*: refactor the RestrictedSQLExecutor interface

[tiancaiamao]

What problem does this PR solve?

Problem Summary:

Improve security for our code.

What is changed and how it works?

The initial definition of RestrictedSQLExecutor looks like this:

type RestrictedSQLExecutor interface {
	// ExecRestrictedSQL run sql statement in ctx with some restriction.
	ExecRestrictedSQL(sql string) ([]chunk.Row, []*ast.ResultField, error)
}

It's not good for security reasons, the usage pattern looks like this:

sql  = fmt.Sprintf('select xxx from ..%s ', varFromOutside)
stmt, err = ExecRestrictedSQL(sql) 
...

Later on, we add more methods to the interface which IMO, ugly:

	// ExecRestrictedSQLWithContext run sql statement in ctx with some restriction.
	ExecRestrictedSQLWithContext(ctx context.Context, sql string, opts ...OptionFuncAlias) ([]chunk.Row, []*ast.ResultField, error)
	// ExecRestrictedSQLWithSnapshot run sql statement in ctx with some restriction and with snapshot.
	// If current session sets the snapshot timestamp, then execute with this snapshot timestamp.
	// Otherwise, execute with the current transaction start timestamp if the transaction is valid.
	ExecRestrictedSQLWithSnapshot(sql string) ([]chunk.Row, []*ast.ResultField, error)

I propose to use this one as its new definition:

type RestrictedSQLExecutor interface {
	ParseWithParams(ctx context.Context, sql string, args ...interface{}) (ast.StmtNode, error)
	ExecRestrictedStmt(ctx context.Context, stmt ast.StmtNode, opts ...OptionFuncAlias) ([]chunk.Row, []*ast.ResultField, error)
}

This interface is secure, and easy to use:

stmt  = exec.ParseWithParams('select xxx from ..%? ', varFromOutside)
res, err = ExecRestrictedSQL(stmt) 
...

What's Changed:

ParseWithParams() now returns ast.StmtNode rather than []ast.StmtNode, multiple statements are not allowed here.

Update the "util", "store", and "domain" packages, ensure they use the new (secure) API.

How it Works:

Related changes

• Need to cherry-pick to the release branch

Check List

Tests

• No code

Side effects

• Breaking backward compatibility
  API change

Release note

• No release note

[xhebox]

What is the reason to remove it in the interface?

[tiancaiamao]

The external SQL all use ExecuteStmt or ExecutePrepared ...

And we have the ExecuteInternal for internal SQL already, and also the RestrictedSQLExecutor, there is no need to include this method in the interface.

[morgo]

Do we know that we can convert most uses of Execute to ExecuteInternal safely? My understanding is that ExecuteInternal is similar to Restricted, which is that it does not binary log, runs in the server permissions etc.

If we expect that COM_QUERY is the only valid case of "Execute", then that's fine. It is already switched over to ExecuteStmt (as you mention).

[xhebox]

OK, but you still leave it in the RestrictedSQLExecutor interface. I would like both-existing or both-none.

And you can completely extract SQL execution methods into another subinterface... Session could embed all sql executor interfaces,

[tiancaiamao]

We can clean up the code after the refactor finish:

Step1: introduce the new API for RestrictedSQLExecutor
Step2: use the new API to replace the old one
Step3: remove the old API

We can embed RestrictedSQLExecutor into the Session interface like this:

type Session  interface {
    RestrictedSQLExecutor
    ...
}

Keep each interface small and composable.... after we clean the usage of the old ones.

[xhebox]

Sweet!

[morgo]

I like it - much cleaner. Please fix CI:

[2021-01-27T13:04:04.687Z] util/admin/admin.go:302:15:	stmt.Restore(format.NewRestoreCtx(format.DefaultRestoreFlags, &sb))

[xhebox]

ParseWithParams with handle quotes for you. Adding quotes will cause problems.

[xhebox]

Rest LGTM, but you need to fix the CI error.

[xhebox]

LGTM

[morgo]

LGTM

[ti-srebot]

@morgo, Thanks for your review. The bot only counts LGTMs from Reviewers and higher roles, but you're still welcome to leave your comments. See the corresponding SIG page for more information. Related SIGs: execution(slack),sql-infra(slack).

[morgo]

If we remove ParseWithParams, this comment is now incorrect.

Btw: I discovered in one of my PRs that Parse can not be deprecated. It is important to have a Parse function which does not use placeholders so that a statement like this one can be parsed and then executed by ExecuteStmt:

mysql> select count(*) from t1 where formatted like '%ndan%';                                                                                                                                     |
ERROR 1105 (HY000): missing arguments, need 1-th arg, but only got 0 args 

[tiancaiamao]

okay, when I finish the rewrite, I'll clean up some deprecated methods and update the comment here.

[morgo]

LGTM

[ti-srebot]

@morgo, Thanks for your review. The bot only counts LGTMs from Reviewers and higher roles, but you're still welcome to leave your comments. See the corresponding SIG page for more information. Related SIGs: execution(slack),sql-infra(slack).

[tiancaiamao]

/merge

@morgo 's review is valid. pingcap/community#398

[morgo]

LGTM

[morgo]

/merge

[ti-srebot]

/run-all-tests

[ti-srebot]

cherry pick to release-4.0 in PR #22621

[xhebox]

Do we backport this to 5.0 and 4.0? If not, we can close the cherry-pick PRs. @tiancaiamao

[xhebox]

/label needs-cherry-pick-5.0-rc

[xhebox]

/run-cherry-picks

[ti-srebot]

cherry pick to release-5.0-rc in PR #22687