Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them - Mailing list pgsql-hackers

From Feike Steenbergen
Subject Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them
Date
Msg-id CAK_s-G0qAbqJqJ_Ufs3yrKLFNFr-RimmOrLUuA+pOVdHNpHpZQ@mail.gmail.com
In response to Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them  (jian he <jian.universality@gmail.com>)
List pgsql-hackers
On Fri, 23 May 2025 at 14:48, jian he <jian.universality@gmail.com> wrote:
> When you mark it as IMMUTABLE, postgres thinks it's IMMUTABLE, but in this case
> exploit_generated.exploit(i int) clearly is not an IMMUTABLE function.
>
> Only IMMUTABLE functions are allowed in generated expressions,
> but you can still misuse it by wrongly tagging the function as IMMUTABLE.

Yeah, I'm quite aware that the pattern used in the example isn't what one
*should* be doing. However, the problem with the exploit is that it *could* be
done this way.

The loophole is this:

- the generated virtual column can use a user-defined function
- when running SELECT against that column by a superuser
  the function is called within the context of a superuser
- this in turn allows the regular user to run any code within
  the context of superuser
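
An audit query for the condition described in the message above, added here as an example and not part of the original post or of PostgreSQL itself: it lists virtual generated columns whose generation expression directly references a function owned by a non-superuser role, so an administrator can review them before selecting from those tables with a privileged role. It assumes PostgreSQL 18 catalogs, where `pg_attribute.attgenerated = 'v'` marks a virtual generated column.

```sql
-- Added example: find virtual generated columns that call functions
-- owned by non-superuser roles.
SELECT DISTINCT
       c.oid::regclass                 AS table_name,
       tr.rolname                      AS table_owner,
       a.attname                       AS column_name,
       pg_get_expr(d.adbin, d.adrelid) AS generation_expr,
       p.oid::regprocedure             AS function_called,
       fr.rolname                      AS function_owner,
       p.provolatile                   AS declared_volatility  -- 'i' is only the owner's claim
FROM pg_attribute a
JOIN pg_class   c  ON c.oid = a.attrelid
JOIN pg_roles   tr ON tr.oid = c.relowner
JOIN pg_attrdef d  ON d.adrelid = a.attrelid
                  AND d.adnum   = a.attnum
-- Functions used in the expression are recorded in pg_depend. The
-- dependent object is normally the pg_attrdef entry; the column itself
-- is also matched here as a fallback (assumption, for safety).
JOIN pg_depend dep ON dep.refclassid = 'pg_proc'::regclass
                  AND (   (dep.classid = 'pg_attrdef'::regclass
                           AND dep.objid = d.oid)
                       OR (dep.classid = 'pg_class'::regclass
                           AND dep.objid = a.attrelid
                           AND dep.objsubid = a.attnum))
JOIN pg_proc    p  ON p.oid = dep.refobjid
JOIN pg_roles   fr ON fr.oid = p.proowner
WHERE a.attgenerated = 'v'      -- virtual generated columns only
  AND NOT a.attisdropped
  AND NOT fr.rolsuper           -- built-in functions are superuser-owned
ORDER BY table_name, column_name;
```

The query only sees functions referenced directly in the generation expression; functions reached through operators or called from inside another function's body do not appear in these dependency rows and need separate review.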
