osquery-1/osquery/sql/sql.cpp

/*
 *  Copyright (c) 2014-present, Facebook, Inc.
 *  All rights reserved.
 *
 *  This source code is licensed under the BSD-style license found in the
 *  LICENSE file in the root directory of this source tree. An additional grant
 *  of patent rights can be found in the PATENTS file in the same directory.
 *
 */

#include <sstream>

#include <osquery/core.h>
#include <osquery/logger.h>
#include <osquery/registry.h>
#include <osquery/sql.h>
#include <osquery/tables.h>

#include "osquery/core/conversions.h"

namespace osquery {

FLAG(int32, value_max, 512, "Maximum returned row value size");

CREATE_LAZY_REGISTRY(SQLPlugin, "sql");

SQL::SQL(const std::string& q) {
  TableColumns table_columns;
  q_ = q;
  status_ = getQueryColumns(q_, table_columns);
  if (status_.ok()) {
    for (auto c : table_columns) {
      columns_.push_back(std::get<0>(c));
    }
    status_ = query(q_, results_);
  }
}

const QueryData& SQL::rows() const {
  return results_;
}

const ColumnNames& SQL::columns() {
  return columns_;
}

bool SQL::ok() {
  return status_.ok();
}

const Status& SQL::getStatus() const {
  return status_;
}

std::string SQL::getMessageString() {
  return status_.toString();
}

static inline void escapeNonPrintableBytes(std::string& data) {
  std::string escaped;
  // clang-format off
  char const hex_chars[16] = {
    '0', '1', '2', '3', '4', '5', '6', '7',
    '8', '9', 'A', 'B', 'C', 'D', 'E', 'F',
  };
  // clang-format on

  bool needs_replacement = false;
  for (size_t i = 0; i < data.length(); i++) {
    if (((unsigned char)data[i]) < 0x20 || ((unsigned char)data[i]) >= 0x80) {
      needs_replacement = true;
      escaped += "\\x";
      escaped += hex_chars[(((unsigned char)data[i])) >> 4];
      escaped += hex_chars[((unsigned char)data[i] & 0x0F) >> 0];
    } else {
      escaped += data[i];
    }
  }

  // Only replace if any escapes were made.
  if (needs_replacement) {
    data = std::move(escaped);
  }
}

void escapeNonPrintableBytesEx(std::string& data) {
  return escapeNonPrintableBytes(data);
}

void SQL::escapeResults() {
  for (auto& row : results_) {
    for (auto& column : row) {
      escapeNonPrintableBytes(column.second);
    }
  }
}

QueryData SQL::selectAllFrom(const std::string& table) {
  PluginResponse response;
  Registry::call("table", table, {{"action", "generate"}}, response);
  return response;
}

QueryData SQL::selectAllFrom(const std::string& table,
                             const std::string& column,
                             ConstraintOperator op,
                             const std::string& expr) {
  PluginRequest request = {{"action", "generate"}};
  {
    // Create a fake content, there will be no caching.
    QueryContext ctx;
    ctx.constraints[column].add(Constraint(op, expr));
    TablePlugin::setRequestFromContext(ctx, request);
  }

  PluginResponse response;
  Registry::call("table", table, request, response);
  return response;
}

Status SQLPlugin::call(const PluginRequest& request, PluginResponse& response) {
  response.clear();
  if (request.count("action") == 0) {
    return Status(1, "SQL plugin must include a request action");
  }

  if (request.at("action") == "query") {
    return this->query(request.at("query"), response);
  } else if (request.at("action") == "columns") {
    TableColumns columns;
    auto status = this->getQueryColumns(request.at("query"), columns);
    // Convert columns to response
    for (const auto& column : columns) {
      response.push_back(
          {{"n", std::get<0>(column)},
           {"t", columnTypeName(std::get<1>(column))},
           {"o", INTEGER(static_cast<size_t>(std::get<2>(column)))}});
    }
    return status;
  } else if (request.at("action") == "attach") {
    // Attach a virtual table name using an optional included definition.
    return this->attach(request.at("table"));
  } else if (request.at("action") == "detach") {
    this->detach(request.at("table"));
    return Status(0, "OK");
  } else if (request.at("action") == "tables") {
    std::vector<std::string> tables;
    auto status = this->getQueryTables(request.at("query"), tables);
    if (status.ok()) {
      for (const auto& table : tables) {
        response.push_back({{"t", table}});
      }
    }
    return status;
  }
  return Status(1, "Unknown action");
}

Status query(const std::string& q, QueryData& results) {
  return Registry::call(
      "sql", "sql", {{"action", "query"}, {"query", q}}, results);
}

Status getQueryColumns(const std::string& q, TableColumns& columns) {
  PluginResponse response;
  auto status = Registry::call(
      "sql", "sql", {{"action", "columns"}, {"query", q}}, response);

  // Convert response to columns
  for (const auto& item : response) {
    columns.push_back(make_tuple(
        item.at("n"), columnTypeName(item.at("t")), ColumnOptions::DEFAULT));
  }
  return status;
}

Status mockGetQueryTables(std::string copy_q,
                          std::vector<std::string>& tables) {
  std::transform(copy_q.begin(), copy_q.end(), copy_q.begin(), ::tolower);
  auto offset_from = copy_q.find("from ");
  if (offset_from == std::string::npos) {
    return Status(1);
  }

  auto simple_tables = osquery::split(copy_q.substr(offset_from + 5), ",");
  for (const auto& table : simple_tables) {
    tables.push_back(table);
  }
  return Status(0);
}

Status getQueryTables(const std::string& q, std::vector<std::string>& tables) {
  if (!Registry::get().exists("sql", "sql") && kToolType == ToolType::TEST) {
    // We 'mock' this functionality for internal tests.
    return mockGetQueryTables(q, tables);
  }

  PluginResponse response;
  auto status = Registry::call(
      "sql", "sql", {{"action", "tables"}, {"query", q}}, response);

  for (const auto& table : response) {
    tables.push_back(table.at("t"));
  }
  return status;
}
}
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`/*`
[osquery] Update copyright headers to new format. 2016-02-11 19:48:58 +00:00			`* Copyright (c) 2014-present, Facebook, Inc.`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`* All rights reserved.`
			`*`
			`* This source code is licensed under the BSD-style license found in the`
			`* LICENSE file in the root directory of this source tree. An additional grant`
			`* of patent rights can be found in the PATENTS file in the same directory.`
			`*`
			`*/`

			`#include <sstream>`

			`#include <osquery/core.h>`
			`#include <osquery/logger.h>`
Introduce table 'attributes' (#2431) 2016-08-31 22:32:20 +00:00			`#include <osquery/registry.h>`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`#include <osquery/sql.h>`
			`#include <osquery/tables.h>`

events: Inspect schedule and improve tests (#3087) 2017-03-21 05:03:09 +00:00			`#include "osquery/core/conversions.h"`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`namespace osquery {`

Speed up shell and add max value size 2015-03-18 19:01:58 +00:00			`FLAG(int32, value_max, 512, "Maximum returned row value size");`

Simplify Registry and plugin concepts (#2887) 2017-01-07 20:21:35 +00:00			`CREATE_LAZY_REGISTRY(SQLPlugin, "sql");`

Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`SQL::SQL(const std::string& q) {`
Fix column order and repeated columns in distributed query (#2926) 2017-01-21 06:52:47 +00:00			`TableColumns table_columns;`
			`q_ = q;`
			`status_ = getQueryColumns(q_, table_columns);`
			`if (status_.ok()) {`
			`for (auto c : table_columns) {`
			`columns_.push_back(std::get<0>(c));`
			`}`
			`status_ = query(q_, results_);`
			`}`
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`const QueryData& SQL::rows() const {`
			`return results_;`
			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00
Fix column order and repeated columns in distributed query (#2926) 2017-01-21 06:52:47 +00:00			`const ColumnNames& SQL::columns() {`
			`return columns_;`
			`}`

Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`bool SQL::ok() {`
			`return status_.ok();`
			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`const Status& SQL::getStatus() const {`
			`return status_;`
			`}`
POC for client side of distributed queries. This introduces the notion of a DistributedQueryHandler that uses a "provider" to read/write requests and results to and from the master. The full flow is exercised via integration tests, and unit tests for each component. It is intended to foster discussion around this client side interface, as well as provide a base to build from. 2015-01-23 22:52:07 +00:00
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`std::string SQL::getMessageString() {`
			`return status_.toString();`
			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`static inline void escapeNonPrintableBytes(std::string& data) {`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`std::string escaped;`
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`// clang-format off`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`char const hex_chars[16] = {`
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`'0', '1', '2', '3', '4', '5', '6', '7',`
			`'8', '9', 'A', 'B', 'C', 'D', 'E', 'F',`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`};`
Add clang-format rules from 3.6 (#2360) 2016-08-15 08:33:17 +00:00			`// clang-format on`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00
			`bool needs_replacement = false;`
			`for (size_t i = 0; i < data.length(); i++) {`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`if (((unsigned char)data[i]) < 0x20 \|\| ((unsigned char)data[i]) >= 0x80) {`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`needs_replacement = true;`
			`escaped += "\\x";`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`escaped += hex_chars[(((unsigned char)data[i])) >> 4];`
			`escaped += hex_chars[((unsigned char)data[i] & 0x0F) >> 0];`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`} else {`
			`escaped += data[i];`
			`}`
			`}`

			`// Only replace if any escapes were made.`
			`if (needs_replacement) {`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`data = std::move(escaped);`
Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`}`
			`}`

[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`void escapeNonPrintableBytesEx(std::string& data) {`
			`return escapeNonPrintableBytes(data);`
			`}`

Attempt to improve DB/query performance 2015-11-02 08:46:04 +00:00			`void SQL::escapeResults() {`
			`for (auto& row : results_) {`
			`for (auto& column : row) {`
			`escapeNonPrintableBytes(column.second);`
			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`}`
			`}`

			`QueryData SQL::selectAllFrom(const std::string& table) {`
Harden watcher for more perf, use exec and watch from worker 2015-02-06 17:42:03 +00:00			`PluginResponse response;`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`Registry::call("table", table, {{"action", "generate"}}, response);`
Harden watcher for more perf, use exec and watch from worker 2015-02-06 17:42:03 +00:00			`return response;`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`}`

			`QueryData SQL::selectAllFrom(const std::string& table,`
			`const std::string& column,`
Minify tables namespace, extra CMake macros 2015-05-20 20:27:53 +00:00			`ConstraintOperator op,`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`const std::string& expr) {`
Harden watcher for more perf, use exec and watch from worker 2015-02-06 17:42:03 +00:00			`PluginRequest request = {{"action", "generate"}};`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`{`
Introduce within-query caching (#2077) This adds a new optimization feature that allows expensive tables to cache their results between JOINs. Consider JOINing a list of open sockets, for each process, then requesting to hash each process path. This query may hash the same path multiple times. Within-query caching allows the hash table to respond with the previous result of the hash request as long as the requested computation was the result of a single query. Subsequent queries will perform subsequent hashing. 2016-05-09 17:32:33 +00:00			`// Create a fake content, there will be no caching.`
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`QueryContext ctx;`
			`ctx.constraints[column].add(Constraint(op, expr));`
			`TablePlugin::setRequestFromContext(ctx, request);`
			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00
[#1816] Refactor DB instance management 2016-02-25 01:58:58 +00:00			`PluginResponse response;`
Harden watcher for more perf, use exec and watch from worker 2015-02-06 17:42:03 +00:00			`Registry::call("table", table, request, response);`
			`return response;`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`}`

Extensions integrations testing 2015-02-19 23:19:00 +00:00			`Status SQLPlugin::call(const PluginRequest& request, PluginResponse& response) {`
			`response.clear();`
			`if (request.count("action") == 0) {`
			`return Status(1, "SQL plugin must include a request action");`
			`}`

			`if (request.at("action") == "query") {`
			`return this->query(request.at("query"), response);`
			`} else if (request.at("action") == "columns") {`
Minify tables namespace, extra CMake macros 2015-05-20 20:27:53 +00:00			`TableColumns columns;`
Extensions integrations testing 2015-02-19 23:19:00 +00:00			`auto status = this->getQueryColumns(request.at("query"), columns);`
			`// Convert columns to response`
			`for (const auto& column : columns) {`
Introduce table 'attributes' (#2431) 2016-08-31 22:32:20 +00:00			`response.push_back(`
			`{{"n", std::get<0>(column)},`
			`{"t", columnTypeName(std::get<1>(column))},`
			`{"o", INTEGER(static_cast<size_t>(std::get<2>(column)))}});`
Extensions integrations testing 2015-02-19 23:19:00 +00:00			`}`
			`return status;`
Allow external calls from within registry 2015-02-23 05:56:52 +00:00			`} else if (request.at("action") == "attach") {`
			`// Attach a virtual table name using an optional included definition.`
			`return this->attach(request.at("table"));`
			`} else if (request.at("action") == "detach") {`
			`this->detach(request.at("table"));`
			`return Status(0, "OK");`
Add getQueryTables to inspect tables scanned (#3056) 2017-03-16 01:48:01 +00:00			`} else if (request.at("action") == "tables") {`
			`std::vector<std::string> tables;`
			`auto status = this->getQueryTables(request.at("query"), tables);`
			`if (status.ok()) {`
			`for (const auto& table : tables) {`
			`response.push_back({{"t", table}});`
			`}`
			`}`
			`return status;`
Extensions integrations testing 2015-02-19 23:19:00 +00:00			`}`
			`return Status(1, "Unknown action");`
			`}`

Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`Status query(const std::string& q, QueryData& results) {`
Extensions integrations testing 2015-02-19 23:19:00 +00:00			`return Registry::call(`
			`"sql", "sql", {{"action", "query"}, {"query", q}}, results);`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`}`

Minify tables namespace, extra CMake macros 2015-05-20 20:27:53 +00:00			`Status getQueryColumns(const std::string& q, TableColumns& columns) {`
Extensions integrations testing 2015-02-19 23:19:00 +00:00			`PluginResponse response;`
			`auto status = Registry::call(`
			`"sql", "sql", {{"action", "columns"}, {"query", q}}, response);`

			`// Convert response to columns`
			`for (const auto& item : response) {`
Introduce table 'attributes' (#2431) 2016-08-31 22:32:20 +00:00			`columns.push_back(make_tuple(`
			`item.at("n"), columnTypeName(item.at("t")), ColumnOptions::DEFAULT));`
Extensions integrations testing 2015-02-19 23:19:00 +00:00			`}`
			`return status;`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`}`
Add getQueryTables to inspect tables scanned (#3056) 2017-03-16 01:48:01 +00:00
events: Inspect schedule and improve tests (#3087) 2017-03-21 05:03:09 +00:00			`Status mockGetQueryTables(std::string copy_q,`
			`std::vector<std::string>& tables) {`
			`std::transform(copy_q.begin(), copy_q.end(), copy_q.begin(), ::tolower);`
			`auto offset_from = copy_q.find("from ");`
			`if (offset_from == std::string::npos) {`
			`return Status(1);`
			`}`

			`auto simple_tables = osquery::split(copy_q.substr(offset_from + 5), ",");`
			`for (const auto& table : simple_tables) {`
			`tables.push_back(table);`
			`}`
			`return Status(0);`
			`}`

Add getQueryTables to inspect tables scanned (#3056) 2017-03-16 01:48:01 +00:00			`Status getQueryTables(const std::string& q, std::vector<std::string>& tables) {`
events: Inspect schedule and improve tests (#3087) 2017-03-21 05:03:09 +00:00			`if (!Registry::get().exists("sql", "sql") && kToolType == ToolType::TEST) {`
			`// We 'mock' this functionality for internal tests.`
			`return mockGetQueryTables(q, tables);`
			`}`

Add getQueryTables to inspect tables scanned (#3056) 2017-03-16 01:48:01 +00:00			`PluginResponse response;`
			`auto status = Registry::call(`
			`"sql", "sql", {{"action", "tables"}, {"query", q}}, response);`
events: Inspect schedule and improve tests (#3087) 2017-03-21 05:03:09 +00:00
Add getQueryTables to inspect tables scanned (#3056) 2017-03-16 01:48:01 +00:00			`for (const auto& table : response) {`
			`tables.push_back(table.at("t"));`
			`}`
			`return status;`
			`}`
Organizing headers/build for SDK 2015-02-03 05:21:36 +00:00			`}`