Make infromation schema tables readonly

Author: JanJakes

tests/WP_SQLite_Driver_Tests.php

@@ -3931,4 +3931,49 @@ public function getReservedPrefixTestData(): array {
 			),
 		);
 	}
+
+	/**
+	 * @dataProvider getInformationSchemaIsReadonlyTestData
+	 */
+	public function testInformationSchemaIsReadonly( string $query ): void {
+		$this->assertQuery( 'CREATE TABLE t1 (id INT)' );
+		$this->expectException( WP_SQLite_Driver_Exception::class );
+		$this->expectExceptionMessage( "Access denied for user 'sqlite'@'%' to database 'information_schema'" );
+		$this->assertQuery( $query );
+	}
+
+	public function getInformationSchemaIsReadonlyTestData(): array {
+		return array(
+			array( 'INSERT INTO information_schema.tables (table_name) VALUES ("t")' ),
+			array( 'UPDATE information_schema.tables SET table_name = "new_t" WHERE table_name = "t"' ),
+			array( 'DELETE FROM information_schema.tables WHERE table_name = "t"' ),
+			array( 'CREATE TABLE information_schema.new_table (id INT)' ),
+			array( 'ALTER TABLE information_schema.tables ADD COLUMN new_column INT' ),
+			array( 'DROP TABLE information_schema.tables' ),
+			array( 'TRUNCATE information_schema.tables' ),
+		);
+	}
+
+	/**
+	 * @dataProvider getInformationSchemaIsReadonlyWithUseTestData
+	 */
+	public function testInformationSchemaIsReadonlyWithUse( string $query ): void {
+		$this->assertQuery( 'CREATE TABLE t1 (id INT)' );
+		$this->expectException( WP_SQLite_Driver_Exception::class );
+		$this->expectExceptionMessage( "Access denied for user 'sqlite'@'%' to database 'information_schema'" );
+		$this->assertQuery( 'USE information_schema' );
+		$this->assertQuery( $query );
+	}
+
+	public function getInformationSchemaIsReadonlyWithUseTestData(): array {
+		return array(
+			array( 'INSERT INTO tables (table_name) VALUES ("t")' ),
+			array( 'UPDATE tables SET table_name = "new_t" WHERE table_name = "t"' ),
+			array( 'DELETE FROM tables WHERE table_name = "t"' ),
+			array( 'CREATE TABLE new_table (id INT)' ),
+			array( 'ALTER TABLE tables ADD COLUMN new_column INT' ),
+			array( 'DROP TABLE tables' ),
+			array( 'TRUNCATE tables' ),
+		);
+	}
 }

wp-includes/sqlite-ast/class-wp-sqlite-driver.php

@@ -306,6 +306,13 @@ class WP_SQLite_Driver {
 	 */
 	private $last_sql_calc_found_rows = null;
 
+	/**
+	 * Whether the current MySQL query is read-only.
+	 *
+	 * @var bool
+	 */
+	private $is_readonly;
+
 	/**
 	 * Transaction nesting level of the executed SQLite queries.
 	 *
@@ -703,6 +710,7 @@ private function execute_mysql_query( WP_Parser_Node $node ): void {
 		$node = $children[0]->get_first_child_node();
 		switch ( $node->rule_name ) {
 			case 'selectStatement':
+				$this->is_readonly = true;
 				$this->execute_select_statement( $node );
 				break;
 			case 'insertStatement':
@@ -778,12 +786,14 @@ private function execute_mysql_query( WP_Parser_Node $node ): void {
 				$this->last_result = 0;
 				break;
 			case 'showStatement':
+				$this->is_readonly = true;
 				$this->execute_show_statement( $node );
 				break;
 			case 'utilityStatement':
 				$subtree = $node->get_first_child_node();
 				switch ( $subtree->rule_name ) {
 					case 'describeStatement':
+						$this->is_readonly = true;
 						$this->execute_describe_statement( $subtree );
 						break;
 					case 'useCommand':
@@ -2084,6 +2094,24 @@ private function translate_qualified_identifier(
 			}
 		}
 
+		/*
+		 * Make the 'information_schema' database read-only.
+		 *
+		 * This basic approach is rather restrictive, as it blocks the usage
+		 * of information schema tables in all data-modifying statements.
+		 *
+		 * Some of these statements can be valid, when the schema is only read:
+		 *   DELETE t FROM t JOIN information_schema.columns c ON ...
+		 *
+		 * If needed, a more granular approach can be implemented in the future.
+		 */
+		if ( true === $is_information_schema && false === $this->is_readonly ) {
+			throw $this->new_driver_exception(
+				"Access denied for user 'sqlite'@'%' to database 'information_schema'",
+				'42000'
+			);
+		}
+
 		// Database-level object name (table, view, procedure, trigger, etc.).
 		if ( null !== $object_node ) {
 			if ( $is_information_schema ) {
@@ -2937,6 +2965,7 @@ private function flush(): void {
 		$this->last_sqlite_queries = array();
 		$this->last_result         = null;
 		$this->last_return_value   = null;
+		$this->is_readonly         = false;
 	}
 
 	/**