WL#16482: mysqldump blindly trusting SHOW CREATE TABLE leads

  to arbitrary code execution.

9.x version

Introduced a --[skip-]system-command command line/config file option
for the mysql binary.
Type: boolean
Default: OFF

When a system command or the abbreviated \! is specified, an error will
be printed and the command won't be executed. Unless --system-command
is passed on the mysql's command line

Test case added.

Change-Id: Ied3ade8e0a54cf3ce5ce7c328c15341faf5e2f1f

Author: gkodinov

client/mysql.cc

@@ -251,6 +251,8 @@ static char *opt_register_factor = nullptr;
 static bool opt_tel_plugin = false;
 static const char *opt_tel_plugin_name = "telemetry_client";
 
+static bool opt_system_command = false;
+
 static struct my_option my_empty_options[] = {
     {nullptr, 0, nullptr, nullptr, nullptr, nullptr, GET_NO_ARG, NO_ARG, 0, 0,
      0, nullptr, 0, nullptr}};
@@ -429,7 +431,8 @@ static COMMANDS commands[] = {
      "Execute an SQL script file. Takes a file name as an argument."},
     {"status", 's', com_status, false,
      "Get status information from the server."},
-    {"system", '!', com_shell, true, "Execute a system shell command."},
+    {"system", '!', com_shell, true,
+     "Execute a system shell command, if enabled"},
     {"tee", 'T', com_tee, true,
      "Set outfile [to_outfile]. Append everything into given outfile."},
     {"use", 'u', com_use, true,
@@ -2086,6 +2089,10 @@ static struct my_option my_long_options[] = {
      "Specifies factor for which registration needs to be done for.",
      &opt_register_factor, &opt_register_factor, nullptr, GET_STR, REQUIRED_ARG,
      0, 0, 0, nullptr, 0, nullptr},
+    {"system-command", 0,
+     "Enable or disable (by default) the 'system' mysql command.",
+     &opt_system_command, &opt_system_command, nullptr, GET_BOOL, NO_ARG, 0, 0,
+     0, nullptr, 0, nullptr},
     {nullptr, 0, nullptr, nullptr, nullptr, nullptr, GET_NO_ARG, NO_ARG, 0, 0,
      0, nullptr, 0, nullptr}};
 
@@ -4501,6 +4508,13 @@ static int com_shell(String *buffer [[maybe_unused]],
     put_info("Usage: \\! shell-command", INFO_ERROR);
     return -1;
   }
+
+  if (!opt_system_command) {
+    return put_info(
+        "'system' command received, but the --system-command option is off. "
+        "Skipping.",
+        INFO_ERROR);
+  }
   /*
     The output of the shell command does not
     get directed to the pager or the outfile

mysql-test/r/mysql.result

@@ -603,5 +603,15 @@ what
 what
 8check if delimiter is restored
 # Cleanup
+#
+# Bug # 36377685: mysqldump blindly trusting SHOW CREATE TABLE leads to
+#   arbitrary code execution.
+#
+# Test "system": Must return an error
+ERROR at line 1: 'system' command received, but the --system-command option is off. Skipping.
+# Test "!": Must return an error
+ERROR at line 1: 'system' command received, but the --system-command option is off. Skipping.
+# Test "system": Must pass
+Hello World
 
 End of tests

mysql-test/t/mysql.test

@@ -1,4 +1,5 @@
-#
+
+
 # Testing the MySQL command line client(mysql)
 #
 
@@ -761,7 +762,21 @@ exec $MYSQL < $MYSQLTEST_VARDIR/tmp/bug35290350.sql;
 --echo # Cleanup
 remove_file $MYSQLTEST_VARDIR/tmp/bug35290350.sql;
 
+--echo #
+--echo # Bug # 36377685: mysqldump blindly trusting SHOW CREATE TABLE leads to
+--echo #   arbitrary code execution.
+--echo #
+
+--echo # Test "system": Must return an error
+--error 1
+--exec $MYSQL test -e "system ls;" 2>&1
+
+--echo # Test "!": Must return an error
+--error 1
+--exec $MYSQL test -e "\\! ls" 2>&1
 
+--echo # Test "system": Must pass
+--exec $MYSQL test --system-command -e "system echo Hello World;" 2>&1
 
 --echo
 --echo End of tests

mysql-test/t/mysql_system_cmd_unix.test

@@ -3,9 +3,9 @@
 # Check that the mysql client's system command(\! in short) can execute
 # commands on the command interpreter through which the client is invoked
 # and that it can use the latter's STDIN, STDOUT and STDERR streams.
---exec $MYSQL test -e "system echo From_system_to_STDOUT" 2>&1
---exec $MYSQL test -e "\\! echo From_\\\\!_to_STDOUT" 2>&1
---exec $MYSQL test -e "system echo From_system_to_STDERR >> /dev/stderr" 2>&1
---exec $MYSQL test -e "\\! echo From_\\\\!_to_STDERR >> /dev/stderr" 2>&1
---exec echo "From_STDIN_to_system" |  $MYSQL test -e "system cat" 2>&1
---exec echo "From_STDIN_to_\\!" |  $MYSQL test -e "\\! cat" 2>&1
+--exec $MYSQL --system-command test -e "system echo From_system_to_STDOUT" 2>&1
+--exec $MYSQL --system-command test -e "\\! echo From_\\\\!_to_STDOUT" 2>&1
+--exec $MYSQL --system-command test -e "system echo From_system_to_STDERR >> /dev/stderr" 2>&1
+--exec $MYSQL --system-command test -e "\\! echo From_\\\\!_to_STDERR >> /dev/stderr" 2>&1
+--exec echo "From_STDIN_to_system" |  $MYSQL test --system-command -e "system cat" 2>&1
+--exec echo "From_STDIN_to_\\!" |  $MYSQL test --system-command -e "\\! cat" 2>&1

mysql-test/t/mysql_win32_system.test

@@ -4,8 +4,8 @@
 --echo # WL#13391: Enable the "system" mysql command line command for windows
 --echo #
 
---exec $MYSQL test -e "system echo haha" 2>&1
---exec $MYSQL test -e "\\! echo hihi" 2>&1
---exec $MYSQL test -e "system rmdir \\"$MYSQL_TMP_DIR\\non_existent_dir\\"" 2>&1
+--exec $MYSQL test --system-command -e "system echo haha" 2>&1
+--exec $MYSQL test --system-command -e "\\! echo hihi" 2>&1
+--exec $MYSQL test --system-command -e "system rmdir \\"$MYSQL_TMP_DIR\\non_existent_dir\\"" 2>&1
 
 --echo # End of 8.0 tests