WRITE_RE which used
nested quantifiers for SQL comment matching: (?:/\*.*?\*/\s*|...)*

Fix: separate comment stripping (_SQL_COMMENT_RE) from write detection.
1. Strip SQL comments with a safe non-backtracking regex
2. Check for write keywords with the simple anchored regex

The comment regex uses [^*]*\*+(?:[^/*][^*]*\*+)*/ which is the
standard safe pattern for matching C-style block comments.

3 new tests for comment-prefixed write detection.
774 unit tests passing.

Author: Saurabh Badenkal

src/PowerPlatform/Dataverse/data/_odata.py

@@ -839,9 +839,10 @@ def _do_request(url: str, *, params: Optional[Dict[str, Any]] = None) -> Dict[st
 
     # ----------------------- SQL guardrail patterns --------------------
     _SQL_WRITE_RE = re.compile(
-        r"^\s*(?:/\*.*?\*/\s*|--[^\n]*\n\s*)*(?:INSERT|UPDATE|DELETE|DROP|TRUNCATE|ALTER|CREATE|EXEC|GRANT|REVOKE|BULK)\b",
-        re.IGNORECASE | re.DOTALL,
+        r"^\s*(?:INSERT|UPDATE|DELETE|DROP|TRUNCATE|ALTER|CREATE|EXEC|GRANT|REVOKE|BULK)\b",
+        re.IGNORECASE,
     )
+    _SQL_COMMENT_RE = re.compile(r"/\*[^*]*\*+(?:[^/*][^*]*\*+)*/|--[^\n]*", re.DOTALL)
     _SQL_LEADING_WILDCARD_RE = re.compile(r"\bLIKE\s+'%[^']", re.IGNORECASE)
     _SQL_IMPLICIT_CROSS_JOIN_RE = re.compile(
         r"\bFROM\s+[A-Za-z0-9_]+(?:\s+[A-Za-z0-9_]+)?\s*,\s*[A-Za-z0-9_]+",
@@ -929,8 +930,9 @@ def _sql_guardrails(self, sql: str) -> str:
         """
         # --- BLOCKED (save server round-trip) ---
 
-        # 1. Block writes
-        if self._SQL_WRITE_RE.search(sql):
+        # 1. Block writes (strip SQL comments first to catch comment-prefixed writes)
+        sql_no_comments = self._SQL_COMMENT_RE.sub(" ", sql).strip()
+        if self._SQL_WRITE_RE.search(sql_no_comments):
             raise ValidationError(
                 "SQL endpoint is read-only. Use client.records or "
                 "client.dataframe for write operations "
@@ -1035,8 +1037,10 @@ def _query_sql(self, sql: str) -> list[dict[str, Any]]:
         sql = sql.strip()
 
         # Block write statements FIRST (before table extraction, since
-        # UPDATE/INSERT/DELETE don't have FROM clauses)
-        if self._SQL_WRITE_RE.search(sql):
+        # UPDATE/INSERT/DELETE don't have FROM clauses).
+        # Strip SQL comments to catch e.g. /**/DELETE or --\\nDELETE.
+        sql_no_comments = self._SQL_COMMENT_RE.sub(" ", sql).strip()
+        if self._SQL_WRITE_RE.search(sql_no_comments):
             raise ValidationError(
                 "SQL endpoint is read-only. Use client.records or "
                 "client.dataframe for write operations "

tests/unit/data/test_sql_guardrails.py

@@ -78,6 +78,19 @@ def test_select_with_delete_in_where_not_blocked(self):
         result = c._sql_guardrails("SELECT TOP 10 name FROM account WHERE name = 'DELETE ME'")
         assert "SELECT" in result
 
+    @pytest.mark.parametrize(
+        "sql",
+        [
+            "/* comment */ DELETE FROM account",
+            "-- line comment\nDELETE FROM account",
+            "/* multi\nline */ DROP TABLE account",
+        ],
+    )
+    def test_comment_prefixed_writes_blocked(self, sql):
+        c = _client()
+        with pytest.raises(ValidationError, match="read-only"):
+            c._sql_guardrails(sql)
+
 
 # ===================================================================
 # 1b. Block server-rejected SQL patterns (save round-trip)