Sanitize filenames in MySQLHook

[PApostol]

This PR ensures filenames in MySQLHook are sanitized, so no arbitrary SQL execution could happen with e.g. filename = "myfile; SELECT * FROM DUAL". Closes #33283.

[eladkal]

Can you please amend the commit message to a meaningful one? We generate release notes based on commit message thus it's important

[PApostol]

Can you please amend the commit message to a meaningful one? We generate release notes based on commit message thus it's important

Done, sorry, I must have replaced the main commit message accidentally.

[hussein-awala]

In the linked issue, I see:

fillename = " file; SELECT * FROM DUAL" 

Does your change remove the leading space? If not, could you add a strip on re.sub result?

[PApostol]

In the linked issue, I see:

fillename = " file; SELECT * FROM DUAL" 

Does your change remove the leading space? If not, could you add a strip on re.sub result?

The change doesn't remove leading spaces. I presumed the issue was with SQL commands following any ; - not sure if leading spaces cause any problems here. Happy to include a strip() though!

[potiuk]

In the linked issue, I see:

fillename = " file; SELECT * FROM DUAL" 

Does your change remove the leading space? If not, could you add a strip on re.sub result?

The change doesn't remove leading spaces. I presumed the issue was with SQL commands following any ; - not sure if leading spaces cause any problems here. Happy to include a strip() though!

I think it's a little bit more complex though, sheer presence of ";" is not enough, it will be " ';" that will trigger it.

I am thinking that better solution will be to actually use prepared statement in this case. Not sure if that works for this command (but there is no reason it should not):

https://dev.mysql.com/doc/connector-python/en/connector-python-api-mysqlcursorprepared.html

This is the ultimate way how you can avoid sql injection type of problems like this one.

[potiuk]

Then you do not have sanitize file name at all. It's effectively mitigated by the driver parsing the statement first and adding filename later.

[PApostol]

Regarding PREPARE statements, would changing

cur = conn.cursor()
cur.execute(
    f"""
    LOAD DATA LOCAL INFILE '{tmp_file}'
    INTO TABLE {table}
    """
)

into

cur = conn.cursor(prepared=True)
cur.execute(
    """
    LOAD DATA LOCAL INFILE '%s'
    INTO TABLE %s
    """,
    (tmp_file, table)
)

do the trick?

[potiuk]

Very much so.

[PApostol]

It looks like the above syntax doesn't sit well with MySQL 5.7!

[potiuk]

Shall we wait :)?

https://endoflife.date/mysql

Ends in 2 months and 2 weeks (31 Oct 2023)

Actually I would be qute fine to make it MySQL 8 only feature in anticipation of us dropping support in provider. Users might still use older provoders if they want to keep 5.7.

[potiuk]

One of the ways to do it is to make if (mysql 8 -> prepare, if not, don't) for now and then in 2 months we will drop it completely.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.

[PApostol]

I wonder is this PR can still be useful in 1 month when MySQL 5.7 reaches EOL?

[potiuk]

yes

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.

[PApostol]

Perhaps this can be merged now?

[potiuk]

Rebased it. Generatlly when we have old PRs that (for whatever reason) has not been built for some time, rebasing is firt thing to do.

[potiuk]

There was an error that looked suspiciously related (MySQL test failed but also could be flake) I re-run it - if it happens again I think you will need to fix it @PApostol

[potiuk]

Yep. it looks like:

Perhaps this can be merged now?

So ... no :) until it is fixed :)

[PApostol]

Hello, I have updated the PR, tests seem to pass now. Perhaps it can be reviewed?

[potiuk]

Cool. Thanks for fixing it :)