Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ 功能建议 ]禁止普通账号查询mysql.user #1202

Closed
weideguo opened this issue Oct 21, 2021 · 1 comment
Closed

[ 功能建议 ]禁止普通账号查询mysql.user #1202

weideguo opened this issue Oct 21, 2021 · 1 comment

Comments

@weideguo
Copy link
Collaborator

目前遇到的问题/使用障碍

如果配置mysql实例时使用的账号权限较高,且开放查询功能,会导致普通账号可以查询mysql.user表,从而造成账号密码可能泄露。

希望如何解决/实现它

增加一个补丁
query.py.20211021.patch

diff --git a/sql/query.py b/sql/query.py
index a5926f3..14de028 100644
--- a/sql/query.py
+++ b/sql/query.py
@@ -53,6 +53,16 @@ def query(request):
         result['msg'] = '页面提交参数可能为空'
         return HttpResponse(json.dumps(result), content_type='application/json')
 
+    # 禁止非超级用户查看mysql.user表
+    if not user.is_superuser:
+
+        if re.match('.*\\s(mysql|`mysql`)(\\s)*\\.(\\s)*(user|`user`)((\\s)*|;).*',sql_content.lower().replace('\n','')) or\
+           (db_name=="mysql" and  re.match('.*(user|`user`)((\\s)*|;).*',sql_content.lower().replace('\n',''))):
+
+            result['status'] = 1
+            result['msg'] = '您无权查看该表'
+            return HttpResponse(json.dumps(result), content_type='application/json')
+
     try:
         config = SysConfig()
         # 查询前的检查,禁用语句检查,语句切分

应用补丁

cd /opt/archery 
patch -p1 < query.py.20211021.patch
@hhyo
Copy link
Owner

hhyo commented Oct 26, 2021

可以提交pr

weideguo added a commit to weideguo/Archery that referenced this issue Oct 26, 2021
@weideguo
禁止普通账号查询mysql.user (hhyo#1202)
c07e05c
weideguo added a commit to weideguo/Archery that referenced this issue Nov 8, 2021
@weideguo
禁止普通账号查询mysql.user (hhyo#1202)
e3bc162
hhyo added a commit that referenced this issue Nov 10, 2021
@hhyo
Merge pull request #1222 from weideguo/pr20211108
b5d90df 
禁止普通账号查询mysql.user (#1202)
@hhyo hhyo closed this as completed Jan 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@weideguo @hhyo