Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate physical MySQL database and table config values before using them #9189

Merged
merged 2 commits into from
Jun 12, 2020

Conversation

pcman312
Copy link
Contributor

Adding validation to the MySQL physical backend's database & table config values.

From the MySQL docs

- Permitted characters in quoted identifiers include the full Unicode Basic Multilingual Plane (BMP), except U+0000:
    ASCII: U+0001 .. U+007F
    Extended: U+0080 .. U+FFFF 
- ASCII NUL (U+0000) and supplementary characters (U+10000 and higher) are not permitted in quoted or unquoted identifiers.
- Identifiers may begin with a digit but unless quoted may not consist solely of digits.
- Database, table, and column names cannot end with space characters. 

Also explicitly rejecting backticks, single quotes, and double quotes to prevent problems when using it in SQL queries.

* Checks the database & table names against the rules specified in the MySQL docs
@pcman312 pcman312 requested a review from a team June 10, 2020 20:18
Copy link
Contributor

@Valarissa Valarissa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. TIL a fun way to run multiple examples in a very compact form. :)

@pcman312 pcman312 merged commit 342318a into master Jun 12, 2020
@pcman312 pcman312 deleted the mysql-injection branch June 12, 2020 17:09
catsby added a commit that referenced this pull request Jun 15, 2020
* master: (36 commits)
  Minor transform docs rewording (#9223)
  Validate physical CockroachDB table config value before using it (#9191)
  Validate physical MySQL database and table config values before using them (#9189)
  add disable_iss_validation option to k8s auth docs (#9142)
  fix: configutil redeclared as imported package name (#9211)
  Integrate password policies into RabbitMQ secret engine (#9143)
  Clarify cache setting. (#9204)
  Test pre-1.4 seal migration  (#9085)
  Simple typos (#9119)
  Update contribution guidelines
  changelog++
  Add ssh signing algorithm as a role option.   (#9096)
  replacing "a key usage mode" as it is confusing (#9194)
  changelog++
  fix: invalidate cached clients after a config change in the aws secrets backend (#9186)
  website: remove whitepaper link from subnav (#9190)
  changelog++
  Improving transit batch encrypt and decrypt latencies (#8775)
  changelog++
  AWS: Add iam_groups parameter to role create/update (#8811)
  ...
andaley pushed a commit that referenced this pull request Jul 17, 2020
… them (#9189)

* Validate database & table names prior to using it in SQL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants