Add AllowLoadLocalInfile connection string option. Fixes #643

Author: bgrainger

docs/content/troubleshooting/load-data-local-infile.md

@@ -0,0 +1,45 @@
+---
+lastmod: 2019-05-23
+date: 2019-05-23
+title: Load Data Local Infile
+weight: 30
+menu:
+  main:
+    parent: troubleshooting
+---
+
+# Load Data Local Infile
+
+## Background
+
+MySQL Server supports a `LOAD DATA` command that can bulk load data from a CSV or TSV file.
+This normally loads data from a file on the server, but it can load from a file on the client by using
+the `LOAD DATA LOCAL` statement, or by setting `MySqlBulkLoader.Local = true`.
+
+## Errors
+
+If you do this, you may receive one of the following errors:
+
+* The used command is not allowed with this MySQL version
+* To use MySqlBulkLoader.Local=true, set AllowLoadLocalInfile=true in the connection string.
+* To use LOAD DATA LOCAL INFILE, set AllowLoadLocalInfile=true in the connection string.
+* Use SourceStream or SslMode >= VerifyCA for LOAD DATA LOCAL INFILE.
+
+## Cause
+
+`LOAD DATA LOCAL INFILE` is disabled by default because it poses a security risk. A
+malicious server or proxy could send a fake “local infile request” packet to the client and
+read any file that the client has permission to open.
+
+For more information, see [the MySQL documentation](https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html).
+
+## How to Fix
+
+To allow `LOAD DATA LOCAL INFILE` to succeed, you must set `AllowLoadLocalInfile=true`
+in the client’s connection string.
+
+If you use `MySqlBulkerLoader` and set `Local=true`, then everything should work by default.
+
+If you are manually creating a `LOAD DATA LOCAL INFILE` statement, you must be connected
+to a trusted server. This requires specifying `SslMode=VerifyCA` or `SslMode=VerifyFull` in the
+connection string. Alternatively, rewrite the code to use `MySqlBulkLoader`.

src/MySqlConnector/Core/ConnectionSettings.cs

@@ -64,6 +64,7 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			MaximumPoolSize = (int) csb.MaximumPoolSize;
 
 			// Other Options
+			AllowLoadLocalInfile = csb.AllowLoadLocalInfile;
 			AllowPublicKeyRetrieval = csb.AllowPublicKeyRetrieval;
 			AllowUserVariables = csb.AllowUserVariables;
 			AllowZeroDateTime = csb.AllowZeroDateTime;
@@ -146,6 +147,7 @@ private static MySqlGuidFormat GetEffectiveGuidFormat(MySqlGuidFormat guidFormat
 		public int MaximumPoolSize { get; }
 
 		// Other Options
+		public bool AllowLoadLocalInfile { get; }
 		public bool AllowPublicKeyRetrieval { get; }
 		public bool AllowUserVariables { get; }
 		public bool AllowZeroDateTime { get; }

src/MySqlConnector/Core/ResultSet.cs

@@ -63,10 +63,12 @@ public async Task<ResultSet> ReadResultSetHeaderAsync(IOBehavior ioBehavior)
 					{
 						try
 						{
+							if (!Connection.AllowLoadLocalInfile)
+								throw new NotSupportedException("To use LOAD DATA LOCAL INFILE, set AllowLoadLocalInfile=true in the connection string. See https://fl.vu/mysql-load-data");
 							var localInfile = LocalInfilePayload.Create(payload.AsSpan());
 							if (!IsHostVerified(Connection)
 								&& !localInfile.FileName.StartsWith(MySqlBulkLoader.StreamPrefix, StringComparison.Ordinal))
-								throw new NotSupportedException("Use SourceStream or SslMode >= VerifyCA for LOAD DATA LOCAL INFILE");
+								throw new NotSupportedException("Use SourceStream or SslMode >= VerifyCA for LOAD DATA LOCAL INFILE. See https://fl.vu/mysql-load-data");
 
 							using (var stream = localInfile.FileName.StartsWith(MySqlBulkLoader.StreamPrefix, StringComparison.Ordinal) ?
 								MySqlBulkLoader.GetAndRemoveStream(localInfile.FileName) :

src/MySqlConnector/MySql.Data.MySqlClient/MySqlBulkLoader.cs

@@ -185,17 +185,31 @@ private async Task<int> LoadAsync(IOBehavior ioBehavior, CancellationToken cance
                 Connection.Open();
             }
 
+            bool closeStream = SourceStream is object;
             try
             {
+                if (Local && !Connection.AllowLoadLocalInfile)
+                    throw new NotSupportedException("To use MySqlBulkLoader.Local=true, set AllowLoadLocalInfile=true in the connection string. See https://fl.vu/mysql-load-data");
+
                 var commandString = BuildSqlCommand();
                 var cmd = new MySqlCommand(commandString, Connection, Connection.CurrentTransaction)
                 {
                     CommandTimeout = Timeout,
                 };
-                return await cmd.ExecuteNonQueryAsync(ioBehavior, cancellationToken).ConfigureAwait(false);
+                var result = await cmd.ExecuteNonQueryAsync(ioBehavior, cancellationToken).ConfigureAwait(false);
+                closeStream = false;
+                return result;
             }
             finally
             {
+                if (closeStream)
+                {
+                    using (GetAndRemoveStream(FileName))
+                    {
+                        // close the stream
+                    }
+                }
+
                 if (closeConnection)
                     Connection.Close();
             }

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnection.cs

@@ -514,6 +514,7 @@ internal async Task<CachedProcedure> GetCachedProcedure(IOBehavior ioBehavior, s
 		}
 
 		internal MySqlTransaction CurrentTransaction { get; set; }
+		internal bool AllowLoadLocalInfile => m_connectionSettings.AllowLoadLocalInfile;
 		internal bool AllowUserVariables => m_connectionSettings.AllowUserVariables;
 		internal bool AllowZeroDateTime => m_connectionSettings.AllowZeroDateTime;
 		internal bool ConvertZeroDateTime => m_connectionSettings.ConvertZeroDateTime;

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnectionStringBuilder.cs

@@ -166,6 +166,12 @@ public uint MaximumPoolSize
 		}
 
 		// Other Options
+		public bool AllowLoadLocalInfile
+		{
+			get => MySqlConnectionStringOption.AllowLoadLocalInfile.GetValue(this);
+			set => MySqlConnectionStringOption.AllowLoadLocalInfile.SetValue(this, value);
+		}
+
 		public bool AllowPublicKeyRetrieval
 		{
 			get => MySqlConnectionStringOption.AllowPublicKeyRetrieval.GetValue(this);
@@ -385,6 +391,7 @@ internal abstract class MySqlConnectionStringOption
 		public static readonly MySqlConnectionStringOption<uint> MaximumPoolSize;
 
 		// Other Options
+		public static readonly MySqlConnectionStringOption<bool> AllowLoadLocalInfile;
 		public static readonly MySqlConnectionStringOption<bool> AllowPublicKeyRetrieval;
 		public static readonly MySqlConnectionStringOption<bool> AllowUserVariables;
 		public static readonly MySqlConnectionStringOption<bool> AllowZeroDateTime;
@@ -532,6 +539,10 @@ static MySqlConnectionStringOption()
 				defaultValue: 100));
 
 			// Other Options
+			AddOption(AllowLoadLocalInfile = new MySqlConnectionStringOption<bool>(
+				keys: new[] { "AllowLoadLocalInfile", "Allow Load Local Infile" },
+				defaultValue: false));
+
 			AddOption(AllowPublicKeyRetrieval = new MySqlConnectionStringOption<bool>(
 				keys: new[] { "AllowPublicKeyRetrieval", "Allow Public Key Retrieval" },
 				defaultValue: false));

src/MySqlConnector/Protocol/Payloads/HandshakeResponse41Payload.cs

@@ -20,7 +20,7 @@ private static ByteBufferWriter CreateCapabilitiesPayload(ProtocolCapabilities s
 				(serverCapabilities & ProtocolCapabilities.PluginAuthLengthEncodedClientData) |
 				ProtocolCapabilities.MultiStatements |
 				ProtocolCapabilities.MultiResults |
-				ProtocolCapabilities.LocalFiles |
+				(cs.AllowLoadLocalInfile ? (serverCapabilities & ProtocolCapabilities.LocalFiles) : 0) |
 				(string.IsNullOrWhiteSpace(cs.Database) ? 0 : ProtocolCapabilities.ConnectWithDatabase) |
 				(cs.UseAffectedRows ? 0 : ProtocolCapabilities.FoundRows) |
 				(useCompression ? ProtocolCapabilities.Compress : ProtocolCapabilities.None) |

tests/MySqlConnector.Tests/MySqlConnectionStringBuilderTests.cs

@@ -10,6 +10,7 @@ public class MySqlConnectionStringBuilderTests
 		public void Defaults()
 		{
 			var csb = new MySqlConnectionStringBuilder();
+			Assert.False(csb.AllowLoadLocalInfile);
 			Assert.False(csb.AllowPublicKeyRetrieval);
 			Assert.False(csb.AllowUserVariables);
 			Assert.False(csb.AllowZeroDateTime);
@@ -78,6 +79,7 @@ public void ParseConnectionString()
 			{
 				ConnectionString = "Data Source=db-server;" +
 					"Initial Catalog=schema_name;" +
+					"allow load local infile=true;" +
 					"allowpublickeyretrieval = true;" +
 					"Allow User Variables=true;" +
 					"allow zero datetime=true;" +
@@ -128,6 +130,7 @@ public void ParseConnectionString()
 					"Uid=username;" +
 					"useaffectedrows=true"
 			};
+			Assert.True(csb.AllowLoadLocalInfile);
 			Assert.True(csb.AllowPublicKeyRetrieval);
 			Assert.True(csb.AllowUserVariables);
 			Assert.True(csb.AllowZeroDateTime);

tests/SideBySide/BulkLoaderSync.cs

@@ -542,13 +542,9 @@ public void BulkLoadLocalMemoryStream()
 
 		internal static string GetLocalConnectionString()
 		{
-#if BASELINE
 			var csb = AppConfig.CreateConnectionStringBuilder();
 			csb.AllowLoadLocalInfile = true;
 			return csb.ConnectionString;
-#else
-			return AppConfig.ConnectionString;
-#endif
 		}
 
 		readonly string m_testTable;