Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them

Pavel Stehule <pavel.stehule@gmail.com>

From: Pavel Stehule <pavel.stehule@gmail.com>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: Feike Steenbergen <feikesteenbergen@gmail.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2025-06-05T11:33:42Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Restrict virtual columns to use built-in functions and types

  2. Fix virtual generated column type checking for ALTER TABLE

  3. Expand virtual generated columns in the planner

čt 5. 6. 2025 v 12:49 odesílatel Peter Eisentraut <peter@eisentraut.org>
napsal:

> On 23.05.25 10:43, Feike Steenbergen wrote:
> > Attached is a sample exploit, that achieves this, key components:
> >
> > - the GENERATED column uses a user defined immutable function
> > - this immutable function cannot ALTER ROLE (needs volatile)
> > - therefore this immutable function calls a volatile function
> > - the volatile function can contain any security exploit
>
> I propose to address this by not allowing the use of user-defined
> functions in generation expressions for now.  The attached patch
> implements this.  This assumes that all built-in functions are
> trustworthy, for this purpose, which seems likely true and likely
> desirable.
>
> I think the feature is still useful like that, and this approach
> provides a path to add new functionality in the future that grows this
> set of allowed functions, for example by allowing some configurable set
> of "trusted" functions or whatever.
>

+1

Regards

Pavel