Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add test for security definer functions #1461

Merged
merged 2 commits into from
Feb 25, 2025
Merged

feat: add test for security definer functions #1461

merged 2 commits into from
Feb 25, 2025

Conversation

staaldraad
Copy link
Contributor

@staaldraad staaldraad commented Feb 24, 2025
edited by doublethink
Loading

What kind of change does this PR introduce?

test

What is the new behavior?

Adds security / regression checks to ensure new security definer functions aren't introduced without first being vetted.

Additional context

Checks all extensions installed, if a new extension is added, it should be present in prime.sql. If a new security definer function is introduced, it must be vetted and if safe, added to the output in security.out

Fixes SEC-204

@staaldraad staaldraad requested a review from a team as a code owner February 24, 2025 13:09
@linear Linear
Copy link

linear bot commented Feb 24, 2025

PSQL-253 create test to detect new security definer functions

darora
darora approved these changes Feb 24, 2025
View reviewed changes
Copy link
Contributor

@darora darora left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm but should also get a +1 from @supabase/postgres

@samrose
Copy link
Collaborator

samrose commented Feb 24, 2025

@staaldraad I am re-running the failed testinfra test, as it appears to have just been a connectivity issue on that. Once it passes, I'll add an approval on this one. Thank you!

@samrose
Copy link
Collaborator

samrose commented Feb 24, 2025

@staaldraad all checks passing!

@samrose samrose self-requested a review February 24, 2025 18:34
@imor
Copy link
Contributor

imor commented Feb 25, 2025

Maybe also prefix the function names with schema name to make it absolutely clear which function are security definers.

@staaldraad staaldraad merged commit 9d7b75c into develop Feb 25, 2025
11 checks passed
@staaldraad staaldraad deleted the etienne/PSQL-253 branch February 25, 2025 09:59
@linear Linear
Copy link

linear bot commented Feb 26, 2025

SEC-204 Explore automation to detect these priv escalation paths

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samrose samrose samrose approved these changes

@darora darora darora approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@staaldraad @samrose @imor @darora