feat: allow applying session settings to queries

[karl-power]

Closes HDX-3154

This PR adds a feature that allows the user to add settings to a source. These settings are then added to the end of every query that is rendered through the renderChartConfig function, along with any other chart specific settings.

See: https://clickhouse.com/docs/sql-reference/statements/select#settings-in-select-query

Most of the work was to pass the source or source.querySettings value through the code to the renderChartConfig calls and to update the related tests. There are also some UI changes in the SourceForm components.

SQLParser.Parser from the node-sql-parser throws an error when it encounters a SETTINGS clause in a sql string, so a function was added to remove that clause from any sql that is passed to the parser. It assumes that the SETTINGS clause will always be at the end of the sql string, it removes any part of the string including and after the SETTINGS clause.

Screen.Recording.2026-01-16.at.12.42.35.mov

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
hyperdx-v2-oss-app	Ready	Preview, Comment	Jan 19, 2026 4:46pm

[changeset-bot]

🦋 Changeset detected

Latest commit: f4824e9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@hyperdx/common-utils	Minor
@hyperdx/api	Minor
@hyperdx/app	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[claude]

Security Review

Critical Issues:

• SQL Injection vulnerability in renderChartConfig.ts:930 - User-controlled setting and value are directly interpolated into SQL without escaping. Use parameterized queries with Identifier and String types.

High Priority:

• Missing input validation in types.ts:606-608 - QuerySettingsSchema accepts any strings. Add whitelist of allowed ClickHouse settings plus regex validation for setting names.
• No string length limits in validation - Add max length constraints to prevent DoS.

Medium Priority:

• Case sensitivity bug in utils.ts:707 - sql.toUpperCase().indexOf() returns uppercase position but operates on original string. Use regex instead.

Recommendation: Block merge until SQL injection is fixed. This allows arbitrary SQL execution through source settings.

[github-actions]

E2E Test Results

✅ All tests passed • 60 passed • 4 skipped • 759s

Status	Count
✅ Passed	60
❌ Failed	0
⚠️ Flaky	1
⏭️ Skipped	4

Tests ran across 4 shards in parallel.

View full report →

[brandon-pereira]

We may want to limit some of the supported settings in the UI.. or have exclusions.

For example, max_execution_time does not work because we add it in the request headers from the Query Timeout (seconds) option

[karl-power]

It looks like the settings configured at the source level and applied per query take precedence over those passed directly to the CH client. Maybe that could be useful if a user wanted to overwrite?

[brandon-pereira]

Hmm - definitely worth raising as a question to the team - not sure this should be an override or if global settings should have higher priority.

[brandon-pereira]

I think we need to check if its numberish and remove the quotes- because I get this error atm