Vitess security audit
can. VTAdmin consists of two components: 1. A web interface - VTAdmin-web 2. A server - VTAdmin-api The web interface connects to the server which in turn forwards the authentication plugin, VTAdmin-api adds it as a middleware at the http mux layer. VTAdmin-api does this in vitess/go/vt/vtadmin/api.go, when the routes are initialized: First VTAdmin-api checks if the user has o/vt/vtadmin/api.go#L755 func (api *API) GetClusters(ctx context.Context, req *vtadminpb.GetClustersRequest) (*vtadminpb.GetClustersResponse, error) { span, _ := trace.NewSpan(ctx, "API.GetClusters")
0 points | 41 pages | 1.10 MB | 1 year ago

The Vitess 11.0 Documentation
... Extending the Vindex API ... VStream API and Resharding ... API & usage ...
0 points | 481 pages | 3.14 MB | 1 year ago

The Vitess 10.0 Documentation
... VStream API and Resharding ... API & usage ... different transactions (pre and post). ### Extending the Vindex API Apart from the pre and post-transaction changes, we’ll need to extend the vindex API: A Vindex will export an optional SetOwnerColumns function
0 points | 455 pages | 3.07 MB | 1 year ago

The Vitess 6.0 Documentation
... Vitess API Reference ... v3 API (alpha) ... use the following URLs: vtctld: http://localhost:8001/api/v1/namespaces/default/services/vtctld:web/proxy/app/ vtgate: http://localhost:8001/api/v1/namespaces/default/services/vtgate-zone1:web/proxy/
0 points | 210 pages | 846.79 KB | 1 year ago

The Vitess 9.0 Documentation
... API & usage ... different transactions (pre and post). ### Extending the Vindex API Apart from the pre and post-transaction changes, we’ll need to extend the vindex API: A Vindex will export an optional SetOwnerColumns function Solution In order to support the new use cases, the following changes can be made: 1. Extend the Vindex API where a vindex can export a MapNew function. This function will generate a keyspace ID. 2. Allow owned
0 points | 417 pages | 2.96 MB | 1 year ago

The Vitess 12.0 Documentation
... Extending the Vindex API ... VStream API and Resharding ... API & usage ...
0 points | 534 pages | 3.32 MB | 1 year ago

The Vitess 7.0 Documentation
use the following URLs: vtctld: http://localhost:8001/api/v1/namespaces/default/services/vtctld:web/proxy/app/ vtgate: http://localhost:8001/api/v1/namespaces/default/services/vtgate-zone1:web/proxy/ shards while requesting messages. This is useful for partitioning or load balancing. The MessageStream API allows you to specify these constraints. The request parameters are as follows: • Name: Name of the Acknowledging messages A received (or processed) message can be acknowledged using the MessageAck API call. This call accepts the following parameters: • Name: Name of the message table. • Keyspace:
0 points | 254 pages | 949.63 KB | 1 year ago

The Vitess 5.0 Documentation
... Vitess API Reference ... v3 API (alpha) ... shards while requesting messages. This is useful for partitioning or load balancing. The MessageStream API allows you to specify these constraints. The request parameters are as follows: • Name: Name of the
0 points | 206 pages | 875.06 KB | 1 year ago

The Vitess 8.0 Documentation
... API & usage ... use the following URLs: vtctld: http://localhost:8001/api/v1/namespaces/default/services/vtctld:web/proxy/app/ vtgate: http://localhost:8001/api/v1/namespaces/default/services/vtgate-zone1:web/proxy/ shards while requesting messages. This is useful for partitioning or load balancing. The MessageStream API allows you to specify these constraints. The request parameters are as follows: • Name: Name of the
0 points | 331 pages | 1.35 MB | 1 year ago

Pentest-Report Vitess 02.2019
initial phase (Phase 1) mostly comprised manual source code reviews, in particular in terms of the API endpoints, input handlers and parsers. The review carried out during Phase 1 aimed at spotting insecure otherwise indicated with a specific link to a finding. • A comprehensive list of all accessible API endpoints was enumerated and checked for visible defects. This entailed the functionality exposed would be ExecuteHook. This item was analyzed in depth to see if it is by any means possible to inject API commands. The overarching goal was clearly to achieve injection of the OS-level commands. The filter
0 points | 9 pages | 155.02 KB | 1 year ago
10 results in total