hcq/MaxScale
hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add function blocking to dbfwfilter

Browse Source 
The dbfwfilter now supports blocking of individual functions.
This commit is contained in:
Markus Mäkelä 2017-01-10 12:03:18 +02:00
parent 990ecfc114
commit 1ceafb9723
5 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Documentation/Filters/Database-Firewall-Filter.md
View File

@ -113,6 +113,12 @@ This rule blocks all queries that use the wildcard character *.
This rule expects a list of values after the `columns` keyword. These values are interpreted as column names and if a query targets any of these, it is blocked.
#### `function`
This rule expects a list of values after the `function` keyword. These values
are interpreted as function names and if a query uses any of these, it is
blocked.
#### `regex`
This rule blocks all queries matching a regex enclosed in single or double quotes.

53
server/modules/filter/dbfwfilter/dbfwfilter.c
View File

@ -110,6 +110,7 @@ typedef enum
{
RT_UNDEFINED = 0x00, /*< Undefined rule */
RT_COLUMN, /*< Column name rule*/
RT_FUNCTION, /*< Function name rule*/
RT_THROTTLE, /*< Query speed rule */
RT_PERMISSION, /*< Simple denying rule */
RT_WILDCARD, /*< Wildcard denial rule */
@ -1014,6 +1015,7 @@ static void rule_free_all(RULE* rule)
switch (rule->type)
{
case RT_COLUMN:
case RT_FUNCTION:
strlink_free((STRLINK*) rule->data);
break;
@ -1221,6 +1223,26 @@ bool define_columns_rule(void* scanner, char* columns)
return list != NULL;
}
/**
* Define the current rule as a function rule
* @param scanner Current scanner
* @param columns List of function names
*/
bool define_function_rule(void* scanner, char* columns)
{
struct parser_stack* rstack = dbfw_yyget_extra((yyscan_t) scanner);
ss_dassert(rstack);
STRLINK* list = NULL;
if ((list = strlink_push(rstack->rule->data, strip_backticks(columns))))
{
rstack->rule->type = RT_FUNCTION;
rstack->rule->data = list;
}
return list != NULL;
}
/**
* Define the topmost rule as a no_where_clause rule
* @param scanner Current scanner
@ -1897,6 +1919,7 @@ bool rule_matches(FW_INSTANCE* my_instance,
if (parse_result != QC_QUERY_PARSED)
{
if ((rulebook->rule->type == RT_COLUMN) ||
(rulebook->rule->type == RT_FUNCTION) ||
(rulebook->rule->type == RT_WILDCARD) ||
(rulebook->rule->type == RT_CLAUSE))
{
@ -1996,6 +2019,36 @@ bool rule_matches(FW_INSTANCE* my_instance,
}
break;
case RT_FUNCTION:
if (is_sql && is_real)
{
const QC_FUNCTION_INFO* infos;
size_t n_infos;
qc_get_function_info(queue, &infos, &n_infos);
for (size_t i = 0; i < n_infos; ++i)
{
const char* tok = infos[i].name;
STRLINK* strln = (STRLINK*) rulebook->rule->data;
while (strln)
{
if (strcasecmp(tok, strln->value) == 0)
{
matches = true;
sprintf(emsg, "Permission denied to function '%s'.", strln->value);
MXS_INFO("dbfwfilter: rule '%s': query uses forbidden function: %s",
rulebook->rule->name, strln->value);
msg = MXS_STRDUP_A(emsg);
break;
}
strln = strln->next;
}
}
}
break;
case RT_WILDCARD:
if (is_sql && is_real)
{

1
server/modules/filter/dbfwfilter/dbfwfilter.h
View File

@ -43,6 +43,7 @@ void define_wildcard_rule(void* scanner);
void define_where_clause_rule(void* scanner);
bool define_regex_rule(void* scanner, char* pattern);
bool define_columns_rule(void* scanner, char* columns);
bool define_function_rule(void* scanner, char* columns);
bool define_limit_queries_rule(void* scanner, int max, int timeperiod, int holdoff);
bool add_at_times_rule(void* scanner, const char* range);
void add_on_queries_rule(void* scanner, const char* sql);

10
server/modules/filter/dbfwfilter/ruleparser.y
View File

@ -37,7 +37,7 @@
%token FWTOK_RULE <strval>FWTOK_RULENAME FWTOK_USERS <strval>FWTOK_USER FWTOK_RULES FWTOK_MATCH FWTOK_ANY FWTOK_ALL FWTOK_STRICT_ALL FWTOK_DENY
%token FWTOK_WILDCARD FWTOK_COLUMNS FWTOK_REGEX FWTOK_LIMIT_QUERIES FWTOK_WHERE_CLAUSE FWTOK_AT_TIMES FWTOK_ON_QUERIES
%token <strval>FWTOK_SQLOP FWTOK_COMMENT <intval>FWTOK_INT <floatval>FWTOK_FLOAT FWTOK_PIPE <strval>FWTOK_TIME
%token <strval>FWTOK_BTSTR <strval>FWTOK_QUOTEDSTR <strval>FWTOK_STR
%token <strval>FWTOK_BTSTR <strval>FWTOK_QUOTEDSTR <strval>FWTOK_STR FWTOK_FUNCTION
/** Non-terminal symbols */
%type <strval>rulename
@ -113,6 +113,7 @@ mandatory:
{if (!define_limit_queries_rule(scanner, $2, $3, $4)){YYERROR;}}
| FWTOK_REGEX FWTOK_QUOTEDSTR {if (!define_regex_rule(scanner, $2)){YYERROR;}}
| FWTOK_COLUMNS columnlist
| FWTOK_FUNCTION functionlist
;
columnlist:
@ -122,6 +123,13 @@ columnlist:
| columnlist FWTOK_STR {if (!define_columns_rule(scanner, $2)){YYERROR;}}
;
functionlist:
FWTOK_BTSTR {if (!define_function_rule(scanner, $1)){YYERROR;}}
| FWTOK_STR {if (!define_function_rule(scanner, $1)){YYERROR;}}
| functionlist FWTOK_BTSTR {if (!define_function_rule(scanner, $2)){YYERROR;}}
| functionlist FWTOK_STR {if (!define_function_rule(scanner, $2)){YYERROR;}}
;
optional:
FWTOK_AT_TIMES timelist
| FWTOK_ON_QUERIES orlist

1
server/modules/filter/dbfwfilter/token.l
View File

@ -39,6 +39,7 @@ USTR [%-_[:alnum:][:punct:]]+
{COMMENT} return FWTOK_COMMENT;
deny|allow return FWTOK_DENY; /** This should be removed at some point */
rule return FWTOK_RULE;
function return FWTOK_FUNCTION;
no_where_clause return FWTOK_WHERE_CLAUSE;
wildcard return FWTOK_WILDCARD;
columns return FWTOK_COLUMNS;