WL14098: Add option to specify LOAD DATA LOCAL IN PATH

The purpose of this Worklog is to improve security of the LOAD DATA
LOCAL INFILE option that is used to specify a file from where to
upload data, by allowing a user to specify a single folder that is
safe to upload files from.

Author: isrgomez

lib/mysql/connector/abstracts.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2020, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -29,6 +29,7 @@
 """Module gathering all abstract base classes"""
 
 from abc import ABCMeta, abstractmethod, abstractproperty
+import os
 import re
 import time
 import weakref
@@ -99,6 +100,9 @@ def __init__(self, **kwargs):
         self._have_next_result = False
         self._raw = False
         self._in_transaction = False
+        self._allow_local_infile = DEFAULT_CONFIGURATION["allow_local_infile"]
+        self._allow_local_infile_in_path = (
+            DEFAULT_CONFIGURATION["allow_local_infile_in_path"])
 
         self._prepared_statements = None
 
@@ -399,9 +403,20 @@ def config(self, **kwargs):
         except KeyError:
             pass  # Missing compress argument is OK
 
-        allow_local_infile = config.get(
+        self._allow_local_infile = config.get(
             'allow_local_infile', DEFAULT_CONFIGURATION['allow_local_infile'])
-        if allow_local_infile:
+        self._allow_local_infile_in_path = config.get(
+            'allow_local_infile_in_path',
+            DEFAULT_CONFIGURATION['allow_local_infile_in_path'])
+        infile_in_path = None
+        if self._allow_local_infile_in_path:
+            infile_in_path = os.path.abspath(self._allow_local_infile_in_path)
+            if infile_in_path and os.path.exists(infile_in_path) and \
+               not os.path.isdir(infile_in_path) or \
+               os.path.islink(infile_in_path):
+                raise AttributeError("allow_local_infile_in_path must be a "
+                                     "directory")
+        if self._allow_local_infile or self._allow_local_infile_in_path:
             self.set_client_flags([ClientFlag.LOCAL_FILES])
         else:
             self.set_client_flags([-ClientFlag.LOCAL_FILES])

lib/mysql/connector/connection.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2020, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0, as
@@ -438,8 +438,39 @@ def _handle_eof(self, packet):
 
     def _handle_load_data_infile(self, filename):
         """Handle a LOAD DATA INFILE LOCAL request"""
+        file_name = os.path.abspath(filename)
+        if os.path.islink(file_name):
+            raise errors.OperationalError("Use of symbolic link is not allowed")
+        if not self._allow_local_infile and \
+           not self._allow_local_infile_in_path:
+            raise errors.DatabaseError(
+                "LOAD DATA LOCAL INFILE file request rejected due to "
+                "restrictions on access.")
+        if not self._allow_local_infile and self._allow_local_infile_in_path:
+            # validate filename is inside of allow_local_infile_in_path path.
+            infile_path = os.path.abspath(self._allow_local_infile_in_path)
+            c_path = None
+            try:
+                if PY2:
+                    c_path = os.path.commonprefix([infile_path, file_name])
+                    if not os.path.exists(c_path):
+                        raise ValueError("Can't locate path")
+                else:
+                    c_path = os.path.commonpath([infile_path, file_name])
+            except ValueError as err:
+                err_msg = ("{} while loading file `{}` and path `{}` given"
+                           " in allow_local_infile_in_path")
+                raise errors.InterfaceError(
+                    err_msg.format(str(err), file_name, infile_path))
+
+            if c_path != infile_path:
+                err_msg = ("The file `{}` is not found in the given "
+                           "allow_local_infile_in_path {}")
+                raise errors.DatabaseError(
+                    err_msg.format(file_name,infile_path))
+
         try:
-            data_file = open(filename, 'rb')
+            data_file = open(file_name, 'rb')
             return self._handle_ok(self._send_data(data_file,
                                                    send_empty_packet=True))
         except IOError:
@@ -450,7 +481,7 @@ def _handle_load_data_infile(self, filename):
                 raise errors.OperationalError(
                     "MySQL Connection not available.")
             raise errors.InterfaceError(
-                "File '{0}' could not be read".format(filename))
+                "File '{0}' could not be read".format(file_name))
         finally:
             try:
                 data_file.close()
@@ -596,8 +627,15 @@ def cmd_query(self, query, raw=False, buffered=False, raw_as_string=False):
         """
         if not isinstance(query, bytes):
             query = query.encode('utf-8')
-        result = self._handle_result(self._send_cmd(ServerCmd.QUERY, query))
-
+        try:
+            result = self._handle_result(self._send_cmd(ServerCmd.QUERY, query))
+        except errors.ProgrammingError as err:
+            if err.errno == 3948 and \
+               "Loading local data is disabled" in err.msg:
+                err_msg = ("LOAD DATA LOCAL INFILE file request rejected due "
+                           "to restrictions on access.")
+                raise errors.DatabaseError(err_msg)
+            raise
         if self._have_next_result:
             raise errors.InterfaceError(
                 'Use cmd_query_iter for statements with multiple queries.')
@@ -797,6 +835,13 @@ def is_connected(self):
             return False  # This method does not raise
         return True
 
+    def set_allow_local_infile_in_path(self, path):
+        """set local_infile_in_path
+
+        Set allow_local_infile_in_path.
+        """
+        self._allow_local_infile_in_path = path
+
     def reset_session(self, user_variables=None, session_variables=None):
         """Clears the current active session
 

lib/mysql/connector/connection_cext.py

@@ -117,6 +117,15 @@ def _server_status(self):
         """Returns the server status attribute of MYSQL structure"""
         return self._cmysql.st_server_status()
 
+    def set_allow_local_infile_in_path(self, path):
+        """set local_infile_in_path
+
+        Set allow_local_infile_in_path.
+        """
+
+        if self._cmysql:
+            self._cmysql.set_load_data_local_infile_option(path)
+
     def set_unicode(self, value=True):
         """Toggle unicode mode
 
@@ -182,7 +191,9 @@ def _open_connection(self):
             'unix_socket': self._unix_socket,
             'compress': self.isset_client_flag(ClientFlag.COMPRESS),
             'ssl_disabled': True,
-            "conn_attrs": self._conn_attrs
+            "conn_attrs": self._conn_attrs,
+            "local_infile": self._allow_local_infile,
+            "load_data_local_dir": self._allow_local_infile_in_path
         }
 
         tls_versions = self._ssl.get('tls_versions')

lib/mysql/connector/constants.py

@@ -75,6 +75,7 @@
     'force_ipv6': False,
     'auth_plugin': None,
     'allow_local_infile': False,
+    'allow_local_infile_in_path': None,
     'consume_results': False,
     'conn_attrs': None,
     'dns_srv': False,

src/include/mysql_capi.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2020, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License, version 2.0, as
@@ -220,6 +220,9 @@ MySQL_select_db(MySQL *self, PyObject *db);
 PyObject*
 MySQL_set_character_set(MySQL *self, PyObject *args);
 
+PyObject*
+MySQL_set_load_data_local_infile_option(MySQL *self, PyObject *args);
+
 PyObject*
 MySQL_shutdown(MySQL *self, PyObject *args);
 

src/mysql_capi.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2020, Oracle and/or its affiliates.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License, version 2.0, as
@@ -1004,8 +1004,8 @@ MySQL_set_character_set(MySQL *self, PyObject *args)
 
     if (res)
     {
-    	raise_with_session(&self->session, NULL);
-    	return NULL;
+        raise_with_session(&self->session, NULL);
+        return NULL;
     }
 
     Py_DECREF(self->charset_name);
@@ -1015,6 +1015,49 @@ MySQL_set_character_set(MySQL *self, PyObject *args)
     Py_RETURN_NONE;
 }
 
+/**
+  Set the local_infile_in_path for the current session.
+
+  Set the local_infile_in_path for the current session. The
+  directory from where a load data is allowed when allow_local_infile is
+  dissabled.
+
+  Raises TypeError when the argument is not a PyString_type.
+
+  @param    self    MySQL instance
+  @param    args    allow_local_infile_in_path
+
+  @return   int
+    @retval 0   Zero for success.
+*/
+PyObject*
+MySQL_set_load_data_local_infile_option(MySQL *self, PyObject *args)
+{
+    PyObject* value;
+    int res;
+
+    if (!PyArg_ParseTuple(args, "O!", &PyStringType, &value))
+    {
+        return NULL;
+    }
+
+    IS_CONNECTED(self);
+
+    Py_BEGIN_ALLOW_THREADS
+
+    res= mysql_options(&self->session, MYSQL_OPT_LOAD_DATA_LOCAL_DIR , PyStringAsString(value));
+
+    Py_END_ALLOW_THREADS
+
+    if (res)
+    {
+        raise_with_session(&self->session, NULL);
+        return NULL;
+    }
+
+    Py_RETURN_NONE;
+}
+
 /**
   Commit the current transaction.
 
@@ -1075,6 +1118,7 @@ PyObject*
 MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
 {
     char *host= NULL, *user= NULL, *database= NULL, *unix_socket= NULL;
+    char *load_data_local_dir= NULL;
     char *ssl_ca= NULL, *ssl_cert= NULL, *ssl_key= NULL,
          *ssl_cipher_suites= NULL, *tls_versions= NULL,
          *tls_cipher_suites= NULL;
@@ -1084,6 +1128,7 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
     const char* auth_plugin;
     unsigned long client_flags= 0;
     unsigned int port= 3306, tmp_uint;
+    int local_infile= -1;
     unsigned int protocol= 0;
     Py_ssize_t pos= 0;
 #if MYSQL_VERSION_ID >= 50711
@@ -1105,16 +1150,17 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
 
     static char *kwlist[]=
     {
-        "host", "user", "password", "database",	"port", "unix_socket",
+        "host", "user", "password", "database", "port", "unix_socket",
         "client_flags", "ssl_ca", "ssl_cert", "ssl_key", "ssl_cipher_suites",
-        "tls_versions", "tls_cipher_suites",  "ssl_verify_cert",
+        "tls_versions", "tls_cipher_suites", "ssl_verify_cert",
         "ssl_verify_identity", "ssl_disabled", "compress", "conn_attrs",
+        "local_infile", "load_data_local_dir",
         NULL
     };
 #ifdef PY3
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzkzkzzzzzzO!O!O!O!O!", kwlist,
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzkzkzzzzzzO!O!O!O!O!iz", kwlist,
 #else
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOzkzkzzzzzzO!O!O!O!O!", kwlist,
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOzkzkzzzzzzO!O!O!O!O!iz", kwlist,
 #endif
                                      &host, &user, &password, &database,
                                      &port, &unix_socket,
@@ -1126,7 +1172,9 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
                                      &PyBool_Type, &ssl_verify_identity,
                                      &PyBool_Type, &ssl_disabled,
                                      &PyBool_Type, &compress,
-                                     &PyDict_Type, &conn_attrs))
+                                     &PyDict_Type, &conn_attrs,
+                                     &local_infile,
+                                     &load_data_local_dir))
     {
         return NULL;
     }
@@ -1141,6 +1189,26 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
     mysql_init(&self->session);
     Py_END_ALLOW_THREADS
 
+	if (local_infile == 1) {
+		unsigned int accept= 1;
+		mysql_options(&self->session, MYSQL_OPT_LOCAL_INFILE, &accept);
+
+	} else if (local_infile == 0 && load_data_local_dir != NULL) {
+		if (load_data_local_dir != NULL){
+			mysql_options(&self->session, MYSQL_OPT_LOAD_DATA_LOCAL_DIR,
+                          load_data_local_dir);
+		}
+
+	} else {
+		unsigned int denied= 0;
+		mysql_options(&self->session, MYSQL_OPT_LOCAL_INFILE, &denied);
+
+	}
+
+	if (client_flags & CLIENT_LOCAL_FILES && (local_infile != 1)){
+        client_flags= client_flags & ~CLIENT_LOCAL_FILES;
+    }
+
 #ifdef MS_WINDOWS
     if (NULL == host)
     {
@@ -1281,11 +1349,6 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
         client_flags= client_flags & ~CLIENT_CONNECT_WITH_DB;
     }
 
-    if (client_flags & CLIENT_LOCAL_FILES) {
-        unsigned int val= 1;
-        mysql_options(&self->session, MYSQL_OPT_LOCAL_INFILE, &val);
-    }
-
     if (conn_attrs != NULL)
     {
 		while (PyDict_Next(conn_attrs, &pos, &key, &value)) {

src/mysql_connector.c

@@ -217,6 +217,9 @@ static PyMethodDef MySQL_methods[]=
     {"set_character_set", (PyCFunction)MySQL_set_character_set,
      METH_VARARGS,
      "Set the default character set for the current connection"},
+    {"set_load_data_local_infile_option",
+     (PyCFunction)MySQL_set_load_data_local_infile_option, METH_VARARGS,
+     "Set the load_data_local_infile_option for the current connection"},
     {"shutdown", (PyCFunction)MySQL_shutdown,
      METH_VARARGS,
      "Ask MySQL server to shut down"},

tests/data/in_file_path/local_data_in_path.csv

@@ -0,0 +1,6 @@
+10	c1_10	c2_10
+20	c1_20	c2_20
+30	c1_30	c2_30
+40	c1_40	c2_40
+50	c1_50	c2_50
+60	c1_60	c2_60