Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them

Peter Eisentraut <peter@eisentraut.org>

From: Peter Eisentraut <peter@eisentraut.org>
To: Feike Steenbergen <feikesteenbergen@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2025-06-05T10:49:08Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Restrict virtual columns to use built-in functions and types

  2. Fix virtual generated column type checking for ALTER TABLE

  3. Expand virtual generated columns in the planner

Attachments

On 23.05.25 10:43, Feike Steenbergen wrote:
> Attached is a sample exploit, that achieves this, key components:
> 
> - the GENERATED column uses a user defined immutable function
> - this immutable function cannot ALTER ROLE (needs volatile)
> - therefore this immutable function calls a volatile function
> - the volatile function can contain any security exploit

I propose to address this by not allowing the use of user-defined 
functions in generation expressions for now.  The attached patch 
implements this.  This assumes that all built-in functions are 
trustworthy, for this purpose, which seems likely true and likely desirable.

I think the feature is still useful like that, and this approach 
provides a path to add new functionality in the future that grows this 
set of allowed functions, for example by allowing some configurable set 
of "trusted" functions or whatever.