Fix bug and add regression tests

edwardneal · edwardneal · commit 9e71953bdf48 · 2026-05-24T13:37:33.000+01:00
Fix bug by checking HAS_PERMS_BY_NAME over the sys.all_columns view.
This is safe on all supported platforms (including Synapse Analytics dedicated and shared pools - documentation is inconsistent.)

Regression tests create a low-privileged login and user in on-premise environments, then use those credentials to perform a SqlBulkCopy.
diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlBulkCopy.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlBulkCopy.cs
@@ -477,11 +477,12 @@ private string CreateInitialQuery()
             }
             else if (!string.IsNullOrEmpty(CatalogName))
             {
-                CatalogName = SqlServerEscapeHelper.EscapeStringAsLiteral(SqlServerEscapeHelper.EscapeIdentifier(CatalogName));
+                CatalogName = SqlServerEscapeHelper.EscapeIdentifier(CatalogName);
             }
 
             string objectName = ADP.BuildMultiPartName(parts);
             string escapedObjectName = SqlServerEscapeHelper.EscapeStringAsLiteral(objectName);
+            string catalogNameStringLiteral = CatalogName is null ? null : SqlServerEscapeHelper.EscapeStringAsLiteral(CatalogName);
             // Specify the column names explicitly. This is to ensure that we can map to hidden
             // columns (e.g. columns in temporal tables.) If the target table doesn't exist,
             // OBJECT_ID will return NULL and @Column_Names will remain non-null. The subsequent
@@ -526,6 +527,11 @@ private string CreateInitialQuery()
             // we use STRING_AGG in that case and the COALESCE method otherwise.
             //
             // See: https://learn.microsoft.com/en-us/sql/t-sql/functions/serverproperty-transact-sql
+            //
+            // All of this is wrapped in an test against HAS_PERMS_BY_NAME. This test verifies that
+            // the user possesses the necessary permissions to access sys.all_columns. If they do not
+            // @Column_Names will remain NULL (and be coalesced to *) and SqlBulkCopy will degrade
+            // gracefully, silently dropping support for hidden columns and column aliases.
             return $"""
 SELECT @@TRANCOUNT;
 
@@ -535,6 +541,7 @@ private string CreateInitialQuery()
 DECLARE @Column_Name_Query_SORT NVARCHAR(MAX);
 DECLARE @Column_Name_Query NVARCHAR(MAX);
 DECLARE @Column_Names NVARCHAR(MAX) = NULL;
+DECLARE @Has_Permissions INT = HAS_PERMS_BY_NAME('{catalogNameStringLiteral}.[sys].[all_columns]', 'OBJECT', 'SELECT');
 
 CREATE TABLE #Column_Aliases
 (
@@ -554,28 +561,35 @@ IF CAST(SERVERPROPERTY('EngineEdition') AS INT) = 6
     SET @Column_Name_Query_SORT = N'ORDER BY [column_id] ASC';
 END
 
-IF EXISTS (SELECT TOP 1 * FROM sys.all_columns WHERE [object_id] = OBJECT_ID('sys.all_columns') AND [name] = 'graph_type')
-BEGIN
-    SET @Column_Name_Query_FILTER = N'WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) NOT IN (1, 3, 4, 6, 7)';
-
-    EXEC sp_executesql N'
-    INSERT INTO #Column_Aliases ([Canonical_Column_Name], [Canonical_Column_Id], [Aliased_Column_Name])
-        SELECT [name], [column_id], ''$to_id'' FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 8
-    UNION ALL
-        SELECT [name], [column_id], ''$from_id'' FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 5
-    UNION ALL
-        SELECT [name], [column_id], ''$edge_id'' FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 2 AND [name] LIKE ''$edge[_]id[_]%''
-    UNION ALL
-        SELECT [name], [column_id], ''$node_id'' FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 2 AND [name] LIKE ''$node[_]id[_]%''',
-    N'@Object_ID INT', @Object_ID = @Object_ID
-END
-ELSE
+IF @Has_Permissions = 1
 BEGIN
-    SET @Column_Name_Query_FILTER = N'WHERE [object_id] = @Object_ID';
+    IF EXISTS (SELECT TOP 1 * FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = OBJECT_ID('{catalogNameStringLiteral}.[sys].[all_columns]') AND [name] = 'graph_type')
+    BEGIN
+        SET @Column_Name_Query_FILTER = N'WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) NOT IN (1, 3, 4, 6, 7)';
+
+        EXEC sp_executesql N'
+        INSERT INTO #Column_Aliases ([Canonical_Column_Name], [Canonical_Column_Id], [Aliased_Column_Name])
+            SELECT [name], [column_id], ''$to_id'' FROM {catalogNameStringLiteral}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 8
+        UNION ALL
+            SELECT [name], [column_id], ''$from_id'' FROM {catalogNameStringLiteral}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 5
+        UNION ALL
+            SELECT [name], [column_id], ''$edge_id'' FROM {catalogNameStringLiteral}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 2 AND [name] LIKE ''$edge[_]id[_]%''
+        UNION ALL
+            SELECT [name], [column_id], ''$node_id'' FROM {catalogNameStringLiteral}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) = 2 AND [name] LIKE ''$node[_]id[_]%''',
+        N'@Object_ID INT', @Object_ID = @Object_ID
+    END
+    ELSE
+    BEGIN
+        SET @Column_Name_Query_FILTER = N'WHERE [object_id] = @Object_ID';
+    END
+    SET @Column_Name_Query = @Column_Name_Query_SELECT + ' FROM {catalogNameStringLiteral}.[sys].[all_columns] ' + @Column_Name_Query_FILTER + ' ' + @Column_Name_Query_SORT + ';'
+
+    EXEC sp_executesql @Column_Name_Query, N'@Object_ID INT, @Column_Names NVARCHAR(MAX) OUTPUT', @Object_ID = @Object_ID, @Column_Names = @Column_Names OUTPUT;
+
+    DELETE FROM #Column_Aliases
+    WHERE [Aliased_Column_Name] IN (SELECT [name] FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID)
 END
-SET @Column_Name_Query = @Column_Name_Query_SELECT + ' FROM {CatalogName}.[sys].[all_columns] ' + @Column_Name_Query_FILTER + ' ' + @Column_Name_Query_SORT + ';'
 
-EXEC sp_executesql @Column_Name_Query, N'@Object_ID INT, @Column_Names NVARCHAR(MAX) OUTPUT', @Object_ID = @Object_ID, @Column_Names = @Column_Names OUTPUT;
 SELECT @Column_Names = COALESCE(@Column_Names, '*');
 
 SET FMTONLY ON;
@@ -586,7 +600,6 @@ UNION ALL
 
 SELECT [Canonical_Column_Name], [Aliased_Column_Name]
 FROM #Column_Aliases
-WHERE [Aliased_Column_Name] NOT IN (SELECT [name] FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID)
 ORDER BY [Canonical_Column_Id] ASC
 
 DROP TABLE #Column_Aliases
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/Extensions/CodeAnalysis.netfx.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/Extensions/CodeAnalysis.netfx.cs
@@ -0,0 +1,20 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+#if NETFRAMEWORK
+
+namespace System.Diagnostics.CodeAnalysis;
+
+#nullable enable
+
+[AttributeUsage(AttributeTargets.Method | AttributeTargets.Property, Inherited = false, AllowMultiple = true)]
+internal sealed class MemberNotNullAttribute : Attribute
+{
+    public MemberNotNullAttribute(string member) => Members = [member];
+
+    public MemberNotNullAttribute(params string[] members) => Members = members;
+
+    public string[] Members { get; }
+}
+#endif
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTests.csproj b/src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTests.csproj
@@ -45,6 +45,7 @@
     <Compile Include="DataCommon\SystemDataResourceManager.cs" />
     <Compile Include="DataCommon\UsernamePasswordProvider.cs" />
     <Compile Include="DataCommon\XEventScope.cs" />
+    <Compile Include="Extensions\CodeAnalysis.netfx.cs" />
     <Compile Include="Extensions\StreamExtensions.netfx.cs" />
     <Compile Include="SQL\Common\AsyncDebugScope.cs" />
     <Compile Include="SQL\Common\ConnectionPoolWrapper.cs" />
@@ -57,6 +58,7 @@
     <Compile Include="SQL\Common\SystemDataInternals\FedAuthTokenHelper.cs" />
     <Compile Include="SQL\Common\SystemDataInternals\TdsParserHelper.cs" />
     <Compile Include="SQL\Common\SystemDataInternals\TdsParserStateObjectHelper.cs" />
+    <Compile Include="SQL\SqlBulkCopyTest\UnprivilegedLogin.cs" />
     <Compile Include="XUnitAssemblyAttributes.cs" />
 
     <!-- Content files -->
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/SqlBulkCopyTest/CopyAllFromReader.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/SqlBulkCopyTest/CopyAllFromReader.cs
@@ -40,10 +40,10 @@ public static void Test(string srcConstr, string dstConstr, string dstTable)
                         using (DbDataReader reader = srcCmd.ExecuteReader())
                         {
                             IDictionary stats;
-                            long expectedIduCount = DataTestUtility.IsAzureSynapse || DataTestUtility.IsAtLeastSQL2017() ? 1 : 0;
-                            long expectedSelectCount = DataTestUtility.IsAzureSynapse ? 4 : 12;
-                            long expectedSelectRows = DataTestUtility.IsAzureSynapse ? 4 : 14;
-                            long expectedTransactions = DataTestUtility.IsAzureSynapse || DataTestUtility.IsAtLeastSQL2017() ? 1 : 0;
+                            long expectedIduCount = DataTestUtility.IsAzureSynapse || DataTestUtility.IsAtLeastSQL2017() ? 2 : 0;
+                            long expectedSelectCount = DataTestUtility.IsAzureSynapse ? 4 : 13;
+                            long expectedSelectRows = DataTestUtility.IsAzureSynapse ? 4 : 15;
+                            long expectedTransactions = DataTestUtility.IsAzureSynapse || DataTestUtility.IsAtLeastSQL2017() ? 2 : 0;
                             using (SqlBulkCopy bulkcopy = new SqlBulkCopy(dstConn))
                             {
                                 bulkcopy.DestinationTableName = dstTable;
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/SqlBulkCopyTest/UnprivilegedLogin.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/SqlBulkCopyTest/UnprivilegedLogin.cs
@@ -0,0 +1,198 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.Data;
+using System.Diagnostics.CodeAnalysis;
+using System.Runtime.CompilerServices;
+using Microsoft.Data.SqlClient.Tests.Common.Fixtures.DatabaseObjects;
+using Xunit;
+
+namespace Microsoft.Data.SqlClient.ManualTesting.Tests.SqlBulkCopyTests;
+
+#nullable enable
+
+/// <summary>
+/// Some unprivileged users may not have permissions to query sys.all_columns, which is used to
+/// handle column aliases. These tests verify that bulk copy operations can handle such situations
+/// gracefully, falling back and ignoring column aliases.
+/// </summary>
+public sealed class UnprivilegedLogin : IDisposable
+{
+    private readonly SqlConnection? _managementConnection;
+    private readonly ServerLogin? _unprivilegedLogin;
+    private readonly DatabaseUser? _unprivilegedMasterUser;
+    private readonly DatabaseUser? _unprivilegedAppUser;
+
+    private readonly string? _unprivilegedConnectionString;
+
+    public static bool CanRunTests =>
+        DataTestUtility.AreConnStringsSetup() && DataTestUtility.IsNotAzureServer()
+            && DataTestUtility.CanCreateLogins && DataTestUtility.CanUseSqlAuthentication;
+
+    public UnprivilegedLogin()
+    {
+        // xUnit will instantiate the class before evaluating the test condition - make sure that we don't
+        // attempt to make use of these capabilities if the server doesn't support them.
+        // This has the expected nullability implications, so AssertEnvironmentCreated needs to be called
+        // before any test logic. The compiler asserts these for us.
+        if (!CanRunTests)
+        {
+            return;
+        }
+
+        // We require two connections: a "management" connection which has permissions to create logins,
+        // create users and modify permissions; and an "unprivileged" connection, which is used to perform
+        // the actual tests. The user associated with the latter connection will be denied SELECT permissions
+        // over master.sys.all_columns.
+        _managementConnection = new SqlConnection(DataTestUtility.TCPConnectionString);
+        _managementConnection.Open();
+
+        _unprivilegedLogin = new ServerLogin(_managementConnection, nameof(UnprivilegedLogin), _managementConnection.Database);
+        _unprivilegedAppUser = new DatabaseUser(_managementConnection, _managementConnection.Database, _unprivilegedLogin);
+        _unprivilegedMasterUser = new DatabaseUser(_managementConnection, "master", _unprivilegedLogin);
+
+        using (SqlCommand permissionsModificationCommand = _managementConnection.CreateCommand())
+        {
+            permissionsModificationCommand.CommandText = $"DENY SELECT ON [master].[sys].[all_columns] TO {_unprivilegedMasterUser.Name}";
+            permissionsModificationCommand.ExecuteNonQuery();
+
+            permissionsModificationCommand.CommandText = $"DENY SELECT ON [{_managementConnection.Database}].[sys].[all_columns] TO {_unprivilegedMasterUser.Name}";
+            permissionsModificationCommand.ExecuteNonQuery();
+        }
+
+        SqlConnectionStringBuilder tcpConnectionBuilder = new(DataTestUtility.TCPConnectionString)
+        {
+            IntegratedSecurity = false,
+            UserID = _unprivilegedLogin.UnescapedName,
+            Password = _unprivilegedLogin.Password,
+            // Disable connection pooling - we'll be dropping this login once the tests complete, and this can only happen once all connections
+            // using it are closed.
+            Pooling = false
+        };
+
+        _unprivilegedConnectionString = tcpConnectionBuilder.ConnectionString;
+    }
+
+    /// <summary>
+    /// This method enables nullability assertions to operate as expected. It'll always pass if CanRunTests is
+    /// true - the constructor will have initialized the relevant fields.
+    /// </summary>
+    [MemberNotNull(nameof(_managementConnection),
+        nameof(_unprivilegedLogin),
+        nameof(_unprivilegedMasterUser),
+        nameof(_unprivilegedAppUser),
+        nameof(_unprivilegedConnectionString))]
+    private void AssertEnvironmentCreated()
+    {
+        Assert.NotNull(_managementConnection);
+        Assert.NotNull(_unprivilegedLogin);
+        Assert.NotNull(_unprivilegedMasterUser);
+        Assert.NotNull(_unprivilegedAppUser);
+        Assert.NotNull(_unprivilegedConnectionString);
+    }
+
+    /// <summary>
+    /// Verifies that a bulk copy operation succeeds when performed by a user with only SELECT and INSERT permissions,
+    /// without requiring access to metadata views.
+    /// </summary>
+    [ConditionalFact(nameof(CanRunTests))]
+    public void BulkCopyWithoutMetadataPermission_Succeeds()
+    {
+        AssertEnvironmentCreated();
+
+        using DataTable srcDataTable = new()
+        {
+            Columns = { new DataColumn("Description", typeof(string)) }
+        };
+        using Table dstTable = new(_managementConnection, nameof(BulkCopyWithoutMetadataPermission_Succeeds), "([Description] VARCHAR(100))");
+        using (SqlCommand permissionsConfigurationCommand = new($"GRANT SELECT, INSERT ON {dstTable.Name} TO {_unprivilegedAppUser.Name}", _managementConnection))
+        {
+            permissionsConfigurationCommand.ExecuteNonQuery();
+        }
+
+        using SqlBulkCopy nodeCopy = new(_unprivilegedConnectionString);
+
+        for (int i = 0; i < 5; i++)
+        {
+            srcDataTable.Rows.Add($"Description {i}");
+        }
+
+        nodeCopy.DestinationTableName = dstTable.Name;
+        nodeCopy.ColumnMappings.Add("Description", "Description");
+        nodeCopy.WriteToServer(srcDataTable);
+    }
+
+    [ConditionalFact(nameof(CanRunTests))]
+    public void BulkCopyWithoutMetadataPermission_FailsWhenUsingAliases()
+    {
+        AssertEnvironmentCreated();
+
+        using DataTable edges = new DataTable()
+        {
+            Columns = { new DataColumn("To_ID", typeof(string)), new DataColumn("From_ID", typeof(string)), new DataColumn("Description", typeof(string)) }
+        };
+
+        // Use the management connection to create the source and the destination tables, grant the
+        // unprivileged user permissions over them and insert some sample data into the source table.
+        using Table srcNodeTable = new(_managementConnection, nameof(BulkCopyWithoutMetadataPermission_FailsWhenUsingAliases), "([Name] VARCHAR(100)) AS NODE");
+        using Table dstEdgeTable = new(_managementConnection, nameof(BulkCopyWithoutMetadataPermission_FailsWhenUsingAliases), "([Description] VARCHAR(100)) AS EDGE");
+        using (SqlCommand permissionsConfigurationCommand = _managementConnection.CreateCommand())
+        {
+            permissionsConfigurationCommand.CommandText = $"GRANT SELECT, INSERT ON {srcNodeTable.Name} TO {_unprivilegedAppUser.Name}";
+            permissionsConfigurationCommand.ExecuteNonQuery();
+
+            permissionsConfigurationCommand.CommandText = $"GRANT SELECT, INSERT ON {dstEdgeTable.Name} TO {_unprivilegedAppUser.Name}";
+            permissionsConfigurationCommand.ExecuteNonQuery();
+        }
+
+        string sampleNodeDataCommand = @$"INSERT INTO {srcNodeTable.Name} ([Name]) SELECT LEFT([name], 100) FROM sys.sysobjects";
+        using (SqlCommand insertSampleNodes = new(sampleNodeDataCommand, _managementConnection))
+        {
+            insertSampleNodes.ExecuteNonQuery();
+        }
+
+        using (SqlCommand nodeQuery = new($"SELECT $node_id FROM {srcNodeTable.Name}", _managementConnection))
+        using (SqlDataReader reader = nodeQuery.ExecuteReader())
+        {
+            bool firstRead = reader.Read();
+            string toId;
+            string fromId;
+
+            Assert.True(firstRead);
+            toId = reader.GetString(0);
+
+            while (reader.Read())
+            {
+                fromId = reader.GetString(0);
+
+                edges.Rows.Add(toId, fromId, "Test Description");
+                toId = fromId;
+            }
+        }
+
+        // With all source data populated, try to use the unprivileged connection to perform a bulk copy
+        // using aliases in the column mappings. This should fail - the permissions error will be caught,
+        // and SqlBulkCopy should simply report that the destination column doesn't exist.
+        using SqlBulkCopy edgeCopy = new(_unprivilegedConnectionString);
+
+        edgeCopy.DestinationTableName = dstEdgeTable.Name;
+        edgeCopy.ColumnMappings.Add("To_ID", "$to_id");
+        edgeCopy.ColumnMappings.Add("From_ID", "$from_id");
+        edgeCopy.ColumnMappings.Add("Description", "Description");
+
+        Action failingEdgeCopy = () => edgeCopy.WriteToServer(edges);
+        InvalidOperationException missingColumnException = Assert.Throws<InvalidOperationException>(failingEdgeCopy);
+
+        Assert.Contains("'$to_id,$from_id'", missingColumnException.Message);
+    }
+
+    public void Dispose()
+    {
+        _unprivilegedAppUser?.Dispose();
+        _unprivilegedMasterUser?.Dispose();
+        _unprivilegedLogin?.Dispose();
+        _managementConnection?.Dispose();
+    }
+}
