From a26236cc7b2b9dba75dc303eab975c756f5b6436 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Thu, 20 Feb 2025 17:25:05 +0100
Subject: [PATCH 1/2] feat: add test for security definer functions
---
nix/tests/expected/security.out | 30 ++++++++++++++++++++++++++++++
nix/tests/sql/security.sql | 9 +++++++++
2 files changed, 39 insertions(+)
create mode 100644 nix/tests/expected/security.out
create mode 100644 nix/tests/sql/security.sql
diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out
new file mode 100644
index 000000000..5fbacab69
--- /dev/null
+++ b/nix/tests/expected/security.out
@@ -0,0 +1,30 @@
+-- get a list of security definer functions owned by supabase_admin
+-- this list should be vetted to ensure the functions are safe to use as security definer
+select
+ p.proname
+from pg_catalog.pg_proc p
+ left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
+ and p.prosecdef = true
+order by 1;
+ proname
+--------------------------------
+ dblink_connect_u
+ dblink_connect_u
+ disable_security_label_trigger
+ enable_security_label_trigger
+ get_key_by_id
+ get_key_by_name
+ get_named_keys
+ get_schema_version
+ increment_schema_version
+ mask_role
+ pgaudit_ddl_command_end
+ pgaudit_sql_drop
+ repack_trigger
+ st_estimatedextent
+ st_estimatedextent
+ st_estimatedextent
+ update_mask
+(17 rows)
+
diff --git a/nix/tests/sql/security.sql b/nix/tests/sql/security.sql
new file mode 100644
index 000000000..09b17f9f0
--- /dev/null
+++ b/nix/tests/sql/security.sql
@@ -0,0 +1,9 @@ +-- get a list of security definer functions owned by supabase_admin +-- this list should be vetted to ensure the functions are safe to use as security definer +select + p.proname +from pg_catalog.pg_proc p + left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace +where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin') + and p.prosecdef = true +order by 1; From 4885be7fdf237eb0684990b94521a097fa28c8c0 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 25 Feb 2025 07:53:38 +0100 Subject: [PATCH 2/2] chore: include nspname to help relate functions to schema/extensions --- nix/tests/expected/security.out | 42 ++++++++++++++++----------------- nix/tests/sql/security.sql | 4 ++-- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out index 5fbacab69..58207b605 100644 --- a/nix/tests/expected/security.out +++ b/nix/tests/expected/security.out 
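Review bot: The `select` in this hunk identifies each function by `proname` alone, so overloads are indistinguishable in the vetted list — the companion `security.out` hunk shows `dblink_connect_u` twice and `st_estimatedextent` three times, and a change to one overload's argument list would leave the expected output unchanged. Selecting `pg_catalog.pg_get_function_identity_arguments(p.oid) as identity_args` next to `p.proname` pins each row to the signature that was actually reviewed. The query also does not show whether a function fixes `search_path`, which is the property a security-definer review most needs to confirm; emitting `p.proconfig` in the same snapshot would make that visible without a second query. The same applies to the reworked query in the PATCH 2/2 `security.sql` hunk, which adds `n.nspname` but keeps the name-only identity.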
@@ -1,30 +1,30 @@
 -- get a list of security definer functions owned by supabase_admin
 -- this list should be vetted to ensure the functions are safe to use as security definer
 select
- p.proname
+ n.nspname, p.proname
 from pg_catalog.pg_proc p
 left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
 and p.prosecdef = true
-order by 1;
- proname
---------------------------------
- dblink_connect_u
- dblink_connect_u
- disable_security_label_trigger
- enable_security_label_trigger
- get_key_by_id
- get_key_by_name
- get_named_keys
- get_schema_version
- increment_schema_version
- mask_role
- pgaudit_ddl_command_end
- pgaudit_sql_drop
- repack_trigger
- st_estimatedextent
- st_estimatedextent
- st_estimatedextent
- update_mask
+order by 1,2;
+ nspname | proname
+----------+--------------------------------
+ graphql | get_schema_version
+ graphql | increment_schema_version
+ pgsodium | disable_security_label_trigger
+ pgsodium | enable_security_label_trigger
+ pgsodium | get_key_by_id
+ pgsodium | get_key_by_name
+ pgsodium | get_named_keys
+ pgsodium | mask_role
+ pgsodium | update_mask
+ public | dblink_connect_u
+ public | dblink_connect_u
+ public | pgaudit_ddl_command_end
+ public | pgaudit_sql_drop
+ public | st_estimatedextent
+ public | st_estimatedextent
+ public | st_estimatedextent
+ repack | repack_trigger
 (17 rows)
diff --git a/nix/tests/sql/security.sql b/nix/tests/sql/security.sql
index 09b17f9f0..fb72f0e69 100644
--- a/nix/tests/sql/security.sql
+++ b/nix/tests/sql/security.sql
@@ -1,9 +1,9 @@
 -- get a list of security definer functions owned by supabase_admin
 -- this list should be vetted to ensure the functions are safe to use as security definer
 select
- p.proname
+ n.nspname, p.proname
 from pg_catalog.pg_proc p
 left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
 and p.prosecdef = true
-order by 1;
+order by 1,2;
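Review bot: The new `order by 1,2;` on the last line of the hunk sorts by position, which silently changes meaning whenever the select list is edited — exactly what this patch does by prepending `n.nspname` — so `order by n.nspname, p.proname;` would keep the sort tied to the named columns and the expected output stable under further edits. Keyword case is mixed within the query (`ON` uppercase on the join line, every other keyword lowercase); `on` would match the file's convention. Since `pg_proc.pronamespace` is not nullable in the catalog, the `left join` to `pg_namespace` behaves as an inner join here and `inner join` would state that intent — this is inferred from the catalog definition, not from anything visible in the hunk.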