Posted to dev@madlib.apache.org by GitBox <gi...@apache.org> on 2021/03/04 02:08:06 UTC

[GitHub] [madlib] reductionista commented on a change in pull request #554: DL: Check if the owner of the object table is a superuser

reductionista commented on a change in pull request #554:
URL: https://github.com/apache/madlib/pull/554#discussion_r586978514



##########
File path: src/ports/postgres/modules/utilities/utilities.py_in
##########
@@ -775,6 +775,17 @@ def is_superuser(user):
     return plpy.execute("SELECT rolsuper FROM pg_catalog.pg_roles "\
                         "WHERE rolname = '{0}'".format(user))[0]['rolsuper']
 
+def get_table_owner(schema_table):
+
+    split_table = schema_table.split(".",1)
+    schema = split_table[0]
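Review bot: `schema_table.split(".", 1)` assumes the input is an unquoted two-part name, so an unqualified name makes `split_table[0]` the relation instead of the schema, and a relation name that itself contains a dot (or a double-quoted identifier) is mis-parsed, with everything after the first dot silently folded into the table part. Since this owner lookup gates whether user-supplied code gets loaded, resolve the name with the server's own parser rather than by string splitting, e.g. `SELECT relowner FROM pg_catalog.pg_class WHERE oid = {0}::regclass` with the input passed through `plpy.quote_literal`, or at least reject anything that does not parse to exactly two non-empty parts. The function also needs a docstring stating the expected input form; note too that the adjacent `is_superuser` interpolates `user` into the query unescaped, and the new code should not copy that pattern.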

Review comment:
   I think we need to be more careful here.

   Let's say there is a custom function table an admin created called `madlib.custom_functions`.

   I think I see a loophole in the way `get_table_owner` is implemented which allows any ordinary user to gain admin access.

   Steps:
   1. User creates a table in public schema named "madlib.custom_functions.haha", filling it with their own malicious custom functions.
   2. User sets search_path=madlib,public
   3. Malicious user passes object_table='madlib.custom_functions.haha' to MADlib function

   Seems like this would pass the security check, and then proceed to load the custom functions from the user's table instead of the admin's table.
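The resolution mismatch described in the comment, as an added example (not MADlib code or part of the thread): `naive_split` reproduces the first-dot split from the hunk, while the hypothetical `parse_qualified_name` follows PostgreSQL identifier lexing (double quotes, `""` escapes, case folding) and refuses any name that is not exactly `schema.relation`, so the three-part name from the steps above is rejected instead of being accepted with the wrong schema.

```python
# Added example, not code from MADlib or this PR: strict parsing of a
# schema-qualified relation name versus splitting on the first ".".
from typing import List, Optional, Tuple


def naive_split(schema_table: str) -> Tuple[str, str]:
    """The pattern from the hunk: text before the first '.' is the schema."""
    parts = schema_table.split(".", 1)
    return parts[0], (parts[1] if len(parts) == 2 else "")


def parse_qualified_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (schema, relation) as the SQL lexer would see it, or None.

    A double-quoted identifier may contain dots and keeps its case; a
    doubled quote inside it stands for one quote. Unquoted identifiers
    are folded to lower case and end at the next '.'. Exactly two
    non-empty parts are required; anything else is rejected rather than
    silently folded into the relation name.
    """
    parts: List[str] = []
    buf: List[str] = []
    i, n = 0, len(name)
    while i < n:
        ch = name[i]
        if ch == '"':
            i += 1  # quoted identifier: read up to the closing quote
            while True:
                if i >= n:
                    return None  # unterminated quote
                if name[i] == '"':
                    if i + 1 < n and name[i + 1] == '"':
                        buf.append('"')  # "" escape -> literal quote
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(name[i])
                i += 1
        elif ch == ".":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch.lower())
            i += 1
    parts.append("".join(buf))
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]
```

With the three-part name from the comment, `naive_split` returns schema `madlib` (so an owner check on `madlib` passes) while `parse_qualified_name` returns `None`; the same table addressed correctly as `public."madlib.custom_functions.haha"` parses to schema `public`.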




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org