[#MXS-2851] CAST Function displays contents of Masked column

[MXS-2851] CAST Function displays contents of Masked column Created: 2020-01-27 Updated: 2020-08-25 Resolved: 2020-01-28
Status:	Closed
Project:	MariaDB MaxScale
Component/s:	masking
Affects Version/s:	2.4.5
Fix Version/s:	2.3.17, 2.4.7

Type:

Bug

Priority:

Major

Reporter:

Chris Calender (Inactive)

Assignee:

Johan Wikman

Resolution:

Fixed

Votes:

Labels:

None

Description

The CAST function allows one to see the contents of a masked column.

Consider the following example where masking is set up to mask the column `SSN`.

A normal SELECT of this column shows it masked:

MariaDB [(none)]> SELECT SSN FROM employees.employees;

+-------------+

| SSN         |

+-------------+

| *********** |

+-------------+

And a SELECT using a function like CAT() shows it is properly blocked (with prevent_function_usage=1 (true), the default):

MariaDB [(none)]> SELECT CAT(SSN) FROM employees.employees;

ERROR 1141 (HY000): The function CAT is used in conjunction with a field that should be masked for 'root'@'::ffff:127.0.0.1', access is denied.

However, when we use CAST, it returns the value:

MariaDB [(none)]> SELECT CAST(SSN as CHAR) FROM employees.employees;

+-------------------+

| CAST(SSN as CHAR) |

+-------------------+

| 123-45-6789       |

+-------------------+

Generated at Thu Feb 08 04:17:08 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.