Looker Query ID API Patch Notice

Looker has made a mandatory security update available to prevent the risk of metadata exposure across authenticated Looker users sharing the same LookML model. To enable the mitigation in your instance, you might be required to change the usage of certain API endpoints. This patch affects all supported Looker versions listed in the Officially supported releases document.

What changed?

Looker has applied a mandatory security update to your system. Due to the change in behavior of some API endpoints, you will need to take action to enable the security update and adjust your usage of any updated APIs to avoid causing errors in your API scripts.

For Looker-hosted instances, this patch adds a new legacy feature, called Disallow Numeric Query IDs. When enabled, this legacy feature causes changes in the use of the following API endpoints:

• The GET /queries/<query_id> endpoint requires a slug for the query_id. A query_id that is given a numeric query ID will return a 404 error.
• The POST /render_tasks/queries/<query_id>/<result_format> endpoint requires a slug for the query_id. A query_id that is given a numeric query ID will return a 404 error.
• The GET /running_queries endpoint is restricted to Looker admins only.

For customer-hosted instances, the previous API endpoint changes will be enabled when the instance is upgraded to a Looker version that includes this patch.

What do I need to do?

Google Cloud recommends all customers complete both of the following actions:

• Update any API scripts that include any of the updated API endpoints. If you don't update your API scripts as described in the following section, this may cause errors in your applications. For instructions on how to use System Activity to view your API endpoint usage, see the "How can I tell if we use any of the updated API endpoints?" section of this document.

• Enable the patch updates. For instructions, see the section that corresponds with your Looker instance:

  • Enabling the patch updates on Looker-hosted Looker (original) instances
  • Enabling the patch updates on Looker (Google Cloud core) instances
  • Enabling the patch updates on Customer-hosted instances

Updating API scripts

If you are using one of the API endpoints listed next, you may need to take action regardless of the Looker version or API version that you are using. The recommended action is different depending on whether you are using API 3.0 or API 3.1, or API 4.0.

• GET /queries/<query_id>
• POST /render_tasks/queries/<query_id>/<result_format>
• GET /running_queries

If you are using API 4.0

If you are using API 4.0, and are using one of the endpoints listed in the previous section, make the following application code changes:

• Replace any numeric query_ids (for example, 32, 124, etc.) that are used with the GET /queries/<query_id> or POST /render_tasks/queries/<query_id>/<result_format> endpoints with the slug value for the query. For instructions on finding a query's slug value, see the section "How do I find the slug value for a query?".
• Any applications that use the GET /running_queries endpoint will be restricted to Looker admins only.

If you are using API 3.0 or 3.1

If you are using API 3.0 or API 3.1, and are using one of the endpoints listed in the previous section, make the following application code changes:

• The GET /queries/<query_id> endpoint will no longer work. Replace the GET /queries/<query_id> endpoint with the GET /queries/slug/<slug> endpoint to retrieve the same query metadata you were getting before. For instructions on finding a query's slug value, see the section "How do I find the slug value for a query?".
• The POST /render_tasks/queries/<query_id>/<result_format> endpoint will no longer work. The Looker SDKs that support API 3.1 will support both API 3.1 and API 4.0. If you are not using one of Looker's SDKs, modify the http request path to use 4.0 instead of 3.1 for that call. Then replace any numeric query_ids (for example, 32, 124, etc.) with the slug value for the query. For instructions on finding a query's slug value, see the section "How do I find the slug value for a query?".
• Any applications that use the GET /running_queries endpoint will be restricted to Looker admins only.

How do I find the slug value for a query?

You can find the slug value for a query in the following ways:

• For an Explore, you can find the slug in the Explore's URL following the qid= variable in the URL.

• You can find the slug value using associated with a numeric query ID using System Activity.

  1. From the Looker Explore menu, select the System Activity > History Explore.

  2. From the Query view, select the ID and Link dimensions.

  3. Optionally, add a filter on the ID dimension, and enter the query's numeric query ID in the Query ID filter field.

  4. Click Run.

     

  5. Click the [Query] link next to the numeric query ID in the Explore results, and that will open an Explore based on that numeric query ID.

  6. You can then use the slug in the Explore's URL, which follows the qid= variable in the URL.

Enabling the patch on Looker-hosted Looker (original) instances

Google Cloud recommends all Looker-hosted customers enable the new Disallow Numeric Query ID legacy feature.

To enable Disallow Numeric Query IDs:

1. Navigate to the Admin > Legacy panel in Looker's Admin menu.

2. Enable the Disallow Numeric Query IDs toggle:

   

Enabling the patch on Looker (Google Cloud core) instances

The patch is automatically enabled on all Looker (Google Cloud core) instances. There is nothing you need to do to enable the patch, but ensure to update any API scripts that include any of the updated API endpoints.

Enabling the patch on Customer-hosted instances

All customer-hosted instances should update their Looker instance to a version of Looker that includes the latest patch. This patch is included in the most recent update to Looker versions 23.18, 23.20, 24.0, and 24.2, and to Looker ESR versions 23.0, 23.6, 23.12, and 24.0. Ensure to update any API scripts that include any of the updated API endpoints before you update your Looker instance.

How can I tell if we use any of the updated API endpoints?

You can view a list of the API calls made to your Looker instance using the API Usage System Activity Explore.

1. From the Looker Explore menu, select the System Activity Explore, and then the API Usage view.

2. Select the Created Date > Date and Endpoint dimensions, and the Total Usage measure.

3. Add a filter on the Endpoint dimension, and in the filter field, include the following endpoints:

   • /queries/:query_id
   • /render_tasks/queries/:query_id/:result_format
   • /running_queries

4. Click Run. Looker will display usage information for those endpoints.

   

If I need more time to update my API scripts, what do I do?

Contact Looker support no later than February 21st, 5pm Pacific, and advise us that you would like to have the Disallow Numeric Query IDs legacy feature disabled until you can update your API scripts.

Are there additional steps, outside of what I need to do for this incident, that the affected parties need to do to mitigate possible adverse effects?

No

What steps is Looker taking to prevent similar issues in the future?

Looker and Google maintain a robust security program to proactively prevent and identify security flaws internally. You can find more information at https://cloud.google.com/looker/product/security.

Has Looker informed regulators?

Looker follows all appropriate regulatory requirements regarding disclosures for these types of issues.