hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch '2.3' into develop

Browse Source
This commit is contained in:
Johan Wikman
2019-05-03 13:48:57 +03:00
parent 20afbfca76 e9144219f5
commit fb0745e3de
19 changed files with 517 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
Documentation/Filters/Database-Firewall-Filter.md
View File

@ -146,6 +146,32 @@ query itself is logged. The log messages are logged at the notice level.
Log all queries that do not match a rule. The matched user and the query is
logged. The log messages are logged at the notice level.
#### `treat_string_as_field`
This optional parameter specifies how the database firewall should treat
strings. If true, they will be handled as fields, which will cause column
blocking rules to match even if `ANSI_QUOTES` has been enabled and `"` is
used instead of backtick.
```
treat_string_as_field=false
```
The default value is `true`.
Note that this may cause a false positive, if a "true" string contains the
name of a column to be blocked.
#### `treat_string_arg_as_field`
This optional parameter specifies how the database firewall should treat
strings used as arguments to functions. If true, they will be handled
as fields, which will cause function column blocking rules to match even
even if `ANSI_QUOTES` has been enabled and `"` is used instead of backtick.
```
treat_string_arg_as_field=false
```
The default value is `true`.
Note that this may cause a false positive, if a "true" string contains the
name of a column to be blocked.
## Rule syntax
The rules are defined by using the following syntax:

31
Documentation/Filters/Masking.md
View File

@ -96,6 +96,26 @@ Please see the configuration parameter
[require_fully_parsed](#require_fully_parsed)
for how to change the default behaviour.
From MaxScale 2.3.7 onwards, the masking filter will treat any strings
passed to functions as if they were fields. The reason is that as the
MaxScale query classifier is not aware of whether `ANSI_QUOTES` is
enabled or not, it is possible to bypass the masking by turning that
option on.
```
mysql> set @@sql_mode = 'ANSI_QUOTES';
mysql> select concat("ssn") from managers;
```
Before this change, the content of the field `ssn` would have been
returned in clear text even if the column should have been masked.
Note that this change will mean that there may be false positives
if `ANSI_QUOTES` is not enabled and a string argument happens to
be the same as the name of a field to be masked.
Please see the configuration parameter
[treat_string_arg_as_field(#treat_string_arg_as_field)
for how to change the default behaviour.
## Limitations
The masking filter can _only_ be used for masking columns of the following
@ -215,6 +235,17 @@ Note that if this parameter is set to false, then `prevent_function_usage`,
less effective, as it with a statement that can not be fully parsed may be
possible to bypass the protection that they are intended to provide.
#### `treat_string_arg_as_field`
This optional parameter specifies how the masking filter should treat
strings used as arguments to functions. If true, they will be handled
as fields, which will cause fields to be masked even if `ANSI_QUOTES` has
been enabled and `"` is used instead of backtick.
```
treat_string_arg_as_field=false
```
The default value is `true`.
#### `check_user_variables`
This optional parameter specifies how the masking filter should