MXS-2457 Allow string arguments to be treated as fields

Before this change, the masking could be bypassed simply by

    > set @@sql_mode='ANSI_QUOTES';
    > select concat("ssn") from person;

The reason is that the query classifier is not aware of whether
'ANSI_QUOTES' is on, so it cannot tell that what above appears to be
the string "ssn" is actually the field name `ssn`. Consequently, the
select is not blocked and the result is returned in cleartext.

It's now possible to instruct the query classifier to report all string
arguments of functions as fields, which will prevent the above. However,
it will also mean that there may be false positives.
Johan Wikman
2019-05-02 14:19:44 +03:00
parent 09d04a09d4
commit f09d46c8e6
4 changed files with 146 additions and 5 deletions


@ -30,6 +30,16 @@ typedef enum qc_init_kind
QC_INIT_BOTH = 0x03
} qc_init_kind_t;
/**
* qc_option_t defines options that affect the classification.
*/
enum qc_option_t
{
QC_OPTION_STRING_ARG_AS_FIELD = (1 << 0), /*< Report a string argument to a function as a field. */
};
const uint32_t QC_OPTION_MASK = QC_OPTION_STRING_ARG_AS_FIELD;
/**
* qc_sql_mode_t specifies what should be assumed of the statements
* that will be parsed.
@ -441,6 +451,22 @@ typedef struct query_classifier
* @param info The info to be closed.
*/
void (* qc_info_close)(QC_STMT_INFO* info);
/**
* Gets the options of the *calling* thread.
*
* @return Bit mask of values from qc_option_t.
*/
uint32_t (* qc_get_options)();
/**
* Sets the options for the *calling* thread.
*
* @param options Bits from qc_option_t.
*
* @return QC_RESULT_OK if @c options is valid, otherwise QC_RESULT_ERROR.
*/
int32_t (* qc_set_options)(uint32_t options);
} QUERY_CLASSIFIER;
/**
@ -952,4 +978,20 @@ json_t* qc_get_cache_stats_as_json();
*/
const char* qc_result_to_string(qc_parse_result_t result);
/**
* Gets the options of the *calling* thread.
*
* @return Bit mask of values from qc_option_t.
*/
uint32_t qc_get_options();
/**
* Sets the options for the *calling* thread.
*
* @param options Bits from qc_option_t.
*
* @return true if the options were valid, false otherwise.
*/
bool qc_set_options(uint32_t options);
MXS_END_DECLS
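Review bot: The two new getter declarations, `uint32_t (* qc_get_options)();` inside QUERY_CLASSIFIER and `uint32_t qc_get_options();` near the end of the header, use an empty parameter list, which in C (the header is wrapped in MXS_BEGIN_DECLS/MXS_END_DECLS, so it is presumably consumed by C translation units as well) is an old-style non-prototype declaration that accepts any arguments; they should read `uint32_t (* qc_get_options)(void);` and `uint32_t qc_get_options(void);`. For the same reason `const uint32_t QC_OPTION_MASK = QC_OPTION_STRING_ARG_AS_FIELD;` defines an object with external linkage in every C file that includes the header, which risks duplicate-symbol link errors; declaring it `static const uint32_t QC_OPTION_MASK = QC_OPTION_STRING_ARG_AS_FIELD;` or folding it into `qc_option_t` avoids that. Because both the plugin entry point and the public wrapper are documented as acting on the *calling* thread only, the wrapper's comment should spell out the consequence for the fix described in the commit message, e.g. `Must be called on every thread that classifies statements; on a thread where the option is not set, string arguments are still reported as strings.`, since otherwise the ANSI_QUOTES bypass presumably remains open on any worker that did not set the option. The QUERY_CLASSIFIER struct and the rest of the header continue outside these hunks.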