Postgres Pro
Downloads
Home   >   mailing lists

Thread: Does NOTIFY leak information?

Does NOTIFY leak information?

From
PG Doc comments form
Date:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/17/sql-notify.html
Description:

Hi,

The documentation (https://www.postgresql.org/docs/17/sql-notify.html) for
the NOTIFY command begins with the following statements:

The NOTIFY command sends a notification event together with an optional
“payload” string to each client application that has previously executed
LISTEN channel for the specified channel name in the current database.
Notifications are visible to all users.

I am interpreting this to mean that if I as user A receive a notification to
a channel that I have set up, then user B and user C will also see this
notification, irrespective of their various permissions. Am I understanding
this correctly, and if so, doesn't this qualify as an information leak?

Re: Does NOTIFY leak information?

From
"David G. Johnston"
Date:
On Tuesday, December 3, 2024, PG Doc comments form <noreply@postgresql.org> wrote:

I am interpreting this to mean that if I as user A receive a notification to
a channel that I have set up, then user B and user C will also see this
notification, irrespective of their various permissions. Am I understanding
this correctly, and if so, doesn't this qualify as an information leak?

Maybe, but given that is the explicit design of the feature it isn’t something we are compelled to change.  Don’t put sensitive data in the payload, or just don’t use the feature if the public permission-less broadcast behavior doesn’t work for you.

David J.

Re: Does NOTIFY leak information?

From
Greg Sabino Mullane
Date:
On Wed, Dec 4, 2024 at 8:03 AM PG Doc comments form <noreply@postgresql.org> wrote:
I am interpreting this to mean that if I as user A receive a notification to
a channel that I have set up, then user B and user C will also see this
notification, irrespective of their various permissions. Am I understanding
this correctly, and if so, doesn't this qualify as an information leak?

No: it is a public broadcast, with no permissions implied (or allowed!). However, you can certainly store sensitive information elsewhere (e.g. a table), and use the notification as a way of signalling "hey, check the secure drop box, I just put something inside there"

If you still feel the docs are unclear about this, we are always welcome to wording suggestions. 

Cheers,
Greg