microsoft
diff --git a/‎SPECS/vitess/CVE-2026-27965.patch‎
Lines changed: 298 additions & 0 deletions b/‎SPECS/vitess/CVE-2026-27965.patch‎
Lines changed: 298 additions & 0 deletions
@@ -0,0 +1,298 @@
+From 4c0173293907af9cb942a6683c465c3f1e9fdb5c Mon Sep 17 00:00:00 2001
+From: Tim Vaillancourt <tim@timvaillancourt.com>
+Date: Tue, 24 Feb 2026 20:21:37 +0100
+Subject: [PATCH] Restore: make loading compressor commands from `MANIFEST`
+ opt-in (#19460)
+
+Signed-off-by: Tim Vaillancourt <tim@timvaillancourt.com>
+Co-authored-by: Mohamed Hamza <mhamza@fastmail.com>
+
+Upstream Patch reference: https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c.patch
+---
+ go/flags/endtoend/vtbackup.txt                |  1 +
+ go/flags/endtoend/vtcombo.txt                 |  1 +
+ go/flags/endtoend/vttablet.txt                |  1 +
+ go/flags/endtoend/vttestserver.txt            |  1 +
+ .../backup/vtctlbackup/backup_test.go         |  1 +
+ .../backup/vtctlbackup/backup_utils.go        |  4 +
+ .../backup/xtrabackup/xtrabackup_test.go      |  1 +
+ go/vt/mysqlctl/builtinbackupengine.go         |  5 +-
+ go/vt/mysqlctl/compression.go                 | 18 +++-
+ .../compression_external_decompressor_test.go | 93 +++++++++++++++++++
+ go/vt/mysqlctl/xtrabackupengine.go            |  5 +-
+ 11 files changed, 122 insertions(+), 9 deletions(-)
+ create mode 100644 go/vt/mysqlctl/compression_external_decompressor_test.go
+
+diff --git a/go/flags/endtoend/vtbackup.txt b/go/flags/endtoend/vtbackup.txt
+index 002f4af..a2bc014 100644
+--- a/go/flags/endtoend/vtbackup.txt
++++ b/go/flags/endtoend/vtbackup.txt
+@@ -124,6 +124,7 @@ Flags:
+       --emit_stats                                                  If set, emit stats to push-based monitoring and stats backends
+       --external-compressor string                                  command with arguments to use when compressing a backup.
+       --external-compressor-extension string                        extension to use when using an external compressor.
++      --external-decompressor-use-manifest                          allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --external-decompressor string                                command with arguments to use when decompressing a backup.
+       --file_backup_storage_root string                             Root directory for the file backup storage.
+       --gcs_backup_storage_bucket string                            Google Cloud Storage bucket to use for backups.
+diff --git a/go/flags/endtoend/vtcombo.txt b/go/flags/endtoend/vtcombo.txt
+index 8b62d4e..a8c9ace 100644
+--- a/go/flags/endtoend/vtcombo.txt
++++ b/go/flags/endtoend/vtcombo.txt
+@@ -135,6 +135,7 @@ Flags:
+       --external-compressor string                                       command with arguments to use when compressing a backup.
+       --external-compressor-extension string                             extension to use when using an external compressor.
+       --external-decompressor string                                     command with arguments to use when decompressing a backup.
++      --external-decompressor-use-manifest                               allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --external_topo_server                                             Should vtcombo use an external topology server instead of starting its own in-memory topology server. If true, vtcombo will use the flags defined in topo/server.go to open topo server
+       --foreign_key_mode string                                          This is to provide how to handle foreign key constraint in create/alter table. Valid values are: allow, disallow (default "allow")
+       --gate_query_cache_memory int                                      gate server query cache size in bytes, maximum amount of memory to be cached. vtgate analyzes every incoming query and generate a query plan, these plans are being cached in a lru cache. This config controls the capacity of the lru cache. (default 33554432)
+diff --git a/go/flags/endtoend/vttablet.txt b/go/flags/endtoend/vttablet.txt
+index 7eae51c..a87c0c0 100644
+--- a/go/flags/endtoend/vttablet.txt
++++ b/go/flags/endtoend/vttablet.txt
+@@ -159,6 +159,7 @@ Flags:
+       --external-compressor string                                       command with arguments to use when compressing a backup.
+       --external-compressor-extension string                             extension to use when using an external compressor.
+       --external-decompressor string                                     command with arguments to use when decompressing a backup.
++      --external-decompressor-use-manifest                               allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --file_backup_storage_root string                                  Root directory for the file backup storage.
+       --filecustomrules string                                           file based custom rule path
+       --filecustomrules_watch                                            set up a watch on the target file and reload query rules when it changes
+diff --git a/go/flags/endtoend/vttestserver.txt b/go/flags/endtoend/vttestserver.txt
+index 72d9d0b..f0803ba 100644
+--- a/go/flags/endtoend/vttestserver.txt
++++ b/go/flags/endtoend/vttestserver.txt
+@@ -39,6 +39,7 @@ Flags:
+       --external-compressor string                                       command with arguments to use when compressing a backup.
+       --external-compressor-extension string                             extension to use when using an external compressor.
+       --external-decompressor string                                     command with arguments to use when decompressing a backup.
++      --external-decompressor-use-manifest                               allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.
+       --external_topo_global_root string                                 the path of the global topology data in the global topology server for vtcombo process
+       --external_topo_global_server_address string                       the address of the global topology server for vtcombo process
+       --external_topo_implementation string                              the topology implementation to use for vtcombo process
+diff --git a/go/test/endtoend/backup/vtctlbackup/backup_test.go b/go/test/endtoend/backup/vtctlbackup/backup_test.go
+index 92c7a2f..154f2d1 100644
+--- a/go/test/endtoend/backup/vtctlbackup/backup_test.go
++++ b/go/test/endtoend/backup/vtctlbackup/backup_test.go
+@@ -57,6 +57,7 @@ func TestBuiltinBackupWithExternalZstdCompressionAndManifestedDecompressor(t *te
+ 		CompressorEngineName:            "external",
+ 		ExternalCompressorCmd:           "zstd",
+ 		ExternalCompressorExt:           ".zst",
++		ExternalDecompressorUseManifest: true,
+ 		ManifestExternalDecompressorCmd: "zstd -d",
+ 	}
+ 
+diff --git a/go/test/endtoend/backup/vtctlbackup/backup_utils.go b/go/test/endtoend/backup/vtctlbackup/backup_utils.go
+index a70d180..3823eef 100644
+--- a/go/test/endtoend/backup/vtctlbackup/backup_utils.go
++++ b/go/test/endtoend/backup/vtctlbackup/backup_utils.go
+@@ -97,6 +97,7 @@ type CompressionDetails struct {
+ 	ExternalCompressorCmd           string
+ 	ExternalCompressorExt           string
+ 	ExternalDecompressorCmd         string
++	ExternalDecompressorUseManifest bool
+ 	ManifestExternalDecompressorCmd string
+ }
+ 
+@@ -287,6 +288,9 @@ func getCompressorArgs(cDetails *CompressionDetails) []string {
+ 	if cDetails.ExternalDecompressorCmd != "" {
+ 		args = append(args, fmt.Sprintf("--external-decompressor=%s", cDetails.ExternalDecompressorCmd))
+ 	}
++	if cDetails.ExternalDecompressorUseManifest {
++		args = append(args, "--external-decompressor-use-manifest")
++	}
+ 	if cDetails.ManifestExternalDecompressorCmd != "" {
+ 		args = append(args, fmt.Sprintf("--manifest-external-decompressor=%s", cDetails.ManifestExternalDecompressorCmd))
+ 	}
+diff --git a/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go b/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go
+index 3402a17..e18f229 100644
+--- a/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go
++++ b/go/test/endtoend/backup/xtrabackup/xtrabackup_test.go
+@@ -59,6 +59,7 @@ func TestXtrabackupWithExternalZstdCompressionAndManifestedDecompressor(t *testi
+ 		CompressorEngineName:            "external",
+ 		ExternalCompressorCmd:           "zstd",
+ 		ExternalCompressorExt:           ".zst",
++		ExternalDecompressorUseManifest: true,
+ 		ManifestExternalDecompressorCmd: "zstd -d",
+ 	}
+ 
+diff --git a/go/vt/mysqlctl/builtinbackupengine.go b/go/vt/mysqlctl/builtinbackupengine.go
+index 94ed7bd..fcf7521 100644
+--- a/go/vt/mysqlctl/builtinbackupengine.go
++++ b/go/vt/mysqlctl/builtinbackupengine.go
+@@ -1120,10 +1120,7 @@ func (be *BuiltinBackupEngine) restoreFile(ctx context.Context, params RestorePa
+ 			// for backward compatibility
+ 			deCompressionEngine = PgzipCompressor
+ 		}
+-		externalDecompressorCmd := ExternalDecompressorCmd
+-		if externalDecompressorCmd == "" && bm.ExternalDecompressor != "" {
+-			externalDecompressorCmd = bm.ExternalDecompressor
+-		}
++		externalDecompressorCmd := resolveExternalDecompressor(bm.ExternalDecompressor)
+ 		if externalDecompressorCmd != "" {
+ 			if deCompressionEngine == ExternalCompressor {
+ 				deCompressionEngine = externalDecompressorCmd
+diff --git a/go/vt/mysqlctl/compression.go b/go/vt/mysqlctl/compression.go
+index c2d3cbb..5737b70 100644
+--- a/go/vt/mysqlctl/compression.go
++++ b/go/vt/mysqlctl/compression.go
+@@ -52,9 +52,10 @@ var (
+ 	ExternalCompressorCmd           string
+ 	ExternalCompressorExt           string
+ 	ExternalDecompressorCmd         string
++	ExternalDecompressorUseManifest bool
+ 	ManifestExternalDecompressorCmd string
+ 
+-	errUnsupportedDeCompressionEngine = errors.New("unsupported engine in MANIFEST. You need to provide --external-decompressor if using 'external' compression engine")
++	errUnsupportedDeCompressionEngine = errors.New("unsupported engine in MANIFEST. You need to provide --external-decompressor if using 'external' compression engine. Alternatively, set --external-decompressor-use-manifest to use the decompressor command from the backup manifest, but this is NOT RECOMMENDED as it is a security risk")
+ 	errUnsupportedCompressionEngine   = errors.New("unsupported engine value for --compression-engine-name. supported values are 'external', 'pgzip', 'pargzip', 'zstd', 'lz4'")
+ 
+ 	// this is used by getEngineFromExtension() to figure out which engine to use in case the user didn't specify
+@@ -77,6 +78,7 @@ func registerBackupCompressionFlags(fs *pflag.FlagSet) {
+ 	fs.StringVar(&ExternalCompressorCmd, "external-compressor", ExternalCompressorCmd, "command with arguments to use when compressing a backup.")
+ 	fs.StringVar(&ExternalCompressorExt, "external-compressor-extension", ExternalCompressorExt, "extension to use when using an external compressor.")
+ 	fs.StringVar(&ExternalDecompressorCmd, "external-decompressor", ExternalDecompressorCmd, "command with arguments to use when decompressing a backup.")
++	fs.BoolVar(&ExternalDecompressorUseManifest, "external-decompressor-use-manifest", ExternalDecompressorUseManifest, "allows the decompressor command stored in the backup manifest to be used at restore time. Enabling this is a security risk: an attacker with write access to the backup storage could modify the manifest to execute arbitrary commands on the tablet as the Vitess user. NOT RECOMMENDED.")
+ 	fs.StringVar(&ManifestExternalDecompressorCmd, "manifest-external-decompressor", ManifestExternalDecompressorCmd, "command with arguments to store in the backup manifest when compressing a backup with an external compression engine.")
+ }
+ 
+@@ -91,6 +93,20 @@ func getExtensionFromEngine(engine string) (string, error) {
+ 	return "", fmt.Errorf("%w %q", errUnsupportedCompressionEngine, engine)
+ }
+ 
++// resolveExternalDecompressor returns the external decompressor command to use
++// at restore time. The CLI flag (--external-decompressor) takes precedence. The
++// backup manifest value is only used when --external-decompressor-use-manifest
++// is explicitly set to true.
++func resolveExternalDecompressor(manifestDecompressor string) string {
++	if ExternalDecompressorCmd != "" {
++		return ExternalDecompressorCmd
++	}
++	if ExternalDecompressorUseManifest && manifestDecompressor != "" {
++		return manifestDecompressor
++	}
++	return ""
++}
++
+ // Validates if the external decompressor exists and return its path.
+ func validateExternalCmd(cmd string) (string, error) {
+ 	if cmd == "" {
+diff --git a/go/vt/mysqlctl/compression_external_decompressor_test.go b/go/vt/mysqlctl/compression_external_decompressor_test.go
+new file mode 100644
+index 0000000..fd4732a
+--- /dev/null
++++ b/go/vt/mysqlctl/compression_external_decompressor_test.go
+@@ -0,0 +1,93 @@
++/*
++Copyright 2026 The Vitess Authors.
++
++Licensed under the Apache License, Version 2.0 (the "License");
++you may not use this file except in compliance with the License.
++You may obtain a copy of the License at
++
++	http://www.apache.org/licenses/LICENSE-2.0
++
++Unless required by applicable law or agreed to in writing, software
++distributed under the License is distributed on an "AS IS" BASIS,
++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++See the License for the specific language governing permissions and
++limitations under the License.
++*/
++
++package mysqlctl
++
++import (
++	"testing"
++
++	"github.com/stretchr/testify/assert"
++)
++
++func TestResolveExternalDecompressor(t *testing.T) {
++	tests := []struct {
++		name                 string
++		cliDecompressorCmd   string
++		useManifest          bool
++		manifestDecompressor string
++		expected             string
++	}{
++		{
++			name:                 "CLI flag takes precedence over manifest",
++			cliDecompressorCmd:   "zstd -d",
++			useManifest:          true,
++			manifestDecompressor: "gzip -d",
++			expected:             "zstd -d",
++		},
++		{
++			name:                 "CLI flag takes precedence even when use-manifest is false",
++			cliDecompressorCmd:   "zstd -d",
++			useManifest:          false,
++			manifestDecompressor: "gzip -d",
++			expected:             "zstd -d",
++		},
++		{
++			name:                 "manifest used when use-manifest is true and no CLI flag",
++			cliDecompressorCmd:   "",
++			useManifest:          true,
++			manifestDecompressor: "gzip -d",
++			expected:             "gzip -d",
++		},
++		{
++			name:                 "manifest ignored when use-manifest is false",
++			cliDecompressorCmd:   "",
++			useManifest:          false,
++			manifestDecompressor: "gzip -d",
++			expected:             "",
++		},
++		{
++			name:                 "empty when nothing is set",
++			cliDecompressorCmd:   "",
++			useManifest:          false,
++			manifestDecompressor: "",
++			expected:             "",
++		},
++		{
++			name:                 "empty when use-manifest is true but manifest is empty",
++			cliDecompressorCmd:   "",
++			useManifest:          true,
++			manifestDecompressor: "",
++			expected:             "",
++		},
++	}
++
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			origCmd := ExternalDecompressorCmd
++			origAllow := ExternalDecompressorUseManifest
++			t.Cleanup(func() {
++				ExternalDecompressorCmd = origCmd
++				ExternalDecompressorUseManifest = origAllow
++			})
++
++			ExternalDecompressorCmd = tt.cliDecompressorCmd
++			ExternalDecompressorUseManifest = tt.useManifest
++
++			result := resolveExternalDecompressor(tt.manifestDecompressor)
++			assert.Equal(t, tt.expected, result)
++		})
++	}
++}
+diff --git a/go/vt/mysqlctl/xtrabackupengine.go b/go/vt/mysqlctl/xtrabackupengine.go
+index 3f8491f..7552a90 100644
+--- a/go/vt/mysqlctl/xtrabackupengine.go
++++ b/go/vt/mysqlctl/xtrabackupengine.go
+@@ -644,10 +644,7 @@ func (be *XtrabackupEngine) extractFiles(ctx context.Context, logger logutil.Log
+ 				// then we assign the default value of compressionEngine.
+ 				deCompressionEngine = PgzipCompressor
+ 			}
+-			externalDecompressorCmd := ExternalDecompressorCmd
+-			if externalDecompressorCmd == "" && bm.ExternalDecompressor != "" {
+-				externalDecompressorCmd = bm.ExternalDecompressor
+-			}
++			externalDecompressorCmd := resolveExternalDecompressor(bm.ExternalDecompressor)
+ 			if externalDecompressorCmd != "" {
+ 				if deCompressionEngine == ExternalCompressor {
+ 					deCompressionEngine = externalDecompressorCmd
+-- 
+2.43.0
+