Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Feike Steenbergen <feikesteenbergen@gmail.com>,
PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2025-06-05T10:49:08Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Restrict virtual columns to use built-in functions and types
- 0cd69b3d7ef3 18.0 landed
-
Fix virtual generated column type checking for ALTER TABLE
- 49fe1c83ecf3 18.0 landed
-
Expand virtual generated columns in the planner
- 1e4351af329f 18.0 cited
Attachments
- 0001-Restrict-virtual-columns-to-use-built-in-functions.patch (text/plain) patch 0001
On 23.05.25 10:43, Feike Steenbergen wrote: > Attached is a sample exploit, that achieves this, key components: > > - the GENERATED column uses a user defined immutable function > - this immutable function cannot ALTER ROLE (needs volatile) > - therefore this immutable function calls a volatile function > - the volatile function can contain any security exploit I propose to address this by not allowing the use of user-defined functions in generation expressions for now. The attached patch implements this. This assumes that all built-in functions are trustworthy, for this purpose, which seems likely true and likely desirable. I think the feature is still useful like that, and this approach provides a path to add new functionality in the future that grows this set of allowed functions, for example by allowing some configurable set of "trusted" functions or whatever.