github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/sql/mysql_no_local_infile.go (about) 1 package sql 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/providers/google/sql" 7 "github.com/khulnasoft-lab/defsec/pkg/scan" 8 "github.com/khulnasoft-lab/defsec/pkg/severity" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 ) 11 12 var CheckMysqlNoLocalInfile = rules.Register( 13 scan.Rule{ 14 AVDID: "AVD-GCP-0026", 15 Provider: providers.GoogleProvider, 16 Service: "sql", 17 ShortCode: "mysql-no-local-infile", 18 Summary: "Disable local_infile setting in MySQL", 19 Impact: "Arbitrary files read by attackers when combined with a SQL injection vulnerability.", 20 Resolution: "Disable the local infile setting", 21 Explanation: `Arbitrary files can be read from the system using LOAD_DATA unless this setting is disabled.`, 22 Links: []string{ 23 "https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html", 24 }, 25 Terraform: &scan.EngineMetadata{ 26 GoodExamples: terraformMysqlNoLocalInfileGoodExamples, 27 BadExamples: terraformMysqlNoLocalInfileBadExamples, 28 Links: terraformMysqlNoLocalInfileLinks, 29 RemediationMarkdown: terraformMysqlNoLocalInfileRemediationMarkdown, 30 }, 31 Severity: severity.High, 32 }, 33 func(s *state.State) (results scan.Results) { 34 for _, instance := range s.Google.SQL.Instances { 35 if instance.Metadata.IsUnmanaged() { 36 continue 37 } 38 if instance.DatabaseFamily() != sql.DatabaseFamilyMySQL { 39 continue 40 } 41 if instance.Settings.Flags.LocalInFile.IsTrue() { 42 results.Add( 43 "Database instance has local file read access enabled.", 44 instance.Settings.Flags.LocalInFile, 45 ) 46 } else { 47 results.AddPassed(&instance) 48 } 49 50 } 51 return 52 }, 53 )