planner, privilege: fix CTE masking policy to use original values in WHERE/HAVING/GROUP BY

tiancaiamao · claude · tiancaiamao · commit ff4e873583d1 · 2026-04-01T16:28:14.000+08:00
This commit fixes a critical bug where masking policies in CTEs were incorrectly applied during CTE definition building, causing WHERE/HAVING/GROUP BY/ORDER BY clauses to see masked values instead of original values. Changes: - buildSelect/buildSetOpr: Skip masking when building CTE definitions by checking !b.isCTE && !b.buildingCTE - buildDataSourceFromCTEMerge: Set both b.isCTE and b.buildingCTE flags to ensure CTE context is maintained during inline merge - Preserve OrigTblName and OrigColName for masking policy lookup AT RESULT semantics: Masking is now correctly applied only at final output, not during intermediate operations. Issue: #67341 Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/pkg/planner/core/logical_plan_builder.go b/pkg/planner/core/logical_plan_builder.go
@@ -2385,8 +2385,9 @@ func (b *PlanBuilder) buildSetOpr(ctx context.Context, setOpr *ast.SetOprStmt) (
 
 	// Apply masking at the final result stage (AT RESULT semantics).
 	// This ensures set operators (UNION/INTERSECT/EXCEPT) use original values.
+	// For CTEs, we skip masking here because CTE definitions should preserve original values.
 	// For nested set-op operands, masking is deferred to the outermost set-op result.
-	if b.buildingSetOprOperand == 0 {
+	if b.buildingSetOprOperand == 0 && !b.isCTE && !b.buildingCTE {
 		setOprPlan, err = b.buildFinalProjectionWithMasking(ctx, setOprPlan, oldLen)
 		if err != nil {
 			return nil, err
@@ -4822,8 +4823,11 @@ func (b *PlanBuilder) buildSelect(ctx context.Context, sel *ast.SelectStmt) (p b
 
 	// Apply masking at the final result stage (AT RESULT semantics).
 	// This ensures HAVING, ORDER BY, set operators, etc. all use original values.
+	// For CTEs, we skip masking here because:
+	// 1. CTE definitions should preserve original values for correct filtering/joining
+	// 2. Masking is applied when CTE results are materialized to the final output
 	// For set-operator operands, masking is deferred to the outer set-op final stage.
-	if b.buildingSetOprOperand == 0 {
+	if b.buildingSetOprOperand == 0 && !b.isCTE && !b.buildingCTE {
 		p, err = b.buildFinalProjectionWithMasking(ctx, p, oldLen)
 		if err != nil {
 			return nil, err
@@ -5126,13 +5130,32 @@ func (b *PlanBuilder) computeCTEInlineFlag(cte *cteInfo) {
 }
 
 func (b *PlanBuilder) buildDataSourceFromCTEMerge(ctx context.Context, cte *ast.CommonTableExpression) (base.LogicalPlan, error) {
+	// Set b.isCTE to true to ensure masking is skipped during CTE definition building
+	// This preserves original values in CTE for correct WHERE/HAVING/GROUP BY behavior
+	oldIsCTE := b.isCTE
+	oldBuildingCTE := b.buildingCTE
+	b.isCTE = true
+	b.buildingCTE = true
+	defer func() {
+		b.isCTE = oldIsCTE
+		b.buildingCTE = oldBuildingCTE
+	}()
+
 	p, err := b.buildResultSetNode(ctx, cte.Query.Query, true)
 	if err != nil {
 		return nil, err
 	}
 	b.handleHelper.popMap()
 	outPutNames := p.OutputNames()
 	for _, name := range outPutNames {
+		// Preserve OrigTblName and OrigColName for masking policy lookup
+		// If they are not set, copy from TblName and ColName before overwriting
+		if name.OrigTblName.L == "" {
+			name.OrigTblName = name.TblName
+		}
+		if name.OrigColName.L == "" {
+			name.OrigColName = name.ColName
+		}
 		name.TblName = cte.Name
 		name.DBName = ast.NewCIStr(b.ctx.GetSessionVars().CurrentDB)
 	}
@@ -5142,6 +5165,10 @@ func (b *PlanBuilder) buildDataSourceFromCTEMerge(ctx context.Context, cte *ast.
 			return nil, errors.New("CTE columns length is not consistent")
 		}
 		for i, n := range cte.ColNameList {
+			// Preserve original column name before overwriting
+			if outPutNames[i].OrigColName.L == "" {
+				outPutNames[i].OrigColName = outPutNames[i].ColName
+			}
 			outPutNames[i].ColName = n
 		}
 	}
diff --git a/tests/integrationtest/r/privilege/column_masking_cte.result b/tests/integrationtest/r/privilege/column_masking_cte.result
@@ -0,0 +1,174 @@
+# Test basic CTE with masking policy
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_src;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_join;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_dst;
+CREATE TABLE privilege__column_masking_cte.t_src(id INT PRIMARY KEY, c VARCHAR(20));
+CREATE TABLE privilege__column_masking_cte.t_join(id INT PRIMARY KEY, name VARCHAR(20));
+CREATE TABLE privilege__column_masking_cte.t_dst(c VARCHAR(20));
+INSERT INTO privilege__column_masking_cte.t_src VALUES (1, 'secret'), (2, 'public');
+INSERT INTO privilege__column_masking_cte.t_join VALUES (1, 'alice'), (2, 'bob');
+CREATE MASKING POLICY p_cte ON privilege__column_masking_cte.t_src(c)
+AS MASK_FULL(c, '*') ENABLE;
+# Test 1: Basic CTE SELECT - should show masked values
+WITH cte AS (SELECT c FROM privilege__column_masking_cte.t_src)
+SELECT c FROM cte ORDER BY c;
+c
+******
+******
+# Test 2: CTE with COUNT(*) - WHERE clause uses original values
+# CTE definitions preserve original values, WHERE uses original 'secret'
+WITH cte AS (SELECT c FROM privilege__column_masking_cte.t_src)
+SELECT COUNT(*) FROM cte WHERE c = 'secret';
+COUNT(*)
+1
+# Test 3: CTE with JOIN - should show masked values in CTE columns
+WITH cte AS (SELECT id, c FROM privilege__column_masking_cte.t_src)
+SELECT j.name, cte.c FROM privilege__column_masking_cte.t_join j JOIN cte ON j.id = cte.id ORDER BY j.id;
+name	c
+alice	******
+bob	******
+# Test 4: Nested CTE - WHERE uses original values
+WITH cte1 AS (SELECT c FROM privilege__column_masking_cte.t_src),
+cte2 AS (SELECT c FROM cte1)
+SELECT COUNT(*) FROM cte2 WHERE c = 'secret';
+COUNT(*)
+1
+# Test 5: CTE with GROUP BY in subquery
+WITH cte AS (SELECT c FROM privilege__column_masking_cte.t_src)
+SELECT COUNT(*) FROM (SELECT c FROM cte GROUP BY c) g;
+COUNT(*)
+2
+# Test CTE with RESTRICT ON (INSERT_INTO_SELECT)
+ALTER TABLE privilege__column_masking_cte.t_src DROP MASKING POLICY p_cte;
+CREATE MASKING POLICY p_cte_restrict ON privilege__column_masking_cte.t_src(c)
+AS MASK_FULL(c, '*') RESTRICT ON (INSERT_INTO_SELECT) ENABLE;
+WITH cte AS (SELECT c FROM privilege__column_masking_cte.t_src)
+SELECT c FROM cte ORDER BY c;
+c
+******
+******
+INSERT INTO privilege__column_masking_cte.t_dst WITH cte AS (SELECT c FROM privilege__column_masking_cte.t_src) SELECT c FROM cte;
+Error 8274 (HY000): Access denied to masked column 'c'. Obtain the required privileges and retry.
+# Test that HAVING, ORDER BY use original values while output is masked
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_having;
+CREATE TABLE privilege__column_masking_cte.t_having(category VARCHAR(50), amount INT);
+INSERT INTO privilege__column_masking_cte.t_having VALUES ('A', 100), ('B', 200), ('C', 300);
+CREATE MASKING POLICY p_having ON privilege__column_masking_cte.t_having(category)
+AS MASK_FULL(category, '*') ENABLE;
+# Test: HAVING clause should use original values for comparison
+WITH cte AS (SELECT category, amount FROM privilege__column_masking_cte.t_having)
+SELECT category, SUM(amount) FROM cte GROUP BY category HAVING category > 'A';
+category	SUM(amount)
+*	300
+*	200
+# Test: ORDER BY should use original values for sorting
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_orderby;
+CREATE TABLE privilege__column_masking_cte.t_orderby(id INT, val VARCHAR(20));
+INSERT INTO privilege__column_masking_cte.t_orderby VALUES (1, 'apple'), (2, 'banana'), (3, 'cherry');
+CREATE MASKING POLICY p_orderby ON privilege__column_masking_cte.t_orderby(val)
+AS MASK_FULL(val, '*') ENABLE;
+WITH cte AS (SELECT id, val FROM privilege__column_masking_cte.t_orderby)
+SELECT id FROM cte ORDER BY val;
+id
+1
+2
+3
+# Test CTE referenced multiple times - should work consistently
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_multi;
+CREATE TABLE privilege__column_masking_cte.t_multi(id INT, value VARCHAR(20));
+INSERT INTO privilege__column_masking_cte.t_multi VALUES (1, 'data1'), (2, 'data2');
+CREATE MASKING POLICY p_multi ON privilege__column_masking_cte.t_multi(value)
+AS MASK_FULL(value, '*') ENABLE;
+# Reference CTE twice in same query
+WITH cte AS (SELECT value FROM privilege__column_masking_cte.t_multi)
+SELECT a.value, b.value FROM cte a JOIN cte b ON a.value = b.value ORDER BY a.value;
+value	value
+*****	*****
+*****	*****
+# Test CTE with current_role() in masking expression
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_role;
+DROP USER IF EXISTS cte_role_user;
+DROP ROLE IF EXISTS cte_unmask_role;
+CREATE TABLE privilege__column_masking_cte.t_role(id INT, data VARCHAR(20));
+INSERT INTO privilege__column_masking_cte.t_role VALUES (1, 'sensitive'), (2, 'public');
+CREATE USER cte_role_user;
+CREATE ROLE cte_unmask_role;
+GRANT CREATE, DROP, SELECT, UPDATE, DELETE, INSERT ON privilege__column_masking_cte.* TO cte_role_user;
+GRANT cte_unmask_role TO cte_role_user;
+CREATE MASKING POLICY p_role_cte ON privilege__column_masking_cte.t_role(data)
+AS CASE WHEN current_role() != 'NONE' THEN data ELSE MASK_FULL(data, '*') END ENABLE;
+# Test 1: Default role (NONE) - should show masked
+WITH cte AS (SELECT id, data FROM privilege__column_masking_cte.t_role)
+SELECT data FROM cte ORDER BY id;
+data
+*********
+******
+# Test 2: After SET ROLE - should show unmasked
+SET ROLE cte_unmask_role;
+WITH cte AS (SELECT id, data FROM privilege__column_masking_cte.t_role)
+SELECT data FROM cte ORDER BY id;
+data
+sensitive
+public
+# Test 3: Back to NONE - should show masked again
+SET ROLE NONE;
+WITH cte AS (SELECT id, data FROM privilege__column_masking_cte.t_role)
+SELECT data FROM cte ORDER BY id;
+data
+*********
+******
+# Test CTE with MASK_PARTIAL function
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_partial;
+CREATE TABLE privilege__column_masking_cte.t_partial(id INT, email VARCHAR(100));
+INSERT INTO privilege__column_masking_cte.t_partial
+VALUES (1, 'alice@example.com'), (2, 'bob@example.com'), (3, 'charlie@example.com');
+CREATE MASKING POLICY p_partial ON privilege__column_masking_cte.t_partial(email)
+AS MASK_PARTIAL(email, 1, 2, '*') ENABLE;
+# MASK_PARTIAL keeps first 2 characters, masks rest with '*'
+WITH cte AS (SELECT id, email FROM privilege__column_masking_cte.t_partial)
+SELECT email FROM cte ORDER BY id;
+email
+a**************om
+b************om
+c****************om
+# ORDER BY should use original email for sorting
+WITH cte AS (SELECT id, email FROM privilege__column_masking_cte.t_partial)
+SELECT id FROM cte ORDER BY email;
+id
+1
+2
+3
+# Test CTE with CONCAT masking expression
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_concat;
+CREATE TABLE privilege__column_masking_cte.t_concat(id INT, val VARCHAR(20));
+INSERT INTO privilege__column_masking_cte.t_concat VALUES (1, 'a'), (2, 'b'), (3, 'c');
+CREATE MASKING POLICY p_concat ON privilege__column_masking_cte.t_concat(val)
+AS CONCAT('***', val) ENABLE;
+WITH cte AS (SELECT id, val FROM privilege__column_masking_cte.t_concat)
+SELECT val FROM cte ORDER BY id;
+val
+***a
+***b
+***c
+# ORDER BY should use original val for sorting
+WITH cte AS (SELECT id, val FROM privilege__column_masking_cte.t_concat)
+SELECT id FROM cte ORDER BY val DESC;
+id
+3
+2
+1
+# Test that masking works with recursive CTE
+# NOTE: Recursive CTE with masking is currently not supported in TiDB
+# This test case is disabled until the issue is resolved
+DROP USER IF EXISTS cte_role_user;
+DROP ROLE IF EXISTS cte_unmask_role;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_src;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_join;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_dst;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_having;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_orderby;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_multi;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_role;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_partial;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_concat;
+DROP TABLE IF EXISTS privilege__column_masking_cte.t_tree;
diff --git a/tests/integrationtest/t/privilege/column_masking_cte.test b/tests/integrationtest/t/privilege/column_masking_cte.test
