hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2393 Reject statement that cannot be parsed completely

Browse Source 
As the masking filter must reject statements that use columns to be
masked as arguments to functions, a statement that cannot be fully
parsed must be rejected. Unless a statement can be fully parsed we
cannot know whether such usage occurs.
This commit is contained in:
Johan Wikman
2019-03-18 18:52:19 +02:00
parent c393d633fe
commit 7f1c44cf62
1 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
server/modules/filter/masking/maskingfiltersession.cc
View File

@ -389,13 +389,15 @@ bool MaskingFilterSession::reject_if_function_used(GWBUF* pPacket)
zHost = ""; zHost = "";
} }
auto pred1 = [&sRules, zUser, zHost](const QC_FIELD_INFO& field_info) { if (qc_parse(pPacket, QC_COLLECT_FIELDS | QC_COLLECT_FUNCTIONS) == QC_QUERY_PARSED)
{
auto pred1 = [&sRules, zUser, zHost](const QC_FIELD_INFO& field_info) {
const MaskingRules::Rule* pRule = sRules->get_rule_for(field_info, zUser, zHost); const MaskingRules::Rule* pRule = sRules->get_rule_for(field_info, zUser, zHost);
return pRule ? true : false; return pRule ? true : false;
}; };
auto pred2 = [&sRules, zUser, zHost, &pred1](const QC_FUNCTION_INFO& function_info) { auto pred2 = [&sRules, zUser, zHost, &pred1](const QC_FUNCTION_INFO& function_info) {
const QC_FIELD_INFO* begin = function_info.fields; const QC_FIELD_INFO* begin = function_info.fields;
const QC_FIELD_INFO* end = begin + function_info.n_fields; const QC_FIELD_INFO* end = begin + function_info.n_fields;
@ -404,21 +406,33 @@ bool MaskingFilterSession::reject_if_function_used(GWBUF* pPacket)
return i != end; return i != end;
}; };
const QC_FUNCTION_INFO* pInfos; const QC_FUNCTION_INFO* pInfos;
size_t nInfos; size_t nInfos;
qc_get_function_info(pPacket, &pInfos, &nInfos); qc_get_function_info(pPacket, &pInfos, &nInfos);
const QC_FUNCTION_INFO* begin = pInfos; const QC_FUNCTION_INFO* begin = pInfos;
const QC_FUNCTION_INFO* end = begin + nInfos; const QC_FUNCTION_INFO* end = begin + nInfos;
auto i = std::find_if(begin, end, pred2); auto i = std::find_if(begin, end, pred2);
if (i != end) if (i != end)
{
std::stringstream ss;
ss << "The function " << i->name << " is used in conjunction with a field "
<< "that should be masked for '" << zUser << "'@'" << zHost << "', access is denied.";
GWBUF* pResponse = modutil_create_mysql_err_msg(1, 0, 1141, "HY000", ss.str().c_str());
set_response(pResponse);
rejected = true;
}
}
else
{ {
std::stringstream ss; std::stringstream ss;
ss << "The function " << i->name << " is used in conjunction with a field " ss << "The statement could not be fully parsed and will hence be "
<< "that should be masked for '" << zUser << "'@'" << zHost << "', access is denied."; << "rejected (masking filter).";
GWBUF* pResponse = modutil_create_mysql_err_msg(1, 0, 1141, "HY000", ss.str().c_str()); GWBUF* pResponse = modutil_create_mysql_err_msg(1, 0, 1141, "HY000", ss.str().c_str());
set_response(pResponse); set_response(pResponse);