validateExtraConnectionParameters validates extra connection parameters for security risks.
(engine storepb.Engine, params map[string]string)
| 1207 | |
| 1208 | // validateExtraConnectionParameters validates extra connection parameters for security risks. |
| 1209 | func validateExtraConnectionParameters(engine storepb.Engine, params map[string]string) error { |
| 1210 | // Validate MySQL-compatible engines |
| 1211 | switch engine { |
| 1212 | case storepb.Engine_MYSQL, storepb.Engine_MARIADB, storepb.Engine_OCEANBASE, storepb.Engine_TIDB: |
| 1213 | for key := range params { |
| 1214 | normalizedKey := strings.ToLower(strings.TrimSpace(key)) |
| 1215 | if normalizedKey == "allowallfiles" { |
| 1216 | // Disables file allowlist for LOAD DATA LOCAL INFILE and allows all files (might be insecure) |
| 1217 | return errors.Errorf("connection parameter %q is not allowed for security reasons. This parameter can allow a malicious database server to read arbitrary files from the client", key) |
| 1218 | } |
| 1219 | } |
| 1220 | default: |
| 1221 | // No validation needed for other engines |
| 1222 | } |
| 1223 | return nil |
| 1224 | } |