From 033ef59c0174ef4085ace29e0aaac277dba4b2a8 Mon Sep 17 00:00:00 2001
From: Johan Wikman <johan.wikman@mariadb.com>
Date: Wed, 21 Mar 2018 20:15:44 +0200
Subject: [PATCH] MXS-1733 Match empty values

If a table/database rule has been provided then if the resultset
does not contain table/database names, then we consider it a match
(subject to the column obviously).

Otherwise a rule like

        {
            "replace": {
                "table": "info",
                "column": "email"
            },
            "with": {
                "fill": "*"
            }
        }

could be bypassed with a statement like

    SELECT * FROM info UNION SELECT * from info

as the resultset in that case will not indicate that the column emain
is from info, which it will if the statement is

    SELECT * FROM info;
---
 server/modules/filter/masking/maskingrules.cc | 12 ++++++++++--
 server/modules/filter/masking/mysql.hh        |  8 ++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/server/modules/filter/masking/maskingrules.cc b/server/modules/filter/masking/maskingrules.cc
index 5a56a0051..42ecdad13 100644
--- a/server/modules/filter/masking/maskingrules.cc
+++ b/server/modules/filter/masking/maskingrules.cc
@@ -1071,10 +1071,18 @@ bool MaskingRules::Rule::matches(const ComQueryResponse::ColumnDef& column_def,
                                  const char* zUser,
                                  const char* zHost) const
 {
+    const LEncString& table = column_def.org_table();
+    const LEncString& database = column_def.schema();
+
+    // If the resultset does not contain table and database names, as will
+    // be the case in e.g. "SELECT * FROM table UNION SELECT * FROM table",
+    // we consider it a match if a table or database have been provided.
+    // Otherwise it would be easy to bypass a table/database rule.
+
     bool match =
         (m_column == column_def.org_name()) &&
-        (m_table.empty() || (m_table == column_def.org_table())) &&
-        (m_database.empty() || (m_database == column_def.schema()));
+        (m_table.empty() || table.empty() || (m_table == table)) &&
+        (m_database.empty() || database.empty() || (m_database == database));
 
     if (match)
     {
diff --git a/server/modules/filter/masking/mysql.hh b/server/modules/filter/masking/mysql.hh
index a15df7133..47654e458 100644
--- a/server/modules/filter/masking/mysql.hh
+++ b/server/modules/filter/masking/mysql.hh
@@ -284,6 +284,14 @@ public:
         return m_length;
     }
 
+    /**
+     * @return True if the string is empty, false otherwise.
+     */
+    bool empty() const
+    {
+        return m_length == 0;
+    }
+
     /**
      * Compare for equality.
      *