From bb93ca98d9197f6b35d062c9e10027a7afb9b38f Mon Sep 17 00:00:00 2001
From: Lian Hu
Date: Fri, 1 Mar 2024 13:47:44 +0100
Subject: [PATCH] Check if schema already exists before create extension
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the schema aiven_extras already exists and belongs to an unprivileged user before adding the extension, it’s possible to abuse it to run some queries in the context of the superuser. [BF-2375]
---
 Makefile | 4 ++--
 sql/aiven_extras--1.1.11--1.1.12.sql | 1 +
 sql/aiven_extras.sql | 12 ++++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 sql/aiven_extras--1.1.11--1.1.12.sql

diff --git a/Makefile b/Makefile
index 84ffa85..e4f366c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-short_ver = 1.1.12
-last_ver = 1.1.11
+short_ver = 1.1.13
+last_ver = 1.1.12
 long_ver = $(shell git describe --long 2>/dev/null || echo $(short_ver)-0-unknown-g`git describe --always`)
 generated = aiven_extras.control \
 sql/aiven_extras--$(short_ver).sql \
diff --git a/sql/aiven_extras--1.1.11--1.1.12.sql b/sql/aiven_extras--1.1.11--1.1.12.sql
new file mode 100644
index 0000000..e2f08fc
--- /dev/null
+++ b/sql/aiven_extras--1.1.11--1.1.12.sql
@@ -0,0 +1 @@
+-- NOOP
diff --git a/sql/aiven_extras.sql b/sql/aiven_extras.sql
index adc4294..29144d9 100644
--- a/sql/aiven_extras.sql
+++ b/sql/aiven_extras.sql
@@ -1,3 +1,15 @@
+-- Check that if schema owned by other already exist
+DO LANGUAGE plpgsql
+$$
+BEGIN
+IF EXISTS (
+SELECT * FROM information_schema.schemata WHERE schema_name = 'aiven_extras' AND schema_owner <> current_user
+) THEN
+RAISE EXCEPTION 'Cannot create extension, schema ''aiven_extras'' owned by other user already exists';
+END IF;
+END
+$$;
 DO LANGUAGE plpgsql
 $OUTER$
 DECLARE
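Review bot: The guard in the aiven_extras.sql hunk queries `information_schema.schemata`, which per the PostgreSQL docs lists only schemas the current role owns or holds some privilege on, so the check is as complete as the installing role's view of the catalog rather than an unconditional test; reading `pg_catalog.pg_namespace` directly removes that dependency, e.g. `SELECT 1 FROM pg_catalog.pg_namespace n WHERE n.nspname = 'aiven_extras' AND pg_catalog.pg_get_userbyid(n.nspowner) <> current_user`. The check also covers ownership only: a pre-existing schema owned by `current_user` but with CREATE granted to other roles (visible in `pg_namespace.nspacl`) would pass and still let another role place objects in it, which is the situation the commit message describes; consider rejecting a pre-existing schema whose `nspacl` grants CREATE to anyone else, or simply any pre-existing schema. The header comment is ungrammatical and does not say why the block exists; I would write `-- Abort if an 'aiven_extras' schema owned by another role already exists, so the extension's objects are never created inside a schema controlled by someone else`. The `DO ... $OUTER$` block that follows starts in the context lines and continues outside the hunk.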