mirror of
https://github.com/FirebirdSQL/firebird-qa.git
synced 2025-01-22 21:43:06 +01:00
392 lines
20 KiB
Python
392 lines
20 KiB
Python
#coding:utf-8
|
|
#
|
|
# id: bugs.core_4731
|
|
# title: Prohibit an ability to issue DML or DDL statements on RDB$ tables
|
|
# decription:
|
|
# Integral test for verifying ability to change system tables by non-privileged user and by those
|
|
# who have been granted with RDB$ADMIN role.
|
|
# Main idea: read system tables (hereafter - 'ST') metadata and generate all possible DML and DDL
|
|
# statements that are intended to:
|
|
# a) restrict ST by creating new table with foreign key to selected ST (if it has PK or UK);
|
|
# b) change data by issuing INSERT / UPDATE / DELETE statements; also try SELECT ... WITH LOCK;
|
|
# c) change metadata: add column, alter column (drop NULL constraint, add new contraint, add DEFAULT value),
|
|
# drop column;
|
|
# d) aux. actions: attempt to drop ST.
|
|
# *** 11-apr-2018: EXCLUDED attempt to create index on ST: now it is allowed, see CORE-5746 ***
|
|
# e) make indirect changes: apply ALTER SEQUENCE statement for system generators
|
|
#
|
|
# Test contains following statements and procedures:
|
|
# 1) creating two users, one of them is granted with role RDB$ADMIN.
|
|
# Both these users are granted to create/alter/drop any kinds of database objects.
|
|
# 2) creating several user objects (domain, exception, collation, sequence, master/detail tables, trigger,
|
|
# view, stanalone procedure and standalone function and package). These objects are created in order
|
|
# to add some data in system tables that can be later actually affected by vulnerable expressions;
|
|
# 3) proc sp_gen_expr_for_creating_fkeys:
|
|
# reads definition of every system table and if it has PK/UK than generate expressions for item "a":
|
|
# they will create completely new table with set of fields which id appropriate to build FOREIGN KEY
|
|
# to selected ST. Generated expressions are added to special table `vulnerable_on_sys_tables`;
|
|
# 4) proc sp_gen_expr_for_direct_change:
|
|
# reads definition of every system table and generates DML and DDL expressions for items "b" ... "e" described
|
|
# in the previous section. These expressions are also added to table `vulnerable_on_sys_tables`;
|
|
# 5) proc sp_run_vulnerable_expressions:
|
|
# reads expressions from table `vulnerable_on_sys_tables` and tries to run each of them via ES/EDS with user
|
|
# and role that are passed as input arguments. If expression raises exception than this SP will log its gdscode
|
|
# in WHEN ANY block and expression then is suppressed.
|
|
# If expression PASSES successfully than this SP *also* will log this event.
|
|
# 6) two calls of sp_run_vulnerable_expressions: one for non-privileged user and second for user with role RDB$ADMIN.
|
|
# 7) select values of raised gdscodes (distinct) in order to check that only ONE gdscode occured (335544926).
|
|
# 8) select expressions that were PASSED without exceptions.
|
|
#
|
|
# Checked on:
|
|
# 3.0.4.32947: OK, SS: 22s, CS: 37s
|
|
# 4.0.0.955: OK, SS: 35s, CS: 33s
|
|
#
|
|
# REFACTORED 18.02.2020: most of initial code was moved into $files_location/core_4731.sql; changed test_type to 'Python'.
|
|
# Checked 18.02.2020 afte refactoring:
|
|
# 4.0.0.1773 SS: 11.759s.
|
|
# 4.0.0.1773 SC: 15.374s.
|
|
# 4.0.0.1773 CS: 13.561s.
|
|
# 3.0.6.33247 SS: 8.431s.
|
|
# 3.0.6.33247 SC: 11.419s.
|
|
# 3.0.6.33247 CS: 10.846s.
|
|
#
|
|
# tracker_id: CORE-4731
|
|
# min_versions: ['3.0']
|
|
# versions: 3.0
|
|
# qmid: None
|
|
|
|
import pytest
|
|
from pathlib import Path
|
|
from firebird.qa import db_factory, python_act, Action, user_factory, User
|
|
from firebird.driver import ShutdownMode, ShutdownMethod
|
|
|
|
# version: 3.0
|
|
# resources: None
|
|
|
|
substitutions_1 = []
|
|
|
|
init_script_1 = """"""
|
|
|
|
db_1 = db_factory(sql_dialect=3, init=init_script_1)
|
|
|
|
# test_script_1
|
|
#---
|
|
#
|
|
# import os
|
|
# import sys
|
|
# import subprocess
|
|
# import time
|
|
# from fdb import services
|
|
#
|
|
# os.environ["ISC_USER"] = user_name
|
|
# os.environ["ISC_PASSWORD"] = user_password
|
|
#
|
|
# this_db = db_conn.database_name
|
|
# db_conn.close()
|
|
#
|
|
# dba_privileged_name = 'tmp_c4731_cooldba'
|
|
# non_privileged_name = 'tmp_c4731_manager'
|
|
#
|
|
# #-----------------------------------
|
|
#
|
|
# def flush_and_close(file_handle):
|
|
# # https://docs.python.org/2/library/os.html#os.fsync
|
|
# # If you're starting with a Python file object f,
|
|
# # first do f.flush(), and
|
|
# # then do os.fsync(f.fileno()), to ensure that all internal buffers associated with f are written to disk.
|
|
# global os
|
|
#
|
|
# file_handle.flush()
|
|
# os.fsync(file_handle.fileno())
|
|
#
|
|
# file_handle.close()
|
|
#
|
|
# #--------------------------------------------
|
|
#
|
|
# def cleanup( f_names_list ):
|
|
# global os
|
|
# for i in range(len( f_names_list )):
|
|
# if os.path.isfile( f_names_list[i]):
|
|
# os.remove( f_names_list[i] )
|
|
# if os.path.isfile( f_names_list[i]):
|
|
# print('ERROR: can not remove file ' + f_names_list[i])
|
|
#
|
|
# #--------------------------------------------
|
|
#
|
|
#
|
|
# f_sql=open(os.path.join(context['files_location'],'core_4731.sql'),'r')
|
|
# sql_for_prepare = f_sql.read()
|
|
# f_sql.close()
|
|
#
|
|
# f_pre_sql = open( os.path.join(context['temp_directory'],'tmp_core_4731_pre.sql'), 'w')
|
|
# f_pre_sql.write( sql_for_prepare % dict(globals(), **locals()) )
|
|
# flush_and_close( f_pre_sql )
|
|
#
|
|
# f_pre_log = open( '.'.join( (os.path.splitext( f_pre_sql.name )[0], 'log') ), 'w')
|
|
# f_pre_err = open( '.'.join( (os.path.splitext( f_pre_sql.name )[0], 'err') ), 'w')
|
|
# subprocess.call( [ context['isql_path'], dsn, '-q', '-i', f_pre_sql.name ], stdout = f_pre_log, stderr = f_pre_err)
|
|
# flush_and_close( f_pre_log )
|
|
# flush_and_close( f_pre_err )
|
|
#
|
|
# runProgram( context['gfix_path'],[dsn, '-shut','full','-force','0'] )
|
|
# runProgram( context['gfix_path'],[dsn, '-online'] )
|
|
#
|
|
# sql_run='''
|
|
# -- ###################################################################################
|
|
# -- R U N A S N O N - P R I V I L E G E D U S E R
|
|
# -- ###################################################################################
|
|
# execute procedure sp_run_vulnerable_expressions('%(non_privileged_name)s', '123', 'NONE');
|
|
#
|
|
# -- Note: as of build 3.0.31810, we can SKIP restoring of 'pure-state' of RDB$ tables
|
|
# -- after this SP because non-privileged user can NOT change enything.
|
|
# -- All his attempts should FAIL, system tables should be in unchanged state.
|
|
#
|
|
# set list off;
|
|
# set heading off;
|
|
#
|
|
# select '-- Executed with role: '||trim(( select actual_role from vulnerable_on_sys_tables rows 1 ))
|
|
# ||'. Expressions that passes WITHOUT errors:' as msg
|
|
# from rdb$database
|
|
# ;
|
|
#
|
|
# commit; -- 11-04-2018, do not remove!
|
|
# set transaction no wait;
|
|
#
|
|
# set list on;
|
|
# select count(*) as "-- count_of_passed: "
|
|
# from v_passed;
|
|
#
|
|
# set list on;
|
|
# select * from v_passed;
|
|
#
|
|
# set list on;
|
|
# select distinct vulnerable_gdscode as "-- gdscode list for blocked:"
|
|
# from vulnerable_on_sys_tables
|
|
# where vulnerable_gdscode is distinct from -1;
|
|
#
|
|
# -- #########################################################################################
|
|
# -- R U N A S U S E R W H O I S G R A N T E D W I T H R B D $ A D M I N
|
|
# -- #########################################################################################
|
|
# execute procedure sp_run_vulnerable_expressions('%(dba_privileged_name)s', '123', 'RDB$ADMIN');
|
|
#
|
|
# set list off;
|
|
# set heading off;
|
|
#
|
|
# select '-- Executed with role: '||trim(( select actual_role from vulnerable_on_sys_tables rows 1 ))
|
|
# ||'. Expressions that passes WITHOUT errors:' as msg
|
|
# from rdb$database
|
|
# ;
|
|
# commit; -- 11-04-2018, do not remove!
|
|
#
|
|
# set list on;
|
|
# select count(*) as "-- count_of_passed: "
|
|
# from v_passed;
|
|
#
|
|
# set list on;
|
|
# select * from v_passed;
|
|
#
|
|
# set list on;
|
|
# select distinct vulnerable_gdscode as "-- gdscode list for blocked:"
|
|
# from vulnerable_on_sys_tables
|
|
# where vulnerable_gdscode is distinct from -1;
|
|
#
|
|
# ----------------
|
|
# commit;
|
|
#
|
|
# connect '%(dsn)s' user '%(user_name)s' password '%(user_password)s';
|
|
#
|
|
# -- ||||||||||||||||||||||||||||
|
|
# -- ###################################||| FB 4.0+, SS and SC |||##############################
|
|
# -- ||||||||||||||||||||||||||||
|
|
# -- If we check SS or SC and ExtConnPoolLifeTime > 0 (config parameter FB 4.0+) then current
|
|
# -- DB (bugs.core_NNNN.fdb) will be 'captured' by firebird.exe process and fbt_run utility
|
|
# -- will not able to drop this database at the final point of test.
|
|
# -- Moreover, DB file will be hold until all activity in firebird.exe completed and AFTER this
|
|
# -- we have to wait for <ExtConnPoolLifeTime> seconds after it (discussion and small test see
|
|
# -- in the letter to hvlad and dimitr 13.10.2019 11:10).
|
|
# -- This means that one need to kill all connections to prevent from exception on cleanup phase:
|
|
# -- SQLCODE: -901 / lock time-out on wait transaction / object <this_test_DB> is in use
|
|
# -- #############################################################################################
|
|
# delete from mon$attachments where mon$attachment_id != current_connection;
|
|
# commit;
|
|
#
|
|
# drop user %(dba_privileged_name)s;
|
|
# drop user %(non_privileged_name)s;
|
|
# commit;
|
|
# ''' % dict(globals(), **locals())
|
|
#
|
|
# f_sql_run = open( os.path.join(context['temp_directory'],'tmp_core_4731_run.sql'), 'w')
|
|
# f_sql_run.write( sql_run % dict(globals(), **locals()) )
|
|
# flush_and_close( f_sql_run )
|
|
#
|
|
# f_run_log = open( '.'.join( (os.path.splitext( f_sql_run.name )[0], 'log') ), 'w')
|
|
# f_run_err = open( '.'.join( (os.path.splitext( f_sql_run.name )[0], 'err') ), 'w')
|
|
# subprocess.call( [ context['isql_path'], dsn, '-q', '-i', f_sql_run.name ], stdout = f_run_log, stderr = f_run_err)
|
|
# flush_and_close( f_run_log )
|
|
# flush_and_close( f_run_err )
|
|
#
|
|
# # Check results:
|
|
# # ==============
|
|
#
|
|
# # 1. Print UNEXPECTED output:
|
|
# #############################
|
|
# for f in (f_pre_log, f_pre_err):
|
|
# with open( f.name,'r') as f:
|
|
# for line in f:
|
|
# if line.strip():
|
|
# print( 'UNEXPECTED '+('STDOUT' if f == f_pre_log else 'STDERR')+' WHEN PREPARE DB: ' + line )
|
|
#
|
|
# with open( f_run_err.name,'r') as f:
|
|
# for line in f:
|
|
# if line.strip():
|
|
# print( 'UNEXPECTED STDERR WHEN RUN: ' + line )
|
|
#
|
|
# # 2. Print EXPECTED output:
|
|
# ###########################
|
|
# with open( f_run_log.name,'r') as f:
|
|
# for line in f:
|
|
# if line.strip():
|
|
# print( line )
|
|
#
|
|
# # Cleanup
|
|
# #########
|
|
# cleanup( [ i.name for i in (f_pre_sql,f_pre_log,f_pre_err,f_sql_run,f_run_log,f_run_err) ] )
|
|
#
|
|
#
|
|
#---
|
|
|
|
act_1 = python_act('db_1', substitutions=substitutions_1)
|
|
|
|
expected_stdout_1 = """
|
|
-- Executed with role: NONE. Expressions that passes WITHOUT errors:
|
|
-- count_of_passed: 0
|
|
-- gdscode list for blocked: 335544926
|
|
|
|
-- Executed with role: RDB$ADMIN. Expressions that passes WITHOUT errors:
|
|
-- count_of_passed: 23
|
|
VULNERABLE_EXPR insert into RDB$BACKUP_HISTORY(RDB$BACKUP_ID , RDB$TIMESTAMP , RDB$BACKUP_LEVEL , RDB$GUID , RDB$SCN , RDB$FILE_NAME) values(null, null, null, null, null, null) returning rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR delete from RDB$DB_CREATORS t rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR insert into RDB$DB_CREATORS(RDB$USER , RDB$USER_TYPE) values(null, null) returning rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$DB_CREATORS t set t.RDB$USER = 'C' rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$DB_CREATORS t set t.RDB$USER = null rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$DB_CREATORS t set t.RDB$USER_TYPE = 32767 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$DB_CREATORS t set t.RDB$USER_TYPE = null rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$FUNCTIONS t set t.RDB$FUNCTION_SOURCE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$PACKAGES t set t.RDB$PACKAGE_BODY_SOURCE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$PACKAGES t set t.RDB$PACKAGE_HEADER_SOURCE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$PROCEDURES t set t.RDB$PROCEDURE_SOURCE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$RELATIONS t set t.RDB$VIEW_SOURCE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TRIGGERS t set t.RDB$TRIGGER_SOURCE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR insert into RDB$TYPES(RDB$FIELD_NAME , RDB$TYPE , RDB$TYPE_NAME , RDB$DESCRIPTION , RDB$SYSTEM_FLAG) values(null, null, null, null, null) returning rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$DESCRIPTION = 'test_for_blob' where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$DESCRIPTION = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$FIELD_NAME = 'C' where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$FIELD_NAME = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$SYSTEM_FLAG = 32767 where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$TYPE = 32767 where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$TYPE = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$TYPE_NAME = 'C' where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
VULNERABLE_EXPR update RDB$TYPES t set t.RDB$TYPE_NAME = null where coalesce(rdb$system_flag,0)=0 rows 1 returning t.rdb$db_key; -- length of returned rdb$dbkey=8
|
|
-- gdscode list for blocked: 335544926
|
|
"""
|
|
|
|
dba_privileged_user = user_factory('db_1', name='tmp_c4731_cooldba', password='123')
|
|
non_privileged_user = user_factory('db_1', name='tmp_c4731_manager', password='123')
|
|
|
|
@pytest.mark.version('>=3.0')
|
|
def test_1(act_1: Action, dba_privileged_user: User, non_privileged_user: User, capsys):
|
|
# Run prepare script
|
|
prep_script = (act_1.vars['files'] / 'core_4731.sql').read_text()
|
|
prep_script = prep_script % {'dba_privileged_name': dba_privileged_user.name,
|
|
'non_privileged_name': non_privileged_user.name}
|
|
act_1.isql(switches=['-q'], input=prep_script)
|
|
#
|
|
with act_1.connect_server() as srv:
|
|
srv.database.shutdown(database=act_1.db.db_path, mode=ShutdownMode.FULL,
|
|
method=ShutdownMethod.FORCED, timeout=0)
|
|
srv.database.bring_online(database=act_1.db.db_path)
|
|
#
|
|
test_script = f"""
|
|
-- ###################################################################################
|
|
-- R U N A S N O N - P R I V I L E G E D U S E R
|
|
-- ###################################################################################
|
|
execute procedure sp_run_vulnerable_expressions('{non_privileged_user.name}', '123', 'NONE');
|
|
|
|
-- Note: as of build 3.0.31810, we can SKIP restoring of 'pure-state' of RDB$ tables
|
|
-- after this SP because non-privileged user can NOT change enything.
|
|
-- All his attempts should FAIL, system tables should be in unchanged state.
|
|
|
|
set list off;
|
|
set heading off;
|
|
|
|
select '-- Executed with role: '||trim(( select actual_role from vulnerable_on_sys_tables rows 1 ))
|
|
||'. Expressions that passes WITHOUT errors:' as msg
|
|
from rdb$database
|
|
;
|
|
|
|
commit; -- 11-04-2018, do not remove!
|
|
set transaction no wait;
|
|
|
|
set list on;
|
|
select count(*) as "-- count_of_passed: "
|
|
from v_passed;
|
|
|
|
set list on;
|
|
select * from v_passed;
|
|
|
|
set list on;
|
|
select distinct vulnerable_gdscode as "-- gdscode list for blocked:"
|
|
from vulnerable_on_sys_tables
|
|
where vulnerable_gdscode is distinct from -1;
|
|
|
|
-- #########################################################################################
|
|
-- R U N A S U S E R W H O I S G R A N T E D W I T H R B D $ A D M I N
|
|
-- #########################################################################################
|
|
execute procedure sp_run_vulnerable_expressions('{dba_privileged_user.name}', '123', 'RDB$ADMIN');
|
|
|
|
set list off;
|
|
set heading off;
|
|
|
|
select '-- Executed with role: '||trim(( select actual_role from vulnerable_on_sys_tables rows 1 ))
|
|
||'. Expressions that passes WITHOUT errors:' as msg
|
|
from rdb$database
|
|
;
|
|
commit; -- 11-04-2018, do not remove!
|
|
|
|
set list on;
|
|
select count(*) as "-- count_of_passed: "
|
|
from v_passed;
|
|
|
|
set list on;
|
|
select * from v_passed;
|
|
|
|
set list on;
|
|
select distinct vulnerable_gdscode as "-- gdscode list for blocked:"
|
|
from vulnerable_on_sys_tables
|
|
where vulnerable_gdscode is distinct from -1;
|
|
|
|
----------------
|
|
commit;
|
|
|
|
connect '{act_1.db.dsn}' user '{act_1.db.user}' password '{act_1.db.password}';
|
|
|
|
-- ||||||||||||||||||||||||||||
|
|
-- ###################################||| FB 4.0+, SS and SC |||##############################
|
|
-- ||||||||||||||||||||||||||||
|
|
-- If we check SS or SC and ExtConnPoolLifeTime > 0 (config parameter FB 4.0+) then current
|
|
-- DB (bugs.core_NNNN.fdb) will be 'captured' by firebird.exe process and fbt_run utility
|
|
-- will not able to drop this database at the final point of test.
|
|
-- Moreover, DB file will be hold until all activity in firebird.exe completed and AFTER this
|
|
-- we have to wait for <ExtConnPoolLifeTime> seconds after it (discussion and small test see
|
|
-- in the letter to hvlad and dimitr 13.10.2019 11:10).
|
|
-- This means that one need to kill all connections to prevent from exception on cleanup phase:
|
|
-- SQLCODE: -901 / lock time-out on wait transaction / object <this_test_DB> is in use
|
|
-- #############################################################################################
|
|
delete from mon$attachments where mon$attachment_id != current_connection;
|
|
commit;
|
|
"""
|
|
act_1.reset()
|
|
act_1.expected_stdout = expected_stdout_1
|
|
act_1.isql(switches=['-q'], input=test_script)
|
|
assert act_1.clean_stdout == act_1.clean_expected_stdout
|