Skip to content

Docs: Add SAP HANA Cloud Knowledge graph engine documentation #31392

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Docs: Add SAP HANA Cloud Knowledge graph engine documentation #31392

wants to merge 5 commits into from

Conversation

yonarw
Copy link
Contributor

@yonarw yonarw commented May 28, 2025

Description:
Adds a documentation with examples for the usage of langchain with langchain-hana and the SAP HANA Cloud Knowledge graph engine.

Issue:
None - integration documentation

Dependencies:
None

@vercel Vercel
Copy link

vercel bot commented May 28, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
langchain ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 28, 2025 1:04pm

@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. 🤖:docs Changes to documentation and examples, like .md, .rst, .ipynb files. Changes to the docs/ folder labels May 28, 2025
@yonarw
Copy link
Contributor Author

yonarw commented Jun 2, 2025

@eyurtsev or @ccurme could I kindly ask for feedback/review to this PR?

@eyurtsev eyurtsev self-assigned this Jun 2, 2025
@eyurtsev
Copy link
Collaborator

eyurtsev commented Jun 5, 2025

Is there any form of query sanization?

This looks like it's allowing for arbitrary queries against the database?

https://langchain-git-fork-yonarw-saphanakg-langchain.vercel.app/docs/integrations/graphs/sap_hana_graph_sparql/#executing-sparql-queries

@yonarw
Copy link
Contributor Author

yonarw commented Jun 6, 2025

It only allows queries against the knowledge graph as the query function calls a stored procedure on our plugin side.
See SPARQL_EXECUTE

@eyurtsev
Copy link
Collaborator

eyurtsev commented Jun 9, 2025

Is there a need to sanitize the query? Can a malicious actor inject sql?

@yonarw
Copy link
Contributor Author

yonarw commented Jun 10, 2025

Your concerns are right in a way, it would be possible to pass malicious sparql here in theory. But since you need a dedicated HANA connection to open your HanaRdfGraph handel in the first place, we think langchain-hana shoudn't be responsible for sanitizing in this case. If you already have a connection to HANA, you already can execute sql, sparql however you want and however your connection lets you do it.

@eyurtsev
Copy link
Collaborator

The risk profile is developers use langchain-hana package to develop an application and expose some functionality (e.g., question answering) via an endpoint. Most developers will not expect that the Q&A chain can execute privileged commands.

Is an attack possible through this code path:

# Create a SPARQL QA Chain
chain = HanaSparqlQAChain.from_llm(
    llm=llm,
    verbose=True,
    allow_dangerous_requests=True,
    graph=graph,
)
output = chain.invoke("which actors acted in Blade Runner?")

print(output["result"])

For example, could a malicious user trick the underlying LLM to drop the database?

If so, this is not a safe implementation since it's:

  1. It's surprising to a developer
  2. It's not documented as such

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@eyurtsev eyurtsev

Labels
🤖:docs Changes to documentation and examples, like .md, .rst, .ipynb files. Changes to the docs/ folder size:XL This PR changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yonarw @eyurtsev