Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them
Pavel Stehule <pavel.stehule@gmail.com>
From: Pavel Stehule <pavel.stehule@gmail.com>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: Feike Steenbergen <feikesteenbergen@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2025-06-05T11:33:42Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Restrict virtual columns to use built-in functions and types
- 0cd69b3d7ef3 18.0 landed
-
Fix virtual generated column type checking for ALTER TABLE
- 49fe1c83ecf3 18.0 landed
-
Expand virtual generated columns in the planner
- 1e4351af329f 18.0 cited
čt 5. 6. 2025 v 12:49 odesílatel Peter Eisentraut <peter@eisentraut.org> napsal: > On 23.05.25 10:43, Feike Steenbergen wrote: > > Attached is a sample exploit, that achieves this, key components: > > > > - the GENERATED column uses a user defined immutable function > > - this immutable function cannot ALTER ROLE (needs volatile) > > - therefore this immutable function calls a volatile function > > - the volatile function can contain any security exploit > > I propose to address this by not allowing the use of user-defined > functions in generation expressions for now. The attached patch > implements this. This assumes that all built-in functions are > trustworthy, for this purpose, which seems likely true and likely > desirable. > > I think the feature is still useful like that, and this approach > provides a path to add new functionality in the future that grows this > set of allowed functions, for example by allowing some configurable set > of "trusted" functions or whatever. > +1 Regards Pavel