Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'

local_infile flag controls LOAD DATA statement. The local version of this statement has potential security issues and therefore it should not be used. Setting local_infile database flag to off will explicitly cause the server to refuse LOAD DATA LOCAL command. For more information: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.02
Covered by Spectral: Yes
Category: Database


CloudSql where databaseVersion like 'mysql%' should have settings.databaseFlags contain [ name like 'local_infile' and value like 'off' ]


Attention! Doing the steps below will restart your machine.

From Portal

  1. Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
  2. Click Edit Configurations
  3. Under flags section, choose add flag, look for local_infile and choose value - off.
  4. Save and review your changes

From TF
Set the flag 'local_infile' to 'off':

resource 'google_sql_database_instance' 'default' {
	settings {
		database_flags {
			name  = 'local_infile'
			value = 'off'

From Command Line

  1. First retrieve all existing flags values:
gcloud sql instances describe INSTANCE_NAME
  1. Add all existing flags and their value to the patch request - otherwise they will get set to their default value.
gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),local_infile=off


  1. https://cloud.google.com/sdk/gcloud/reference/sql/instances/describe
  2. https://cloud.google.com/sdk/gcloud/reference/sql/instances/patch#--database-flags
  3. https://cloud.google.com/sql/docs/mysql/flags
  4. https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5