Headline
CVE-2023-29194: [Backport] Update topo {Get,Create}Keyspace to prevent invalid keyspa… · vitessio/vitess@adf1019
Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). This issue is fixed in version 16.0.1. As a workaround, delete the offending keyspace using a CLI client (vtctldclient).
Permalink
Browse files
[Backport] Update topo {Get,Create}Keyspace to prevent invalid keyspa…
…ce names (#12732) (#12771)
* Update topo {Get,Create}Keyspace to prevent invalid keyspace names (#12732)
* Update topo {Get,Create}Keyspace to prevent invalid keyspace names
Signed-off-by: Andrew Mason andrew@planetscale.com
* embarrassing
Signed-off-by: Andrew Mason andrew@planetscale.com
* docs, release notes
Signed-off-by: Andrew Mason andrew@planetscale.com
* only validate, do not correct
Signed-off-by: Andrew Mason andrew@planetscale.com
* broader restrictions via allow-list
Signed-off-by: Andrew Mason andrew@planetscale.com
* Revert “broader restrictions via allow-list”
This reverts commit 5354d4f.
Signed-off-by: Andrew Mason andrew@planetscale.com
* tighten up release notes scope
Signed-off-by: Andrew Mason andrew@planetscale.com
* Update go/vt/topo/keyspace.go
Co-authored-by: Florent Poinsard 35779988+frouioui@users.noreply.github.com Signed-off-by: Andrew Mason andrew@planetscale.com
Signed-off-by: Andrew Mason andrew@planetscale.com Co-authored-by: Florent Poinsard 35779988+frouioui@users.noreply.github.com
* update notes and comments
Signed-off-by: Andrew Mason andrew@planetscale.com
Signed-off-by: Andrew Mason andrew@planetscale.com Co-authored-by: Florent Poinsard 35779988+frouioui@users.noreply.github.com
- Loading branch information
Related news
### Impact Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using `vtctldclient GetKeyspaces` will also return an error. Note that all other keyspaces can still be administered using the CLI (vtctldclient). ### Patches v16.0.1 (corresponding to 0.16.1 on pkg.go.dev) ### Workarounds Delete the offending keyspace using a CLI client (vtctldclient) ``` vtctldclient --server ... DeleteKeyspace a/b ``` Found during a security audit sponsored by the [CNCF](https://cncf.io) and facilitated by [OSTIF](https://ostif.org).