mirror/dolt
1
0
Fork 0
mirror of https://github.com/dolthub/dolt.git synced 2026-05-21 03:24:13 -05:00
Code Issues Packages Projects Releases 168 Wiki Activity

Merge pull request #6515 from dolthub/db/sql

Browse Source 
Prevent `dolt sql` from allowing `LOAD_FILE` from directories outside of working directory
This commit is contained in:
Dustin Brown
2023-08-16 13:04:49 -07:00
committed by GitHub
parent 439dd8f493 0560968b80
commit 59033c5e56
2 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
go/cmd/dolt/commands/sql.go
+12
View File
@@ -196,6 +196,18 @@ func (cmd SqlCmd) Exec(ctx context.Context, commandStr string, args []string, dE
}
}
// restrict LOAD FILE invocations to current directory
wd, err := os.Getwd()
if err != nil {
wd = "/dev/null"
}
err = sql.SystemVariables.AssignValues(map[string]interface{}{
"secure_file_priv": wd,
})
if err != nil {
return HandleVErrAndExitCode(errhand.VerboseErrorFromError(err), usage)
}
queryist, sqlCtx, closeFunc, err := cliCtx.QueryEngine(ctx)
if err != nil {
return HandleVErrAndExitCode(errhand.VerboseErrorFromError(err), usage)
integration-tests/bats/sql.bats
+16 -2
View File
@@ -2328,7 +2328,7 @@ SQL
[[ "$output" =~ "name,create_stmt,created_at,modified_at" ]] || false
[[ "$output" =~ 'p1,CREATE PROCEDURE p1() SELECT 5*5' ]] || false
[[ "$output" =~ 'p2,CREATE PROCEDURE p2() SELECT 6*6' ]] || false
run dolt sql -b -q "SET @@show_external_procedures = 0;SHOW PROCEDURE STATUS" -r=csv
[ "$status" -eq "0" ]
[[ "$output" =~ "Db,Name,Type,Definer,Modified,Created,Security_type,Comment,character_set_client,collation_connection,Database Collation" ]] || false
@@ -2859,5 +2859,19 @@ SQL
[ "$status" -eq 0 ]
[[ "$output" =~ "Database changed" ]] || false
[[ "$output" =~ "role_edges" ]] || false
}
@test "sql: prevent LOAD_FILE() from accessing files outside of working directory" {
echo "should not be able to read this" > ../dont_read.txt
echo "should be able to read this" > ./do_read.txt
run dolt sql -q "select load_file('../dont_read.txt')";
[ "$status" -eq 0 ]
[[ "$output" =~ "NULL" ]] || false
[[ "$output" != "should not be able to read this" ]] || false
run dolt sql -q "select load_file('./do_read.txt')";
[ "$status" -eq 0 ]
[[ "$output" =~ "should be able to read this" ]] || false
}