From 87986b9667fb027d144f3e1d410a011a2ac99228 Mon Sep 17 00:00:00 2001 From: Oliver Rice Date: Tue, 13 Feb 2024 16:08:05 -0600 Subject: [PATCH 1/2] auth.users is exposed through public schema --- README.md | 2 +- bin/installcheck | 2 +- dockerfiles/docker-compose.yml | 9 ++++-- lints/0002_auth_users_exposed.sql | 39 +++++++++++++++++++++++ test/expected/0002_auth_users_exposed.out | 17 ++++++++++ test/fixtures.sql | 7 ++++ test/sql/0002_auth_users_exposed.sql | 12 +++++++ 7 files changed, 84 insertions(+), 4 deletions(-) create mode 100644 lints/0002_auth_users_exposed.sql create mode 100644 test/expected/0002_auth_users_exposed.out create mode 100644 test/sql/0002_auth_users_exposed.sql diff --git a/README.md b/README.md index 7db5d71..d72f6fd 100644 --- a/README.md +++ b/README.md @@ -45,5 +45,5 @@ To run the test suite, Run test ```sh -docker rmi -f dockerfiles-test && SUPABASE_VERSION=15.1.1.13 docker-compose -f dockerfiles/docker-compose.yml run --rm test +docker rmi -f dockerfiles-db && SUPABASE_VERSION=15.1.1.13 docker-compose -f dockerfiles/docker-compose.yml run --rm db ``` diff --git a/bin/installcheck b/bin/installcheck index a6247e3..21909dc 100755 --- a/bin/installcheck +++ b/bin/installcheck @@ -49,7 +49,7 @@ else fi # Execute the test fixtures -psql -v ON_ERROR_STOP=1 -f lints/*.sql -f test/fixtures.sql -d contrib_regression +psql -v ON_ERROR_STOP= -f test/fixtures.sql -f lints/0001*.sql -f lints/0002*.sql -d contrib_regression # Run tests ${REGRESS} --use-existing --dbname=contrib_regression --inputdir=${TESTDIR} ${TESTS} diff --git a/dockerfiles/docker-compose.yml b/dockerfiles/docker-compose.yml index 2e2cf5f..7149e0d 100644 --- a/dockerfiles/docker-compose.yml +++ b/dockerfiles/docker-compose.yml 
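Review bot: The new psql invocation sets `-v ON_ERROR_STOP=` with an empty value; psql (10 and later) substitutes "on" for an empty boolean variable, so errors still abort, but the line reads as if error stopping had been switched off and the next person to touch it is likely to "fix" it the wrong way — write `-v ON_ERROR_STOP=1`. The lints are now listed one `-f` per numbered prefix, presumably because `-f lints/*.sql` attaches only the first glob match to `-f` and passes the rest as positional arguments; if that is the reason, a loop keeps the required order (fixtures first, since 0002 resolves `'auth.users'::regclass` at view-creation time) without having to edit this script for every new lint: `psql -v ON_ERROR_STOP=1 -d contrib_regression -f test/fixtures.sql` followed by `for lint in lints/*.sql; do psql -v ON_ERROR_STOP=1 -d contrib_regression -f "$lint"; done`.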
@@ -1,12 +1,17 @@ version: '3' services: - test: - container_name: repo_test + db: + container_name: supabase-db build: context: .. dockerfile: ./dockerfiles/Dockerfile args: PG_VERSION: ${SUPABASE_VERSION:-15.1.1.13} + healthcheck: + test: pg_isready -U postgres -h localhost + interval: 5s + timeout: 5s + retries: 10 command: - ./bin/installcheck diff --git a/lints/0002_auth_users_exposed.sql b/lints/0002_auth_users_exposed.sql new file mode 100644 index 0000000..c51d0f9 --- /dev/null +++ b/lints/0002_auth_users_exposed.sql 
@@ -0,0 +1,39 @@
+create view "0002_auth_users_exposed" as
+
+select
+ 'auth_users_exposed' as name,
+ 'WARN' as level,
+ 'EXTERNAL' as facing,
+ 'Detects if auth.users is exposed to anon or authenticated roles via a view or materialized view in the public schema, potentially compromising user data security.' as description,
+ format(
+ 'View/Materialized View "%s" in the public schema may expose auth.users data to anon or authenticated roles.',
+ c.relname
+ ) as detail,
+ 'Review the view/materialized view definition to ensure it does not unintentionally expose sensitive user data. Apply proper role permissions and consider using row-level security to protect sensitive data.' as remediation,
+ jsonb_build_object(
+ 'view_name', c.relname,
+ 'schema', 'public',
+ 'exposed_to', array_remove(array_agg(DISTINCT case when pg_catalog.has_table_privilege('anon', c.oid, 'SELECT') then 'anon' when pg_catalog.has_table_privilege('authenticated', c.oid, 'SELECT') then 'authenticated' end), null)
+ ) as metadata,
+ format('auth_users_exposed_%s', c.relname) as cache_key
+from
+ pg_depend d
+ join pg_rewrite r
+ on r.oid = d.objid
+ join pg_class c
+ on c.oid = r.ev_class
+ join pg_namespace n
+ on n.oid = c.relnamespace
+where
+ d.refobjid = 'auth.users'::regclass
+ and d.deptype = 'n'
+ and c.relkind in ('v', 'm') -- v for view, m for materialized view
+ and n.nspname = 'public'
+ and (
+ pg_catalog.has_table_privilege('anon', c.oid, 'SELECT')
+ or pg_catalog.has_table_privilege('authenticated', c.oid, 'SELECT')
+ )
+ -- Exclude self
+ and c.relname <> '0002_auth_users_exposed'
+group by
+ c.relname, c.oid;
diff --git a/test/expected/0002_auth_users_exposed.out b/test/expected/0002_auth_users_exposed.out
new file mode 100644
index 0000000..c91dea3
--- /dev/null
+++ b/test/expected/0002_auth_users_exposed.out
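Review bot: The `exposed_to` array built in the `jsonb_build_object(...)` line can never list both roles, because a single `case when ... then 'anon' when ... then 'authenticated' end` stops at the first true branch, so a view readable by both roles is reported as `["anon"]` only — which is exactly what test/expected/0002_auth_users_exposed.out shows even though the fixture's default privileges grant SELECT to PUBLIC, i.e. to both roles. Evaluate each role independently and assemble the array from the two results as below; the expected `.out` then changes to `["anon", "authenticated"]` and the aggregate (and its DISTINCT, which only served to collapse duplicate pg_depend rows) is no longer needed. Separately, the dependency walk is one level deep (`d.refobjid = 'auth.users'::regclass`), so a public view that selects from an intermediate view over auth.users is not flagged; that limitation is worth stating next to the predicate, e.g. `-- only direct dependencies on auth.users are detected; a view layered on another view is not followed`.
```sql
 jsonb_build_object(
 'view_name', c.relname,
 'schema', 'public',
 'exposed_to', array_remove(
 array[
 case when pg_catalog.has_table_privilege('anon', c.oid, 'SELECT') then 'anon' end,
 case when pg_catalog.has_table_privilege('authenticated', c.oid, 'SELECT') then 'authenticated' end
 ],
 null
 )
 ) as metadata,
 -- … unchanged: cache_key, from / where / group by …
```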
@@ -0,0 +1,17 @@
+begin;
+ -- No issues
+ select * from "0002_auth_users_exposed";
+ name | level | facing | description | detail | remediation | metadata | cache_key
+------+-------+--------+-------------+--------+-------------+----------+-----------
+(0 rows)
+
+ -- Create a view that exposes auth.users
+ create view public.oops as
+ select * from auth.users;
+ select * from "0002_auth_users_exposed";
+ name | level | facing | description | detail | remediation | metadata | cache_key
+--------------------+-------+----------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------+-------------------------
+ auth_users_exposed | WARN | EXTERNAL | Detects if auth.users is exposed to anon or authenticated roles via a view or materialized view in the public schema, potentially compromising user data security. | View/Materialized View "oops" in the public schema may expose auth.users data to anon or authenticated roles. | Review the view/materialized view definition to ensure it does not unintentionally expose sensitive user data. Apply proper role permissions and consider using row-level security to protect sensitive data. | {"schema": "public", "view_name": "oops", "exposed_to": ["anon"]} | auth_users_exposed_oops
+(1 row)
+
+rollback;
diff --git a/test/fixtures.sql b/test/fixtures.sql
index e69de29..962d234 100644
--- a/test/fixtures.sql
+++ b/test/fixtures.sql
@@ -0,0 +1,7 @@
+create schema auth;
+create view auth.users as select 1;
+
+create role anon;
+create role authenticated;
+grant usage on schema public to anon, authenticated;
+alter default privileges in schema public grant select on tables to public;
diff --git a/test/sql/0002_auth_users_exposed.sql b/test/sql/0002_auth_users_exposed.sql
new file mode 100644
index 0000000..a2751d7
--- /dev/null
+++ b/test/sql/0002_auth_users_exposed.sql
@@ -0,0 +1,12 @@
+begin;
+
+ -- No issues
+ select * from "0002_auth_users_exposed";
+
+ -- Create a view that exposes auth.users
+ create view public.oops as
+ select * from auth.users;
+
+ select * from "0002_auth_users_exposed";
+
+rollback;
From 2a230287696919ce2d0b0553951a83b60216a72f Mon Sep 17 00:00:00 2001
From: Oliver Rice
Date: Wed, 14 Feb 2024 08:13:35 -0600
Subject: [PATCH 2/2] fix CI
---
 .github/workflows/test.yml | 4 ++--
 README.md | 2 +-
 dockerfiles/docker-compose.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3779d9e..7479d75 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ jobs: uses: actions/checkout@v3 - name: Build docker images - run: PG_VERSION=${{ matrix.postgres }} docker-compose -f .ci/docker-compose.yml build + run: PG_VERSION=${{ matrix.postgres }} docker-compose -f dockerfiles/docker-compose.yml build - name: Run tests - run: PG_VERSION=${{ matrix.postgres }} docker-compose -f .ci/docker-compose.yml run test + run: PG_VERSION=${{ matrix.postgres }} docker-compose -f dockerfiles/docker-compose.yml run test
diff --git a/README.md b/README.md
index d72f6fd..6c6b014 100644
--- a/README.md
+++ b/README.md
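Review bot: The test only exercises the positive case, so the privilege predicate in the lint's `where` clause (the two `has_table_privilege` checks) is never shown to exclude anything; a public view over auth.users that neither anon nor authenticated can read should produce 0 rows and that path is untested. Adding, before `rollback;`, `revoke select on public.oops from public;` followed by `select * from "0002_auth_users_exposed";` covers it (the fixture hands out SELECT through default privileges to PUBLIC, so revoking from PUBLIC removes it from both roles), and a `create materialized view` case would likewise cover the `relkind = 'm'` branch. The expected output file needs the matching rows for any case added here.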
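Review bot: Both rewritten `run:` lines still export `PG_VERSION=${{ matrix.postgres }}`, but the compose file they now point at derives its `PG_VERSION` build arg from `${SUPABASE_VERSION:-15.1.1.13}` (visible in the docker-compose hunk of the first patch), so as far as these hunks show the matrix value is never consumed and every job builds the default image. Export the variable the compose file actually reads: `run: SUPABASE_VERSION=${{ matrix.postgres }} docker-compose -f dockerfiles/docker-compose.yml build`, and the same substitution on the `run test` step. The matrix values would then need to be Supabase image tags rather than bare Postgres versions; the matrix definition is outside this hunk, so that part cannot be checked here.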
@@ -45,5 +45,5 @@ To run the test suite, Run test ```sh -docker rmi -f dockerfiles-db && SUPABASE_VERSION=15.1.1.13 docker-compose -f dockerfiles/docker-compose.yml run --rm db +docker rmi -f dockerfiles-db && SUPABASE_VERSION=15.1.1.13 docker-compose -f dockerfiles/docker-compose.yml run --rm test ``` diff --git a/dockerfiles/docker-compose.yml b/dockerfiles/docker-compose.yml index 7149e0d..b97c294 100644 --- a/dockerfiles/docker-compose.yml +++ b/dockerfiles/docker-compose.yml @@ -1,7 +1,7 @@ version: '3' services: - db: + test: container_name: supabase-db build: context: ..