
Ensure No Users Have Wildcard Hostnames

Description

MySQL identifies an account by a user name and a host, written '<user_name>'@'<host>'. The host part may contain wildcards, so privileges granted on a specific database can end up available to that user from any connecting host rather than from a known one.

Rationale

Avoiding wildcards within hostnames restricts the locations from which a given user may connect to and interact with the database, so that a leaked password is only usable from the expected client addresses.

For example, granting privileges to '<user_name>'@'%' allows <user_name> to connect to the database from any remote host. This is also the host MySQL assigns when the host part of an account name is omitted in CREATE USER or GRANT.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                     Value
secureclouddb/provider  aws
secureclouddb/service   rds
secureclouddb/engine    mysql

Default Rule

const { isEmptyArray } = module

/**
 * Default rule: passes when no user account in the mysql.user snapshot has
 * the unrestricted wildcard host '%'. The comparison is an exact match, so
 * partial patterns such as '192.168.%' are not flagged by this rule.
 *
 * @param {Object} databaseSettings - database settings object
 * @returns {{success: boolean}} success is true if no user has a wildcard hostname
 */
function validate(databaseSettings) {

  let success = true;
  if (databaseSettings && !isEmptyArray(databaseSettings.users)) {

    // look for users whose mysql.user snapshot row has the wildcard host '%'
    const wildcardHostNames = databaseSettings.users.filter(user => user.mysql &&
                                                        user.mysql.usersTableSnapshot &&
                                                        user.mysql.usersTableSnapshot.host === '%')

    success = isEmptyArray(wildcardHostNames)
  }

  return {
      success,
  }
}

// invoke
validate(databaseSettings);
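The following is an added example, not part of the page or of SecureCloudDB's rule code. It runs the same check over rows shaped like the (User, Host) columns of mysql.user and goes beyond the rule above in two ways: a strict mode also flags partial patterns such as '10.0.%' (MySQL treats '%' and '_' in a Host value as LIKE-style wildcards), and it produces the RENAME USER statement that moves an account to a specific host while keeping its privileges. The sample rows are constructed; treating a blank Host value as unrestricted is an assumption made here so that such rows are surfaced for review.

```javascript
// Added example: classify MySQL account hosts and flag wildcard use.
// Rows mirror the result of:  SELECT User, Host FROM mysql.user;
// The rows below are constructed sample data, not a real snapshot.
const SAMPLE_USERS = [
  { user: 'admin',     host: 'localhost' },
  { user: 'app',       host: '10.0.1.25' },
  { user: 'reporting', host: '%' },              // unrestricted
  { user: 'etl',       host: '10.0.%' },         // subnet-style pattern
  { user: 'legacy',    host: '' },               // blank: assumed unrestricted (see note)
  { user: 'batch',     host: '%.corp.example' }, // suffix pattern
];

// Classify a single Host value:
//   'any'      -> '%' matches every client; a blank value is treated the same
//                 here because an omitted host defaults to '%' in CREATE USER/GRANT
//                 (assumption for blank snapshot rows: flag them for review)
//   'pattern'  -> contains a LIKE-style wildcard ('%' or '_') somewhere
//   'specific' -> a literal host name, address, or address/netmask
function classifyHost(host) {
  const h = typeof host === 'string' ? host.trim() : '';
  if (h === '' || h === '%') return 'any';
  if (h.includes('%') || h.includes('_')) return 'pattern';
  return 'specific';
}

// Return every account whose host is not a specific, literal value.
function findWildcardAccounts(users) {
  return users
    .map(u => ({ user: u.user, host: u.host, kind: classifyHost(u.host) }))
    .filter(r => r.kind !== 'specific');
}

// The rule check: success only if no account has a wildcard host.
// strict=false reproduces the page's rule (only an unrestricted host fails);
// strict=true also fails on partial patterns such as '10.0.%'.
function validateNoWildcardHosts(users, strict = true) {
  const findings = findWildcardAccounts(users)
    .filter(r => strict || r.kind === 'any');
  return { success: findings.length === 0, findings };
}

// Remediation: RENAME USER changes the host part of an account name and the
// privileges follow the account, so nothing has to be re-granted.
function remediationSql(user, host, newHost) {
  const q = s => `'${String(s).replace(/'/g, "''")}'`;
  return `RENAME USER ${q(user)}@${q(host)} TO ${q(user)}@${q(newHost)};`;
}

// Usage: report findings and a remediation statement for each.
const result = validateNoWildcardHosts(SAMPLE_USERS, true);
for (const f of result.findings) {
  console.log(`${f.user}@'${f.host}' (${f.kind}) -> ` +
              remediationSql(f.user, f.host, '<specific host>'));
}
```

Run the strict mode against a snapshot first to see the full picture, then decide per account whether a partial pattern is acceptable for that client population; an unrestricted '%' host should always be replaced.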