[MXS-1301] Whitelisting of functions using dbfwfilter. Created: 2017-06-28  Updated: 2017-08-07  Resolved: 2017-07-06

Status: Closed
Project: MariaDB MaxScale
Component/s: dbfwfilter
Affects Version/s: None
Fix Version/s: 2.2.0

Type: Task Priority: Major
Reporter: Johan Wikman Assignee: markus makela
Resolution: Fixed Votes: 0
Labels: None

Sprint: 2017-37

Description

It is possible to bypass the masking performed by the masking filter by using a function.

E.g.

> select a from tbl;
+-------+
| a     |
+-------+
| XXXXX |
+-------+
> select concat(a) from tbl;
+-----------+
| concat(a) |
+-----------+
| hello     |
+-----------+

This can be prevented using the firewall filter, but that requires you to explicitly specify each and every function, which is quite impractical.

With the firewall filter, it should be possible to easily

  • block all functions, and
  • whitelist specific functions.


Comments
Comment by markus makela [ 2017-07-06 ]

If the filter is configured with action=allow and a function type rule is defined, queries which do not use functions match the function rule.

Comment by Dipti Joshi (Inactive) [ 2017-08-07 ]

markus makela Can you please give an example configuration of the dbfirewall filter (full) that blocks all functions on a column?

Comment by markus makela [ 2017-08-07 ]

I did a quick test to figure out how the function whitelisting happens and I happened to spot a minor bug in the function type rule. Currently the syntax does not allow an empty set of function names to be given as a value for a function type rule. I've reported this in MXS-1345.

Meanwhile, the following rule file only allows the name_const function to be used with the name and address columns.

rule wl_columns deny columns name address
rule wl_function deny function name_const
users %@% match all rules wl_columns wl_function

Here's the configuration file for the rule file.

[fw]
type=filter
module=dbfwfilter
rules=/home/markusjm/build/rules
action=allow

A problematic fact about these types of rules is that the list of allowed columns is applied to all columns instead of a set of specified columns. This is partly due to the lack of expressiveness of the rule language of the dbfwfilter.
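To make the behaviour of the rule file above concrete, here is an added example (not MaxScale code, and not part of this issue) that models how action=allow with match all evaluates the two rules against the queries from the description and from this comment. The rule parser and the query analysis are deliberately small lexical stand-ins for the real rule parser and query classifier; the function rule is modelled with the whitelist reading used in this thread (it matches when the query calls no function at all, or only listed functions), and the second rule file with an empty function list models the "block all functions" case the description asks for, even though, as MXS-1345 notes, the real parser rejects an empty list at the time of writing. All of those are assumptions of the model.

```python
import re

# Constructed copies of the rule files discussed in the thread. The first is the
# whitelist posted in this comment; the second is the "block all functions" form
# the description asks for (empty function list; accepting it is an assumption).
WHITELIST_RULES = """
rule wl_columns deny columns name address
rule wl_function deny function name_const
users %@% match all rules wl_columns wl_function
"""

BLOCK_ALL_RULES = """
rule no_funcs deny function
users %@% match all rules no_funcs
"""

KEYWORDS = {"select", "from", "where", "and", "or", "as", "in", "is", "not",
            "null", "like", "order", "by", "group", "limit", "distinct"}
FUNC_RE = re.compile(r"([a-z_][a-z0-9_]*)\s*\(")
IDENT_RE = re.compile(r"\b[a-z_][a-z0-9_]*\b")
TABLE_RE = re.compile(r"\bfrom\s+([a-z_][a-z0-9_]*)")


def parse_rules(text):
    """Parse the subset of dbfwfilter rule syntax used in the thread:
    'rule NAME deny columns|function VALUES...' and
    'users USERS match all|any rules NAMES...'."""
    rules, policy = {}, None
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "rule":
            name, kind, values = parts[1], parts[3], parts[4:]
            rules[name] = (kind, {v.lower() for v in values})
        elif parts[0] == "users":
            policy = {"mode": parts[parts.index("match") + 1],
                      "rules": parts[parts.index("rules") + 1:]}
    return rules, policy


def analyse(sql):
    """Lexical stand-in for the query classifier: which functions the query
    calls and which column names it references (string literals ignored)."""
    text = re.sub(r"'[^']*'", "''", sql).lower()
    funcs = set(FUNC_RE.findall(text))
    tables = set(TABLE_RE.findall(text))
    columns = set(IDENT_RE.findall(text)) - KEYWORDS - funcs - tables
    return funcs, columns


def rule_matches(rule, funcs, columns):
    """One rule against one query. 'columns' matches when any listed column is
    referenced. 'function' follows the whitelist reading: it matches when the
    query uses no function (see the first comment) or only listed functions."""
    kind, values = rule
    if kind == "columns":
        return bool(columns & values)
    if kind == "function":
        return funcs <= values
    raise ValueError("unsupported rule type: " + kind)


def is_allowed(sql, rules_text, action="allow"):
    """action=allow: the query passes only if it matches the rule set
    (every rule for 'match all', any rule for 'match any'); action=block
    inverts that and blocks matching queries instead."""
    rules, policy = parse_rules(rules_text)
    funcs, columns = analyse(sql)
    outcomes = [rule_matches(rules[name], funcs, columns) for name in policy["rules"]]
    matched = all(outcomes) if policy["mode"] == "all" else any(outcomes)
    return matched if action == "allow" else not matched


if __name__ == "__main__":
    for sql in ("select a from tbl",
                "select concat(a) from tbl",
                "select name from tbl",
                "select name_const('n', name) from tbl",
                "select concat(name) from tbl"):
        print(f"{sql!r:45} whitelist={is_allowed(sql, WHITELIST_RULES)} "
              f"block_all={is_allowed(sql, BLOCK_ALL_RULES)}")
```

Running it shows the point of the thread: under the whitelist rules the masking bypass from the description (`select concat(a) from tbl`) is blocked, `select name_const('n', name) from tbl` passes, and a function-free `select name from tbl` also passes because the function rule matches when no function is used. It also shows the problem raised in this comment: `select a from tbl` is blocked under the whitelist, since the column list applies to every query rather than to a chosen set of columns, while the block-all variant allows it and rejects any function call.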

Comment by Dipti Joshi (Inactive) [ 2017-08-07 ]

markus makela If the rule applies to functions on all columns, that is a defect. A function should be specified on a per-column basis as well. I have created MXS-1346 to report it.

Generated at Thu Feb 08 04:05:42 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.