fix: support pandas @variable syntax in query validator and fix CI failures

kunal-10-cloud · kunal-10-cloud · commit 6fafe9b75307 · 2026-04-14T19:35:28.000+05:30
- Preprocess @variable references (e.g., `taxon in @taxon_list`) by replacing them with safe placeholder identifiers before AST parsing, since @ is pandas-specific syntax not valid in Python AST - Fix test_non_string_input to accept both UnsafeQueryError and TypeError (typeguard may intercept the type check first) - Add tests for @variable reference patterns Fixes 22 CI test failures caused by sample_query_options using @var syntax
diff --git a/malariagen_data/anoph/safe_query.py b/malariagen_data/anoph/safe_query.py
@@ -21,8 +21,14 @@
 """
 
 import ast
+import re
 from typing import Optional, Set
 
+# Pattern matching pandas @variable references in query strings.
+# These are not valid Python but are a pandas feature for referencing
+# local/global variables via the `local_dict` or `global_dict` kwargs.
+_AT_VAR_PATTERN = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)")
+
 
 # AST node types that are safe in query expressions.
 _SAFE_NODE_TYPES = (
@@ -137,8 +143,14 @@ def validate_query(query: str, allowed_names: Optional[Set[str]] = None) -> None
     if not query:
         raise UnsafeQueryError("Query string must not be empty.")
 
+    # Replace pandas @variable references with plain identifiers so the
+    # expression can be parsed as valid Python.  The replaced names are
+    # prefixed with ``_at_`` to avoid collisions with real column names
+    # while remaining dunder-free.
+    query_for_parse = _AT_VAR_PATTERN.sub(r"_at_\1", query)
+
     try:
-        tree = ast.parse(query, mode="eval")
+        tree = ast.parse(query_for_parse, mode="eval")
     except SyntaxError as e:
         raise UnsafeQueryError(f"Query string is not a valid expression: {e}") from e
 
diff --git a/tests/anoph/test_safe_query.py b/tests/anoph/test_safe_query.py
@@ -77,6 +77,16 @@ def test_list_literal_in(self):
     def test_whitespace_handling(self):
         validate_query("  country == 'Ghana'  ")
 
+    def test_at_variable_reference(self):
+        """Pandas @var syntax for referencing local variables."""
+        validate_query("sex_call in @sex_call_list")
+
+    def test_at_variable_in_compound(self):
+        validate_query("taxon in @taxon_list and year > 2015")
+
+    def test_at_variable_equality(self):
+        validate_query("country == @target_country")
+
 
 class TestValidateQueryRejectsMalicious:
     """Ensure that code injection attempts are blocked."""
@@ -171,7 +181,7 @@ def test_whitespace_only(self):
             validate_query("   ")
 
     def test_non_string_input(self):
-        with pytest.raises(UnsafeQueryError, match="must be a string"):
+        with pytest.raises((UnsafeQueryError, TypeError)):
             validate_query(123)
 
     def test_syntax_error(self):
