Skip to content

Instantly share code, notes, and snippets.

@lefred
Last active February 19, 2021 07:59

Revisions

  1. lefred revised this gist Feb 3, 2017. No changes.
  2. lefred created this gist Feb 3, 2017.
    103 changes: 103 additions & 0 deletions maskit.sh
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,103 @@
    !#/bin/bash

    # date 2017-01-23

    proxy_user=admin
    proxy_pwd=admin
    proxy_port=6032
    proxy_host=127.0.0.1

    username=devel

    which mysqladmin >/dev/null 2>&1
    if [ $? -ne 0 ]
    then
    echo "mysql client is not found in path, please install..."
    exit 2
    fi


    if [ $# -eq 0 ]
    then
    echo "$0 requires options:"
    echo " -c to specify a column,"
    echo " -t to specify a table where select * is not allowed"
    exit 1
    fi

    while getopts ":c:t:" opt
    do
    case $opt in
    c)
    echo "column: $OPTARG"
    COLUMN=$OPTARG
    ;;
    t)
    echo "table: $OPTARG"
    TABLE=$OPTARG
    ;;
    \?)
    echo "Invalid option: -$OPTARG"
    exit 1
    ;;
    :)
    echo "Option -$OPTARG requires an argument."
    exit 1
    ;;
    esac
    done

    #check the column rules
    if [ "$COLUMN" != "" ]
    then
    # we don't perform check (yet) so watchout for duplicates
    mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "INSERT INTO mysql_query_rules
    (active,username,match_pattern,replace_pattern,apply,re_modifiers)
    VALUES
    (1,'${username}','\`*${COLUMN}*\`','${COLUMN}',0,'caseless,global'),
    (1,'${username}','(\(?)(\`?\w+\`?\.)?${COLUMN}(\)?)([ ,\n])',\"\1CONCAT(LEFT(\2${COLUMN},2),REPEAT('X',10))\3 ${COLUMN}\4\",0,'caseless,global'),
    (1,'${username}','\)(\)?) ${COLUMN}\s+(\w),',')\1 \2,',1,'caseless,global'),
    (1,'${username}','\)(\)?) ${COLUMN}\s+(.*)\s+from',')\1 \2 from',1,'caseless,global');"

    fi

    # check if we need to add a rule to avoid select * in a table
    if [ "$TABLE" != "" ]
    then
    # connect to proxysql and check is a rule already exists
    echo $(mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "select rule_id,active from mysql_query_rules where match_pattern like '^SELECT \*.*FROM.*${TABLE}';" 2>/dev/null) | while read rule_id active
    do
    if [ "$rule_id" != "" ]
    then
    echo -n "there is already a rule : rule_id = $rule_id "
    if [ "$active" == "1" ]
    then
    echo "[active]"
    else
    echo "[inactive]"
    # we need to activate it
    mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "update mysql_query_rules set active=1 where rule_id=$rule_id"
    fi
    else
    echo "let's add the rules..."
    mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "INSERT INTO mysql_query_rules (active,username,match_pattern,error_msg,re_modifiers)
    VALUES (1,'${username}','^SELECT\s+\*.*FROM.*${TABLE}',
    'Query not allowed due to sensitive information, please contact [email protected]','caseless,global' );"
    mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "INSERT INTO mysql_query_rules (active,username,match_pattern,error_msg,re_modifiers)
    VALUES (1,'${username}','^SELECT\s+${TABLE}\.\*.*FROM.*${TABLE}',
    'Query not allowed due to sensitive information, please contact [email protected]','caseless,global' );"
    mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "INSERT INTO mysql_query_rules (active,username,match_pattern,error_msg,re_modifiers)
    VALUES (1,'${username}','^SELECT\s+(\w+)\.\*.*FROM.*${TABLE}\s+(as\s+)?(\1)',
    'Query not allowed due to sensitive information, please contact [email protected]','caseless,global' );"
    fi
    done
    fi

    mysql -BN -u ${proxy_user} -p${proxy_pwd} -h ${proxy_host} -P${proxy_port} \
    -e "set mysql-query_processor_regex=1; load mysql variables to runtime; load mysql query rules to runtime;"