Check if schema already exists before create extension

If the schema aiven_extras already exists and belongs to an unprivileged user before adding the extension, it’s possible to abuse it to run some queries in the context of the superuser. [BF-2375]
aiven · Mar 7, 2024 · 9a037a4 · 9a037a4
1 parent 1504010
commit 9a037a4
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/sql/aiven_extras.sql b/sql/aiven_extras.sql
@@ -1,3 +1,15 @@
+-- Check that if schema owned by other already exist
+DO LANGUAGE plpgsql
+$$
+BEGIN
+    IF EXISTS (
+        SELECT * FROM information_schema.schemata WHERE schema_name = 'aiven_extras' AND schema_owner <> current_user
+    ) THEN
+        RAISE EXCEPTION 'Cannot create extension, schema ''aiven_extras'' owned by other user already exists';
+    END IF;
+END
+$$;
+
 DO LANGUAGE plpgsql
 $OUTER$
 DECLARE