
Forbid ordinary accounts from querying mysql.user (hhyo#1202) #1208

Closed

Conversation

weideguo (Collaborator)

No description provided.

request-info bot commented Oct 26, 2021

Hello! Thanks for reporting this issue/bug, but your description seems to be empty. We need complete information in order to help you solve the problem. If you're not sure what to write, there are several templates to choose from when creating a new issue. Best regards!


codecov bot commented Oct 26, 2021

Codecov Report

Merging #1208 (c07e05c) into master (38a1c8c) will decrease coverage by 0.01%.
The diff coverage is 40.00%.

@@            Coverage Diff             @@
##           master    #1208      +/-   ##
==========================================
- Coverage   77.95%   77.94%   -0.02%     
==========================================
  Files          76       76              
  Lines       11963    11968       +5     
==========================================
+ Hits         9326     9328       +2     
- Misses       2637     2640       +3     
Impacted Files   Coverage Δ
sql/query.py     70.32% <40.00%> (-1.02%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 38a1c8c...c07e05c.

LeoQuote (Collaborator) commented Nov 3, 2021

Superusers shouldn't be able to see this table either, right? Block it entirely at the engine layer.

weideguo (Collaborator, Author) commented Nov 5, 2021

In practice it may still be necessary to query the mysql.user table from the frontend, but making the change in the engine would indeed be more elegant.
If you want to do it that way, add the following:

Patch
mysql.py.20211105.patch

diff --git a/sql/engines/mysql.py b/sql/engines/mysql.py
index 415b426..88a4f23 100644
--- a/sql/engines/mysql.py
+++ b/sql/engines/mysql.py
@@ -191,6 +191,12 @@ class MysqlEngine(EngineBase):
             if explain_result.error:
                 result['bad_query'] = True
                 result['msg'] = explain_result.error
+        # 不应该查看mysql.user表
+        if re.match('.*(\\s)+(mysql|`mysql`)(\\s)*\\.(\\s)*(user|`user`)((\\s)*|;).*',sql.lower().replace('\n','')) or\
+           (db_name=="mysql" and  re.match('.*(\\s)+(user|`user`)((\\s)*|;).*',sql.lower().replace('\n',''))):
+            result['bad_query'] = True
+            result['msg'] = '您无权查看该表'
+
         return result
 
     def filter_sql(self, sql='', limit_num=0):
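Review bot: the new block's `sql.lower().replace('\n','')` joins tokens across line breaks, so a statement where the table reference is preceded by a newline no longer satisfies the leading `(\\s)+` and is not caught; replacing with `' '` instead of `''` (or matching with `re.DOTALL` and leaving newlines in place) keeps the check consistent with the rest of the pattern. The second branch, `db_name=="mysql" and re.match('.*(\\s)+(user|`user`)((\\s)*|;).*', ...)`, also fires on any statement that merely contains the word `user` in that database (for example a call to the `user()` function), because `((\\s)*|;)` matches the empty string, so it is worth anchoring on what follows the name. Setting `result['msg'] = '您无权查看该表'` unconditionally overwrites an explain error message assigned a few lines above; consider appending or checking `result['bad_query']` first. More broadly, a regex over the raw SQL text is a fragile place to enforce table-level access; a check on the parsed statement's table references, or a privilege restriction on the database side, would be the more reliable control for #1202.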

Apply the patch:

cd /opt/archery 
patch -p1 < mysql.py.20211105.patch

LeoQuote (Collaborator) commented Nov 8, 2021

Please submit it as a PR.

hhyo (Owner) commented Nov 10, 2021

#1222

@hhyo hhyo closed this Nov 10, 2021