hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2390 Firewall should reject statements prepared from var

Browse Source 
Currently no practical way for checking what the statement
actually does and thus blanket rejection is the only alternative.
This commit is contained in:
Johan Wikman
2019-03-19 14:08:44 +02:00
parent 09d9570c7e
commit a6f52b008f
1 changed files with 62 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
server/modules/filter/dbfwfilter/dbfwfilter.cc
View File

@ -1480,71 +1480,81 @@ int DbfwSession::routeQuery(GWBUF* buffer)
if (qc_query_is_type(type, QUERY_TYPE_PREPARE_NAMED_STMT)) if (qc_query_is_type(type, QUERY_TYPE_PREPARE_NAMED_STMT))
{ {
analyzed_queue = qc_get_preparable_stmt(buffer); analyzed_queue = qc_get_preparable_stmt(buffer);
mxb_assert(analyzed_queue);
// 'analyzed_queue' will be NULL if the statement is prepared from
// a variable like in : "prepare ps from @a".
} }
SUser suser = find_user_data(this_thread->users(m_instance), user(), remote());
bool query_ok = false; bool query_ok = false;
if (command_is_mandatory(buffer)) if (!analyzed_queue)
{ {
query_ok = true; set_error("Firewall rejects statements prepared from a variable.");
} }
else if (suser) else
{ {
char* rname = NULL; SUser suser = find_user_data(this_thread->users(m_instance), user(), remote());
bool match = suser->match(m_instance, this, analyzed_queue, &rname);
switch (m_instance->get_action()) if (command_is_mandatory(buffer))
{ {
case FW_ACTION_ALLOW:
query_ok = match;
break;
case FW_ACTION_BLOCK:
query_ok = !match;
break;
case FW_ACTION_IGNORE:
query_ok = true; query_ok = true;
break;
default:
MXS_ERROR("Unknown dbfwfilter action: %d", m_instance->get_action());
mxb_assert(false);
break;
} }
else if (suser)
if (m_instance->get_log_bitmask() != FW_LOG_NONE)
{ {
if (match && m_instance->get_log_bitmask() & FW_LOG_MATCH) char* rname = NULL;
{ bool match = suser->match(m_instance, this, analyzed_queue, &rname);
MXS_NOTICE("[%s] Rule '%s' for '%s' matched by %s@%s: %s",
m_session->service->name,
rname,
suser->name(),
user().c_str(),
remote().c_str(),
get_sql(buffer).c_str());
}
else if (!match && m_instance->get_log_bitmask() & FW_LOG_NO_MATCH)
{
MXS_NOTICE("[%s] Query for '%s' by %s@%s was not matched: %s",
m_session->service->name,
suser->name(),
user().c_str(),
remote().c_str(),
get_sql(buffer).c_str());
}
}
MXS_FREE(rname); switch (m_instance->get_action())
} {
/** If the instance is in whitelist mode, only users that have a rule case FW_ACTION_ALLOW:
* defined for them are allowed */ query_ok = match;
else if (m_instance->get_action() != FW_ACTION_ALLOW) break;
{
query_ok = true; case FW_ACTION_BLOCK:
query_ok = !match;
break;
case FW_ACTION_IGNORE:
query_ok = true;
break;
default:
MXS_ERROR("Unknown dbfwfilter action: %d", m_instance->get_action());
mxb_assert(false);
break;
}
if (m_instance->get_log_bitmask() != FW_LOG_NONE)
{
if (match && m_instance->get_log_bitmask() & FW_LOG_MATCH)
{
MXS_NOTICE("[%s] Rule '%s' for '%s' matched by %s@%s: %s",
m_session->service->name,
rname,
suser->name(),
user().c_str(),
remote().c_str(),
get_sql(buffer).c_str());
}
else if (!match && m_instance->get_log_bitmask() & FW_LOG_NO_MATCH)
{
MXS_NOTICE("[%s] Query for '%s' by %s@%s was not matched: %s",
m_session->service->name,
suser->name(),
user().c_str(),
remote().c_str(),
get_sql(buffer).c_str());
}
}
MXS_FREE(rname);
}
/** If the instance is in whitelist mode, only users that have a rule
* defined for them are allowed */
else if (m_instance->get_action() != FW_ACTION_ALLOW)
{
query_ok = true;
}
} }
if (query_ok) if (query_ok)