Fix | Reenable SqlBulkCopy in least-privilege environments#4306
Fix | Reenable SqlBulkCopy in least-privilege environments#4306edwardneal wants to merge 13 commits into
Conversation
mdaigle
added
the
Hotfix 7.0.2
* Add an UnescapedName property to DatabaseObject and use it in XEventsTracingTest. * Create ServerLogin primitive. * Create DatabaseUser primitive.
This makes DatabaseUser simpler to work with. It can store a reference to the database the user should be created in, and the class can handle switching to/from that database.
Fix bug by checking HAS_PERMS_BY_NAME over the sys.all_columns view. This is safe on all supported platforms (including Synapse Analytics dedicated and shared pools - documentation is inconsistent.) Regression tests create a low-privileged login and user in on-premise environments, then use those credentials to perform a SqlBulkCopy.
paulmedynski
force-pushed
the
fix/issue-4293
branch
from
9e71953 to
c12875c
Compare
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
mdaigle
left a comment
mdaigle
left a comment
There was a problem hiding this comment.
Still reviewing test changes.
| DECLARE @Column_Name_Query_SORT NVARCHAR(MAX); | ||
| DECLARE @Column_Name_Query NVARCHAR(MAX); | ||
| DECLARE @Column_Names NVARCHAR(MAX) = NULL; | ||
| DECLARE @Has_Permissions INT = HAS_PERMS_BY_NAME('{catalogNameStringLiteral}.[sys].[all_columns]', 'OBJECT', 'SELECT'); |
There was a problem hiding this comment.
✏️
| DECLARE @Has_Permissions INT = HAS_PERMS_BY_NAME('{catalogNameStringLiteral}.[sys].[all_columns]', 'OBJECT', 'SELECT'); | |
| DECLARE @Has_Sys_All_Columns_Permissions INT = HAS_PERMS_BY_NAME('{catalogNameStringLiteral}.[sys].[all_columns]', 'OBJECT', 'SELECT'); |
There was a problem hiding this comment.
No objection here, but I'll change this once the rest of the PR review is complete.
edwardneal
left a comment
edwardneal
left a comment
There was a problem hiding this comment.
Early responses and some additional commentary on the tests.
| DECLARE @Column_Name_Query_SORT NVARCHAR(MAX); | ||
| DECLARE @Column_Name_Query NVARCHAR(MAX); | ||
| DECLARE @Column_Names NVARCHAR(MAX) = NULL; | ||
| DECLARE @Has_Permissions INT = HAS_PERMS_BY_NAME('{catalogNameStringLiteral}.[sys].[all_columns]', 'OBJECT', 'SELECT'); |
There was a problem hiding this comment.
No objection here, but I'll change this once the rest of the PR review is complete.
| /// The type of the internal state accessible to derived types at the point of object creation | ||
| /// via the <see cref="State"/> property. | ||
| /// </typeparam> | ||
| public abstract class DatabaseObject<TState> : IDisposable |
There was a problem hiding this comment.
This is designed to solve a specific problem: generically passing state to a database object, if that state is required in order to create it. A database user is one example, but another example may be passing column encryption keys for creating Always Encrypted tables, or certificates for creating column encryption keys.
We can't just a property to do this - the base class' constructor will run first and try to create the object before the property is set.
| SqlConnectionStringBuilder tcpConnectionBuilder = new(DataTestUtility.TCPConnectionString) | ||
| { | ||
| IntegratedSecurity = false, | ||
| UserID = _unprivilegedLogin.UnescapedName, |
There was a problem hiding this comment.
This requirement for the unescaped name uses identical logic to XEventsTracingTest (and a few other places which are yet to have the RAII object retrofitted) so I added it to the DatabaseObject<TState> base class.
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR improves SqlBulkCopy behavior when the caller lacks permissions to read sys.all_columns, adding permission-gated alias/hidden-column support and new manual tests/fixtures for unprivileged-login scenarios.
Changes:
- Gate
sys.all_columnsaccess inSqlBulkCopy.CreateInitialQuery()viaHAS_PERMS_BY_NAME, falling back to*when metadata access is denied. - Add manual tests that create an unprivileged SQL login/user and validate bulk copy behavior with/without column aliases.
- Add test infrastructure: generic
DatabaseObject<TState>, transientServerLogin/DatabaseUser, and server-role/auth-mode helpers.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| src/Microsoft.Data.SqlClient/tests/ManualTests/TracingTests/XEventsTracingTest.cs | Switches to UnescapedName helper for SP name normalization in tracing verification. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/Extensions/CodeAnalysis.netfx.cs | Adds a NETFRAMEWORK-only MemberNotNullAttribute shim for nullability annotations. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/DataTestUtility.cs | Adds cached role/auth-mode checks and helpers used to gate new manual tests. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/BulkCopy/UnprivilegedLogin.cs | Introduces manual tests that run bulk copy under an unprivileged SQL login. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/BulkCopy/CopyAllFromReader.cs | Updates expected tracing counter values. |
| src/Microsoft.Data.SqlClient/tests/Common/Fixtures/DatabaseObjects/ServerLogin.cs | Adds transient server-login fixture (create/drop) for tests. |
| src/Microsoft.Data.SqlClient/tests/Common/Fixtures/DatabaseObjects/DatabaseUser.cs | Adds transient database-user fixture (create/drop) for tests. |
| src/Microsoft.Data.SqlClient/tests/Common/Fixtures/DatabaseObjects/DatabaseObject.cs | Refactors fixture base class to DatabaseObject<TState> and adds UnescapedName. |
| src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlBulkCopy.cs | Adds metadata-permission gating and alias behavior changes in initial query generation. |
| DECLARE @Column_Name_Query_SORT NVARCHAR(MAX); | ||
| DECLARE @Column_Name_Query NVARCHAR(MAX); | ||
| DECLARE @Column_Names NVARCHAR(MAX) = NULL; | ||
| DECLARE @Has_Permissions INT = HAS_PERMS_BY_NAME('{catalogNameStringLiteral}.[sys].[all_columns]', 'OBJECT', 'SELECT'); |
| using SqlCommand command = new("SELECT IS_SRVROLEMEMBER(@role)", connection); | ||
|
|
||
| connection.Open(); | ||
| command.Parameters.AddWithValue("@role", roleName); |
There was a problem hiding this comment.
That's fine. @role is used as the first parameter to IS_SRVROLEMEMBER, which is defined as sysname - an nvarchar(128).
| Random rnd = new(); | ||
|
|
||
| for(int i = 0; i < 5; i++) | ||
| { | ||
| passwordDigits[i] = (char)(UpperCaseStart + rnd.Next(26)); | ||
| } |
There was a problem hiding this comment.
That's fair. I'll change this at the same time as I rename the @Has_Permissions variable.
github-project-automation
Bot
moved this from In review
to Waiting for customer
in SqlClient Board
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4306 +/- ##
==========================================
- Coverage 65.39% 63.49% -1.91%
==========================================
Files 285 280 -5
Lines 43331 66201 +22870
==========================================
+ Hits 28337 42032 +13695
- Misses 14994 24169 +9175
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Head branch was pushed to by a user without write access
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
paulmedynski
left a comment
paulmedynski
left a comment
There was a problem hiding this comment.
Over all looks good. Asking for a few clarifications.
| /// <param name="database">The name of the database where the user will be created.</param> | ||
| /// <param name="login">The server login which the database user will be associated with.</param> | ||
| public DatabaseUser(SqlConnection connection, string database, ServerLogin login) | ||
| : base(connection, login.Name, $"FOR LOGIN {login.Name}", database, shouldCreate: true, shouldDrop: true) |
There was a problem hiding this comment.
I think it would help to always name the state: argument since it's type varies. It isn't obvious here that database is the state argument.
There was a problem hiding this comment.
Also, seeing how state is used here, I'm not sure why it is called "State". I'm not sure what concept is the type parameter <TState> represents.
There was a problem hiding this comment.
There are a few situations where we need to make specific information available to CreateObject which isn't part of the object definition. The issue is that this is called from the constructor of DatabaseObject, so any attempt to set the property in the derived class will come too late. Passing a state parameter down means that DatabaseObject can set the State property, then call CreateObject.
In the case of DatabaseUser, that state is the database name because CreateObject needs to switch to the specified database, issue the CREATE USER command, then switch back to the connection's original database.
|
|
||
| private void ExecuteCommandInDatabase(SqlCommand command) | ||
| { | ||
| string? originalDatabase = DatabaseName == command.Connection.Database ? null : command.Connection.Database; |
There was a problem hiding this comment.
Can you add comments explaining why we're comparing our DatabaseName to the connection's current database, and then swapping it around below?
| [ConditionalFact(nameof(CanRunTests))] | ||
| public void BulkCopyWithoutMetadataPermission_Succeeds() | ||
| { | ||
| AssertEnvironmentCreated(); |
There was a problem hiding this comment.
Interesting. I think all this is really doing is allowing you to access the instance members as though they are non-nullable (i.e. no null checks or ! everywhere).
We don't really need to test that xUnit behaves as documented. It will never execute a test method whose conditional isn't met, so at this point we know the constructor ran and the instance members aren't null.
I agree that this is a good approach to avoid the null clutter though.
There was a problem hiding this comment.
That's correct - this is a two-part solution.
[MemberNotNull]clears away the variables' nullability annotation warnings for any method which calls it first.Assert.NotNull's parameter is annotated with[NotNull], which eliminates the compile error which would otherwise occur (because an empty method means that control flow leaves the method without explicitly setting the variables to a non-null value.)
|
|
||
| nodeCopy.DestinationTableName = dstTable.Name; | ||
| nodeCopy.ColumnMappings.Add("Description", "Description"); | ||
| nodeCopy.WriteToServer(srcDataTable); |
There was a problem hiding this comment.
Should we confirm that the destination received the data we expect?
| using SqlConnection connection = new(TCPConnectionString); | ||
|
|
||
| connection.Open(); | ||
| using SqlCommand command = new("EXEC xp_instance_regread N'HKEY_LOCAL_MACHINE', N'Software\\Microsoft\\MSSQLServer\\MSSQLServer', N'LoginMode'", connection); |
There was a problem hiding this comment.
Wow that works on a Linux SQL Server?
There was a problem hiding this comment.
Yes - SQL Server's PAL virtualises this
| #nullable enable | ||
|
|
||
| [AttributeUsage(AttributeTargets.Method | AttributeTargets.Property, Inherited = false, AllowMultiple = true)] | ||
| internal sealed class MemberNotNullAttribute : Attribute |
There was a problem hiding this comment.
Can you document what this does, when it's used, and why we need it for .NET Framework?
paulmedynski
left a comment
paulmedynski
left a comment
There was a problem hiding this comment.
Whoops, forgot to choose Request changes.
github-project-automation
Bot
moved this from In review
to Waiting for customer
in SqlClient Board
Head branch was pushed to by a user without write access
Description
SqlBulkCopy has traditionally only normally required SELECT and INSERT permissions over the table being copied to (src). However, recent additions to the class also required SELECT permissions over the
[sys].[all_columns]metadata view. These permissions are present by default but are sometimes removed as part of SQL Server hardening.This change to the permissions contract was unintentional, the failure of SqlBulkCopy in least-privilege environments which only grant SELECT & INSERT permissions was a bug. This PR resolves the bug by guarding all access to the metadata view behind a simple
HAS_PERMS_BY_NAMEcheck.As a result of this change, least-privilege environments will be unable to use the newer features introduced in #3677 and #3590. I think this is unavoidable - there's no way to implement the features safely without access to the metadata view.
HAS_PERMS_BY_NAMEis documented here as being supported in SQL Server, Azure SQL, managed instances and Fabric. It doesn't document support for two platforms: Azure Synapse Analytics, and APS/PDW. However, other documentation confirms that Azure Synapse Serverless pools support this function, and testing against a dedicated pool confirms that this does too. Furthermore, the APS/PDW 2016 release notes explicitly document the introduction of this function.I've chosen to use this approach because wrapping metadata access in a
TRY/CATCHblock won't work - whenXACT_ABORTis enabled, even a caught exception will result in the wrapping transaction being doomed, and Synapse doesn't allow this option to be temporarily turned off.Issues
Fixes #4293.
Testing
Existing SqlBulkCopy tests continue to pass. I've added two new tests which build a low-privileged environment, then run a bulk copy inside it. They verify that the copy succeeds, but also that the newer alias-based functionality is unavailable.
As part of this, I've added
ServerLoginandDatabaseUserprimitives. The latter primitive highlighted the need for some form of state (the database in which we create the user) to be made available at the point of creation, so I've added this.This widened test infrastructure and more complex testing accounts for about 3/4 of the changes in this PR.
Could someone start a CI run please?