MySQL Instance With Local Infile On

ID

gcp_mysql_instance_with_local_infile

Severity

low

Vendor

GCP

Resource

AIM

Tags

non-reachable

Description

The local_infile option in MySQL allows data files to be loaded from the client host into a table on the server host. This can be useful for importing or exporting data using CSV files.

However, it can also pose a security risk if an attacker can cause a malicious file to be loaded.

To fix it, set the local_infile flag to 'off' or remove it for MySQL databases.

Learn more about this topic at MySQL - Security Considerations for LOAD DATA LOCAL.

Examples

---
- name: create a mysql instance
  google.cloud.gcp_sql_instance:
    name: test_object
    database_version: "MYSQL"
    settings:
      tier: db-n1-standard-1
      databaseFlags:
        - name: local_infile
          value: 'on'
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create a mysql instance
  google.cloud.gcp_sql_instance:
    name: test_object
    database_version: "MYSQL"
    settings:
      tier: db-n1-standard-1
      databaseFlags:
        - name: local_infile
          value: 'off'
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
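
To confirm the fix on instances that are already deployed, the same condition can be checked against the Cloud SQL instance listing. The script below is an added example, not part of the original rule. It assumes its input has the shape of `gcloud sql instances list --format=json` output, and the instance names in the sample are constructed.

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`.
SAMPLE = """
[
  {"name": "orders-db", "databaseVersion": "MYSQL_8_0",
   "settings": {"databaseFlags": [{"name": "local_infile", "value": "on"}]}},
  {"name": "reports-db", "databaseVersion": "MYSQL_5_7",
   "settings": {"databaseFlags": [{"name": "local_infile", "value": "off"}]}},
  {"name": "legacy-db", "databaseVersion": "MYSQL_5_7",
   "settings": {"tier": "db-n1-standard-1"}},
  {"name": "analytics-pg", "databaseVersion": "POSTGRES_14",
   "settings": {"databaseFlags": [{"name": "log_connections", "value": "on"}]}}
]
"""


def find_local_infile_on(instances):
    """Return the names of MySQL instances whose local_infile flag is 'on'.

    An instance with the flag set to 'off', or with no local_infile flag
    at all, is treated as compliant, matching the fix described above.
    """
    findings = []
    for inst in instances:
        version = str(inst.get("databaseVersion", "")).upper()
        if not version.startswith("MYSQL"):
            continue  # the rule only applies to MySQL instances
        # settings or databaseFlags may be missing when no flags are set
        flags = (inst.get("settings") or {}).get("databaseFlags") or []
        for flag in flags:
            value = str(flag.get("value", "")).strip().lower()
            if flag.get("name") == "local_infile" and value == "on":
                findings.append(inst.get("name"))
                break
    return findings


if __name__ == "__main__":
    for name in find_local_infile_on(json.loads(SAMPLE)):
        print(f"{name}: local_infile is on; set it to 'off' or remove the flag")
```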