Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them

Feike Steenbergen <feikesteenbergen@gmail.com>

From: Feike Steenbergen <feikesteenbergen@gmail.com>
To: jian he <jian.universality@gmail.com>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2025-05-24T06:38:50Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Restrict virtual columns to use built-in functions and types

  2. Fix virtual generated column type checking for ALTER TABLE

  3. Expand virtual generated columns in the planner

On Fri, 23 May 2025 at 14:48, jian he <jian.universality@gmail.com> wrote:
> when you mark it as IMMUTABLE, postgres think it's IMMUTABLE, but in this
case
> exploit_generated.exploit(i int) clearly is not an IMMUTABLE function.
>
> Only IMMUTABLE functions are allowed in generated expressions,
> but you can still misuse it by wrongly tagging the function as IMMUTABLE.

Yeah, I'm quite aware that the pattern used in the example isn't what one
*should* be doing. However, the problem with the exploit that it *could* be
done this way.

The loophole is this:

- the generated virtual column can use a user-defined function
- when running SELECT against that column by a superuser
  the function is called within the context of a superuser
- this in turn allows the regular user to run any code within
  the context of superuser