Skip to content

MDEV-40323 CONNECT engine - add file access checks for JSON UDFs#5368

Open
vaintroub wants to merge 1 commit into
10.6from
MDEV-40323
Open

MDEV-40323 CONNECT engine - add file access checks for JSON UDFs#5368
vaintroub wants to merge 1 commit into
10.6from
MDEV-40323

Conversation

@vaintroub

Copy link
Copy Markdown
Member

Check FILE_ACL privilege and secure_file_priv for the current user inside CONNECT file UDFs (json_file, jfile_make, jbin_file, bson_file, bfile_make, bbin_file).

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements FILE privilege and secure_file_priv enforcement for CONNECT’s JSON/BSON file-based UDFs, aligning their file I/O behavior with server-side file access restrictions.

Changes:

  • Introduces a shared helper (connect_can_access_file) to validate FILE privilege and secure_file_priv-allowed paths.
  • Applies the access check to JSON UDFs (json_file, jfile_make, jbin_file) and BSON UDFs (bson_file, bfile_make, bbin_file).
  • Adds an MTR test to validate JSON UDF enforcement behavior under --secure_file_priv=$MYSQL_TMP_DIR.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
storage/connect/jsonudf.cpp Adds file access enforcement to JSON file UDF entry points.
storage/connect/bsonudf.cpp Adds file access enforcement to BSON file UDF entry points.
storage/connect/filechk.cpp Implements FILE privilege + secure_file_priv path validation helper.
storage/connect/filechk.h Declares the new helper.
storage/connect/CMakeLists.txt Adds filechk.cpp/.h to CONNECT build sources.
storage/connect/mysql-test/connect/t/json_file_priv.test New MTR test covering JSON UDF enforcement scenarios.
storage/connect/mysql-test/connect/t/json_file_priv.opt Runs the test with secure_file_priv set to $MYSQL_TMP_DIR.
storage/connect/mysql-test/connect/r/json_file_priv.result Expected output for the new JSON UDF privilege test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread storage/connect/jsonudf.cpp Outdated
Comment on lines +4559 to +4563
if (!connect_can_access_file(fn)) {
PUSH_WARNING("Access denied: FILE privilege or secure_file_priv violation");
*is_null = 1;
return NULL;
}
Comment thread storage/connect/jsonudf.cpp Outdated
Comment on lines +5817 to +5821
if (!connect_can_access_file(fn)) {
PUSH_WARNING("Access denied: FILE privilege or secure_file_priv violation");
*error = 1;
goto fin;
}
Comment thread storage/connect/bsonudf.cpp Outdated
Comment on lines +4478 to +4482
if (!connect_can_access_file(fn)) {
PUSH_WARNING("Access denied: FILE privilege or secure_file_priv violation");
*is_null = 1;
return NULL;
}
Comment thread storage/connect/bsonudf.cpp Outdated
Comment on lines +6074 to +6078
if (!connect_can_access_file(fn)) {
PUSH_WARNING("Access denied: FILE privilege or secure_file_priv violation");
*error = 1;
goto fin;
}
Comment thread storage/connect/bsonudf.cpp Outdated
Comment on lines +4478 to +4482
if (!connect_can_access_file(fn)) {
PUSH_WARNING("Access denied: FILE privilege or secure_file_priv violation");
*is_null = 1;
return NULL;
}
Comment thread storage/connect/filechk.h
Comment on lines +1 to +4
/* File access checks for CONNECT file UDFs */
#pragma once
bool connect_can_access_file(const char *path);

Comment on lines +35 to +37
--echo # User without FILE privilege
create user unprivileged@localhost;
grant select ON *.* TO unprivileged@localhost;
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@vaintroub vaintroub changed the title MDEV-40323: CONNECT engine - add file access checks for JSON UDFs MDEV-40323 CONNECT engine - add file access checks for JSON UDFs Jul 9, 2026
@vaintroub vaintroub requested a review from Copilot July 9, 2026 17:35

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Comment thread storage/connect/jsonudf.cpp Outdated
Comment on lines +4478 to +4486
if (!fn) {
PUSH_WARNING("Missing file name");
*is_null = 1;
return NULL;
} else if (!connect_can_access_file(fn)) {
PUSH_WARNING("Access denied: FILE privilege or secure_file_priv violation");
*is_null = 1;
return NULL;
}
Comment thread storage/connect/filechk.cpp Outdated
Comment on lines +35 to +38
fn_format(real_path, path, mysql_real_data_home, "",
MY_RELATIVE_PATH | MY_UNPACK_FILENAME | MY_RETURN_REAL_PATH);

return is_secure_file_path(real_path);
Check FILE_ACL and secure_file_priv for the current user inside CONNECT
file UDFs (json_file, jfile_make, jbin_file, bson_file, bfile_make,
bbin_file).

Fix NULL filename: guard GetFileLength in jbin_file_init and check for
NULL fn in UDF bodies before the access check, so NULL arguments report
"Missing file name" instead of "Access denied".
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Development

Successfully merging this pull request may close these issues.

3 participants