capture: do not capture sensitive commands (#682)

djshow832 · web-flow · commit 4e2dca56afb5 · 2024-09-24T02:59:52.000Z
diff --git a/pkg/sqlreplay/capture/capture.go b/pkg/sqlreplay/capture/capture.go
@@ -313,8 +313,15 @@ func (c *capture) putCommand(command *cmd.Command) bool {
 			return false
 		}
 	case pnet.ComChangeUser:
-		// COM_CHANGE_USER sends auth data, so ignore it.
-		return false
+		// COM_CHANGE_USER sends auth data, change it to COM_RESET_CONNECTION.
+		command.Type = pnet.ComResetConnection
+		command.Payload = []byte{pnet.ComResetConnection.Byte()}
+	case pnet.ComQuery:
+		// Avoid password leakage.
+		if IsSensitiveSQL(hack.String(command.Payload[1:])) {
+			c.filteredCmds++
+			return false
+		}
 	}
 	select {
 	case c.cmdCh <- command:
diff --git a/pkg/sqlreplay/capture/capture_test.go b/pkg/sqlreplay/capture/capture_test.go
@@ -265,3 +265,58 @@ func TestQuit(t *testing.T) {
 	require.Equal(t, 1, strings.Count(data, "# Cmd_type: Quit"))
 	require.Equal(t, uint64(3), cpt.capturedCmds)
 }
+
+func TestFilterCmds(t *testing.T) {
+	tests := []struct {
+		packet  []byte
+		want    string
+		notWant string
+	}{
+		{
+			packet: pnet.MakeChangeUser(&pnet.ChangeUserReq{
+				User: "root",
+				DB:   "test",
+			}, 0),
+			want:    pnet.ComResetConnection.String(),
+			notWant: pnet.ComChangeUser.String(),
+		},
+		{
+			packet:  append([]byte{pnet.ComQuery.Byte()}, []byte("CREATE USER u1 IDENTIFIED BY '123456'")...),
+			notWant: "123456",
+		},
+		{
+			packet: append([]byte{pnet.ComQuery.Byte()}, []byte("select 1")...),
+			want:   "select 1",
+		},
+	}
+
+	cfg := CaptureConfig{
+		Output:   t.TempDir(),
+		Duration: 10 * time.Second,
+	}
+	for i, test := range tests {
+		cpt := NewCapture(zap.NewNop())
+		writer := newMockWriter(store.WriterCfg{})
+		cfg.cmdLogger = writer
+		require.NoError(t, cpt.Start(cfg))
+		cpt.Capture(test.packet, time.Now(), 100, func() (string, error) {
+			return "init session 100", nil
+		})
+		cpt.Stop(nil)
+
+		data := string(writer.getData())
+		if len(test.want) > 0 {
+			require.Equal(t, 1, strings.Count(data, test.want), "case %d", i)
+			require.Equal(t, uint64(2), cpt.capturedCmds, "case %d", i)
+			require.Equal(t, uint64(0), cpt.filteredCmds, "case %d", i)
+		} else {
+			require.Equal(t, uint64(1), cpt.capturedCmds, "case %d", i)
+			require.Equal(t, uint64(1), cpt.filteredCmds, "case %d", i)
+		}
+		if len(test.notWant) > 0 {
+			require.Equal(t, 0, strings.Count(data, test.notWant), "case %d", i)
+		}
+
+		cpt.Close()
+	}
+}
diff --git a/pkg/sqlreplay/capture/filter.go b/pkg/sqlreplay/capture/filter.go
@@ -0,0 +1,59 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package capture
+
+import (
+	"github.com/pingcap/tiproxy/pkg/util/lex"
+)
+
+var sensitiveKeywords = [][]string{
+	// contain passwords
+	{
+		"CREATE", "USER",
+	},
+	{
+		"ALTER", "USER",
+	},
+	{
+		"SET", "PASSWORD",
+	},
+	{
+		"GRANT",
+	},
+	// contain cloud storage url
+	{
+		"BACKUP",
+	},
+	{
+		"RESTORE",
+	},
+	{
+		"IMPORT",
+	},
+	// not supported yet
+	{
+		"LOAD", "DATA",
+	},
+}
+
+func IsSensitiveSQL(sql string) bool {
+	lexer := lex.NewLexer(sql)
+	keyword := lexer.NextToken()
+	if len(keyword) == 0 {
+		return false
+	}
+	for _, kw := range sensitiveKeywords {
+		if keyword != kw[0] {
+			continue
+		}
+		if len(kw) <= 1 {
+			return true
+		}
+		keyword = lexer.NextToken()
+		if keyword == kw[1] {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/sqlreplay/capture/filter_test.go b/pkg/sqlreplay/capture/filter_test.go
@@ -0,0 +1,30 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package capture
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSenstiveSQL(t *testing.T) {
+	tests := []struct {
+		sql       string
+		sensitive bool
+	}{
+		{`SELECT * FROM table_name`, false},
+		{`grant ALL PRIVILEGES ON database_name.* TO 'username'@'localhost' IDENTIFIED BY 'password'`, true},
+		{`CREATE USER 'new_user'@'localhost' IDENTIFIED BY 'secure_password';`, true},
+		{` ALTER USER 'existing_user'@'localhost' IDENTIFIED BY 'new_password'`, true},
+		{`/*hello */set PASSWORD FOR 'username'@'localhost' = PASSWORD('new_password');`, true},
+		{`set global anything = 'hello' `, false},
+		{``, false},
+		{`set`, false},
+	}
+
+	for i, test := range tests {
+		require.Equal(t, test.sensitive, IsSensitiveSQL(test.sql), "case %d", i)
+	}
+}
diff --git a/pkg/sqlreplay/replay/replay.go b/pkg/sqlreplay/replay/replay.go
@@ -15,7 +15,6 @@ import (
 	"github.com/pingcap/tiproxy/lib/util/errors"
 	"github.com/pingcap/tiproxy/lib/util/waitgroup"
 	"github.com/pingcap/tiproxy/pkg/proxy/backend"
-	pnet "github.com/pingcap/tiproxy/pkg/proxy/net"
 	"github.com/pingcap/tiproxy/pkg/sqlreplay/cmd"
 	"github.com/pingcap/tiproxy/pkg/sqlreplay/conn"
 	"github.com/pingcap/tiproxy/pkg/sqlreplay/report"
@@ -169,12 +168,6 @@ func (r *replay) readCommands(ctx context.Context) {
 			r.Stop(err)
 			break
 		}
-		// Replayer always uses the same username. It has no passwords for other users.
-		// TODO: clear the session states.
-		if command.Type == pnet.ComChangeUser {
-			r.filteredCmds++
-			continue
-		}
 		if captureStartTs.IsZero() {
 			// first command
 			captureStartTs = command.StartTs
diff --git a/pkg/sqlreplay/replay/replay_test.go b/pkg/sqlreplay/replay/replay_test.go
@@ -168,7 +168,7 @@ func TestProgress(t *testing.T) {
 	}
 	defer loader.Close()
 
-	cmdCh := make(chan *cmd.Command, 10)
+	cmdCh := make(chan *cmd.Command)
 	replay := NewReplay(zap.NewNop())
 	defer replay.Close()
 	cfg := ReplayConfig{
diff --git a/pkg/util/lex/lex.go b/pkg/util/lex/lex.go
@@ -0,0 +1,76 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package lex
+
+type Lexer struct {
+	sql      string
+	curToken []byte
+	curIdx   int
+}
+
+func NewLexer(sql string) *Lexer {
+	return &Lexer{
+		sql:      sql,
+		curToken: make([]byte, 0, 100),
+	}
+}
+
+// It only returns uppercased identifiers and keywords. It's used to search for some specified keywords.
+// It doesn't need to strict but it needs to be fast enough.
+func (l *Lexer) NextToken() string {
+	l.curToken = l.curToken[:0]
+	inSingleLineComment, inMultiLineComment, inSingleQuote, inDoubleQuote := false, false, false, false
+	for ; l.curIdx < len(l.sql); l.curIdx++ {
+		char := l.sql[l.curIdx]
+		switch {
+		case inSingleLineComment:
+			if char == '\n' {
+				inSingleLineComment = false
+			}
+		case inMultiLineComment:
+			if char == '*' {
+				if l.curIdx+1 < len(l.sql) && l.sql[l.curIdx+1] == '/' {
+					inMultiLineComment = false
+					l.curIdx++
+				}
+			}
+		case inSingleQuote:
+			if char == '\\' {
+				l.curIdx++
+			} else if char == '\'' {
+				inSingleQuote = false
+			}
+		case inDoubleQuote:
+			if char == '\\' {
+				l.curIdx++
+			} else if char == '"' {
+				inDoubleQuote = false
+			}
+		case char == '-' && l.curIdx+1 < len(l.sql) && l.sql[l.curIdx+1] == '-':
+			l.curIdx++
+			inSingleLineComment = true
+		case char == '/' && l.curIdx+1 < len(l.sql) && l.sql[l.curIdx+1] == '*':
+			l.curIdx++
+			inMultiLineComment = true
+		case char == '\'':
+			inSingleQuote = true
+		case char == '"':
+			inDoubleQuote = true
+		case char >= 'a' && char <= 'z':
+			l.curToken = append(l.curToken, char-'a'+'A')
+		case char >= 'A' && char <= 'Z' || char == '_':
+			l.curToken = append(l.curToken, char)
+		default:
+			if len(l.curToken) > 0 {
+				l.curIdx++
+				return string(l.curToken)
+			}
+		}
+	}
+
+	if len(l.curToken) > 0 {
+		return string(l.curToken)
+	}
+	return ""
+}
diff --git a/pkg/util/lex/lex_test.go b/pkg/util/lex/lex_test.go
@@ -0,0 +1,59 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package lex
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNextToken(t *testing.T) {
+	tests := []struct {
+		sql    string
+		tokens []string
+	}{
+		{
+			sql:    `SELECT * FROM table_name`,
+			tokens: []string{"SELECT", "FROM", "TABLE_NAME"},
+		},
+		{
+			sql: `-- comment
+			/* comment * / "
+			*/ SELECT
+	  		-- comment
+			(*)
+			FROM table_name`,
+			tokens: []string{"SELECT", "FROM", "TABLE_NAME"},
+		},
+		{
+			sql: ` SELECT
+			"string /* */
+			" * 'string'
+			FROM '"' "'" '\\' '\'' (table_name)`,
+			tokens: []string{"SELECT", "FROM", "TABLE_NAME"},
+		},
+		{
+			sql:    ` select 123.4e-5 / (1 - 0.9) + @@hello_world 中文`,
+			tokens: []string{"SELECT", "E", "HELLO_WORLD"},
+		},
+		{
+			sql:    `sEleCt ** from; t5ble_name`,
+			tokens: []string{"SELECT", "FROM", "T", "BLE_NAME"},
+		},
+	}
+
+	for i, test := range tests {
+		l := NewLexer(test.sql)
+		tokens := make([]string, 0, len(test.tokens))
+		for {
+			token := l.NextToken()
+			if len(token) == 0 {
+				break
+			}
+			tokens = append(tokens, token)
+		}
+		require.Equal(t, test.tokens, tokens, "case %d", i)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,7 @@ func TestProgress(t *testing.T) {`
`168`	`168`	`}`
`169`	`169`	`defer loader.Close()`
`170`	`170`
`171`		`- cmdCh := make(chan *cmd.Command, 10)`
	`171`	`+ cmdCh := make(chan *cmd.Command)`
`172`	`172`	`replay := NewReplay(zap.NewNop())`
`173`	`173`	`defer replay.Close()`
`174`	`174`	`cfg := ReplayConfig{`