MXS-2393 Reject statement that cannot be parsed completely

As the masking filter must reject statements that use columns to be masked as arguments to functions, a statement that cannot be fully parsed must be rejected. Unless a statement can be fully parsed we cannot know whether such usage occurs.
2019-03-18 18:52:19 +02:00 · 2019-03-18 18:52:19 +02:00 · 7f1c44cf62
commit 7f1c44cf62
parent c393d633fe
1 changed files with 25 additions and 11 deletions
--- a/server/modules/filter/masking/maskingfiltersession.cc
+++ b/server/modules/filter/masking/maskingfiltersession.cc
@ -389,13 +389,15 @@ bool MaskingFilterSession::reject_if_function_used(GWBUF* pPacket)
        zHost = "";
    }

-    auto pred1 = [&sRules, zUser, zHost](const QC_FIELD_INFO& field_info) {
+    if (qc_parse(pPacket, QC_COLLECT_FIELDS | QC_COLLECT_FUNCTIONS) == QC_QUERY_PARSED)
+    {
+        auto pred1 = [&sRules, zUser, zHost](const QC_FIELD_INFO& field_info) {
            const MaskingRules::Rule* pRule = sRules->get_rule_for(field_info, zUser, zHost);

            return pRule ? true : false;
        };

-    auto pred2 = [&sRules, zUser, zHost, &pred1](const QC_FUNCTION_INFO& function_info) {
+        auto pred2 = [&sRules, zUser, zHost, &pred1](const QC_FUNCTION_INFO& function_info) {
            const QC_FIELD_INFO* begin = function_info.fields;
            const QC_FIELD_INFO* end = begin + function_info.n_fields;

@ -404,21 +406,33 @@ bool MaskingFilterSession::reject_if_function_used(GWBUF* pPacket)
            return i != end;
        };

-    const QC_FUNCTION_INFO* pInfos;
-    size_t nInfos;
+        const QC_FUNCTION_INFO* pInfos;
+        size_t nInfos;

-    qc_get_function_info(pPacket, &pInfos, &nInfos);
+        qc_get_function_info(pPacket, &pInfos, &nInfos);

-    const QC_FUNCTION_INFO* begin = pInfos;
-    const QC_FUNCTION_INFO* end = begin + nInfos;
+        const QC_FUNCTION_INFO* begin = pInfos;
+        const QC_FUNCTION_INFO* end = begin + nInfos;

-    auto i = std::find_if(begin, end, pred2);
+        auto i = std::find_if(begin, end, pred2);

-    if (i != end)
+        if (i != end)
+        {
+            std::stringstream ss;
+            ss << "The function " << i->name << " is used in conjunction with a field "
+               << "that should be masked for '" << zUser << "'@'" << zHost << "', access is denied.";
+
+            GWBUF* pResponse = modutil_create_mysql_err_msg(1, 0, 1141, "HY000", ss.str().c_str());
+            set_response(pResponse);
+
+            rejected = true;
+        }
+    }
+    else
    {
        std::stringstream ss;
-        ss << "The function " << i->name << " is used in conjunction with a field "
-           << "that should be masked for '" << zUser << "'@'" << zHost << "', access is denied.";
+        ss << "The statement could not be fully parsed and will hence be "
+           << "rejected (masking filter).";

        GWBUF* pResponse = modutil_create_mysql_err_msg(1, 0, 1141, "HY000", ss.str().c_str());
        set_response(pResponse);