gcp-sql-mysql-local_infile-on
Ensure MySQL database 'local_infile' flag is set to 'off'
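It is recommended to disable dangerous MySQL features such as LOAD DATA LOCAL, as they could allow an attacker to read arbitrary files on the server side and potentially access sensitive data. LOAD DATA LOCAL reads the file from the host running the MySQL client, so the exposed machine is typically the application server that connects to the database.
Examples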
Insecure Example
# Cloud SQL MySQL instance that FAILS this check: the local_infile database
# flag is explicitly switched on.
resource "google_sql_database_instance" "mydb" {
  database_version = "MYSQL_8_0"
  name             = "mydb"
  project          = "some-project"
  region           = "us-central1"

  settings {
    # Scalar arguments first, nested blocks after.
    activation_policy      = "ALWAYS"
    availability_type      = "ZONAL"
    crash_safe_replication = "false"
    disk_autoresize        = "true"
    disk_size              = "10"
    disk_type              = "PD_SSD"
    pricing_plan           = "PER_USE"
    replication_type       = "SYNCHRONOUS"
    tier                   = "db-n1-standard-1"

    backup_configuration {
      binary_log_enabled             = "true"
      enabled                        = "true"
      location                       = "us"
      point_in_time_recovery_enabled = "false"
      start_time                     = "18:00"
    }

    # Finding: with local_infile = "on" the server accepts LOAD DATA LOCAL,
    # which is the setting this check reports.
    database_flags {
      name  = "local_infile"
      value = "on"
    }

    ip_configuration {
      ipv4_enabled = "true"
      require_ssl  = "false"
    }

    location_preference {
      zone = "us-central1-a"
    }

    maintenance_window {
      day  = "0"
      hour = "0"
    }
  }
}
Secure Example
# Cloud SQL MySQL instance that PASSES this check: the local_infile database
# flag is explicitly switched off. "Secure" here refers to this check only.
resource "google_sql_database_instance" "mydb" {
  database_version = "MYSQL_8_0"
  name             = "mydb"
  project          = "some-project"
  region           = "us-central1"

  settings {
    # Scalar arguments first, nested blocks after.
    activation_policy      = "ALWAYS"
    availability_type      = "ZONAL"
    crash_safe_replication = "false"
    disk_autoresize        = "true"
    disk_size              = "10"
    disk_type              = "PD_SSD"
    pricing_plan           = "PER_USE"
    replication_type       = "SYNCHRONOUS"
    tier                   = "db-n1-standard-1"

    backup_configuration {
      binary_log_enabled             = "true"
      enabled                        = "true"
      location                       = "us"
      point_in_time_recovery_enabled = "false"
      start_time                     = "18:00"
    }

    # Prefer stating the flag explicitly over relying on a default: upstream
    # MySQL defaults local_infile to OFF in 8.0 but to ON in older releases,
    # and a managed service may apply its own default. Confirm the effective
    # value for your database_version before omitting this block.
    database_flags {
      name  = "local_infile"
      value = "off"
    }

    # NOTE(review): outside the scope of this check, but a public IPv4 address
    # combined with require_ssl = "false" permits unencrypted client
    # connections; review these settings separately.
    ip_configuration {
      ipv4_enabled = "true"
      require_ssl  = "false"
    }

    location_preference {
      zone = "us-central1-a"
    }

    maintenance_window {
      day  = "0"
      hour = "0"
    }
  }
}