*: don't use DSN to avoid some security problems

[lance6716]

Signed-off-by: lance6716 lance6716@gmail.com

What problem does this PR solve?

Issue Number: close #38541

--- copied from #37489 ---

Problem Summary:

TiDB uses Go MySQL Driver for connecting to MySQL servers. The Data Source Name (DSN) strings for describing database connections is not neutralized so they can escape and add new parameters to use as data source name.

What is changed and how it works?

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

Fix the issue of arbitrary file read via data source name injection (CVE-2022-3023).

[ti-chi-bot]

[REVIEW NOTIFICATION]

This pull request has been approved by:

• kennytm
• lichunzhu

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

[lance6716]

@dwisiswant0 ptal. I didn't change some binaries that are only used in tests.

[lance6716]

/cc @kennytm

not sure if you have interest in this problem

[lance6716]

PTAL @dwisiswant0

[dwisiswant0]

LGTM, @lance6716. I can confirm it can't be reproduced anymore.

[mysql] 2022/10/12 15:43:04 packets.go:37: unexpected EOF
[2022/10/12 15:43:04.800 +07:00] [FATAL] [main.go:85] ["local file '/etc/passwd' is not registered"] [stack="main.main\n\t/tmp/tidb/cmd/importer/main.go:85\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250"]

[lance6716]

/cc @lichunzhu

ptal

[lichunzhu]

LGTM

[lance6716]

/merge

[ti-chi-bot]

This pull request has been accepted and is ready to merge.

Commit hash: f1fb540

[niubell]

LGTM

[lance6716]

/run-mysql-test
/run-check_dev_2

[sre-bot]

TiDB MergeCI notify

🔴 Bad News! [2] CI still failing after this pr merged.
These failed integration tests don't seem to be introduced by the current PR.

CI Name	Result	Duration	Compare with Parent commit
idc-jenkins-ci-tidb/integration-ddl-test	🔴 failed 1, success 5, total 6	28 min	Existing failure
idc-jenkins-ci-tidb/integration-common-test	🔴 failed 2, success 15, total 17	10 min	Existing failure
idc-jenkins-ci/integration-cdc-test	🟢 all 38 tests passed	22 min	Existing passed
idc-jenkins-ci-tidb/common-test	🟢 all 11 tests passed	8 min 44 sec	Existing passed
idc-jenkins-ci-tidb/tics-test	🟢 all 1 tests passed	5 min 41 sec	Existing passed
idc-jenkins-ci-tidb/sqllogic-test-2	🟢 all 28 tests passed	4 min 35 sec	Existing passed
idc-jenkins-ci-tidb/sqllogic-test-1	🟢 all 26 tests passed	4 min 20 sec	Existing passed
idc-jenkins-ci-tidb/mybatis-test	🟢 all 1 tests passed	3 min 0 sec	Existing passed
idc-jenkins-ci-tidb/integration-compatibility-test	🟢 all 1 tests passed	2 min 34 sec	Existing passed
idc-jenkins-ci-tidb/plugin-test	🟢 build success, plugin test success	4min	Existing passed

[lance6716]

/run-cherry-picker

[lance6716]

/run-cherry-picker

[ti-chi-bot]

In response to a cherrypick label: new pull request created: #38542.

[ti-chi-bot]

In response to a cherrypick label: new pull request created: #38543.

[dwisiswant0]

Since it's already rolled out. Can you please give an update on 120f1346-e958-49d0-b66c-0f889a469540? Thanks.