From ca73753b090c33bc69ce299b4d7fff891a77b8ad Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 8 May 2023 10:12:44 -0400
Subject: Handle RLS dependencies in inlined set-returning
functions properly.
If an SRF in the FROM clause references a table having row-level
security policies, and we inline that SRF into the calling query,
we neglected to mark the plan as potentially dependent on which
role is executing it. This could lead to later executions in the
same session returning or hiding rows that should have been hidden
or returned instead.
Our thanks to Wolfgang Walther for reporting this problem.
Stephen Frost and Tom Lane
Security: CVE-2023-2455
---
src/backend/optimizer/util/clauses.c | 7 ++++++
src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++
src/test/regress/sql/rowsecurity.sql | 20 +++++++++++++++++
3 files changed, 54 insertions(+)
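--- a/src/backend/optimizer/util/clauses.c
+++ b/src/backend/optimizer/util/clauses.c
@@ -5205,6 +5205,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte)
 */
 record_plan_function_dependency(root, func_oid);
 
+ /*
+ * We must also notice if the inserted query adds a dependency on the
+ * calling role due to RLS quals.
+ */
+ if (querytree->hasRowSecurity)
+ root->glob->dependsOnRole = true;
+
 return querytree;
 
 /* Here if func is not inlinable: release temp memory and return NULL */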
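Review bot: The new comment above `if (querytree->hasRowSecurity)` says what is recorded but not what relies on it; I would extend its second line to something like `* calling role due to RLS quals, so a cached plan is not reused under a different role.` The commit message describes exactly that failure (later executions in the same session returning or hiding the wrong rows), and a reader of clauses.c alone will not see that link. The flag is set only on the success path just before `return querytree;`. The rest of inline_set_returning_function lies outside the hunk, so I cannot confirm from here that `hasRowSecurity` is already populated at this point; presumably the query has been through the rewriter by then, and a word in the comment to that effect would help.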
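--- a/src/test/regress/expected/rowsecurity.out
+++ b/src/test/regress/expected/rowsecurity.out
@@ -4427,6 +4427,33 @@ SELECT * FROM rls_tbl;
 
 DROP TABLE rls_tbl;
 RESET SESSION AUTHORIZATION;
+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
+create table rls_t (c text);
+insert into rls_t values ('invisible to bob');
+alter table rls_t enable row level security;
+grant select on rls_t to regress_rls_alice, regress_rls_bob;
+create policy p1 on rls_t for select to regress_rls_alice using (true);
+create policy p2 on rls_t for select to regress_rls_bob using (false);
+create function rls_f () returns setof rls_t
+ stable language sql
+ as $$ select * from rls_t $$;
+prepare q as select current_user, * from rls_f();
+set role regress_rls_alice;
+execute q;
+ current_user | c
+-------------------+------------------
+ regress_rls_alice | invisible to bob
+(1 row)
+
+set role regress_rls_bob;
+execute q;
+ current_user | c
+--------------+---
+(0 rows)
+
+RESET ROLE;
+DROP FUNCTION rls_f();
+DROP TABLE rls_t;
 --
 -- Clean up objects
 --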
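--- a/src/test/regress/sql/rowsecurity.sql
+++ b/src/test/regress/sql/rowsecurity.sql
@@ -2127,6 +2127,26 @@ SELECT * FROM rls_tbl;
 DROP TABLE rls_tbl;
 RESET SESSION AUTHORIZATION;
 
+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
+create table rls_t (c text);
+insert into rls_t values ('invisible to bob');
+alter table rls_t enable row level security;
+grant select on rls_t to regress_rls_alice, regress_rls_bob;
+create policy p1 on rls_t for select to regress_rls_alice using (true);
+create policy p2 on rls_t for select to regress_rls_bob using (false);
+create function rls_f () returns setof rls_t
+ stable language sql
+ as $$ select * from rls_t $$;
+prepare q as select current_user, * from rls_f();
+set role regress_rls_alice;
+execute q;
+set role regress_rls_bob;
+execute q;
+
+RESET ROLE;
+DROP FUNCTION rls_f();
+DROP TABLE rls_t;
+
 --
 -- Clean up objects
 --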
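Review bot: The regression test covers only one direction: `q` is first executed as regress_rls_alice and then as regress_rls_bob, which checks that alice's rows do not leak to bob, but the commit message also names the opposite failure (rows hidden that should have been returned). Adding `set role regress_rls_alice;` and `execute q;` after bob's `execute q;` would check that a plan built under the `using (false)` policy is not reused for alice; expected/rowsecurity.out would then need the matching one-row result. The prepared statement `q` is also left in the session after cleanup, so a `deallocate q;` before `DROP FUNCTION rls_f();` would avoid leaving it behind for the rest of the file.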
--
2.41.0