Re: PCI:SSF - Safe SQL Query & operators filter

From: Jan Bilek <jan(dot)bilek(at)eftlab(dot)com(dot)au>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>, Christophe Pettus <xof(at)thebuild(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: PCI:SSF - Safe SQL Query & operators filter
Date: 2022-11-08 07:35:02
Message-ID: 915c39ef-5244-7682-0a2e-fffe17ba8490@eftlab.com.au
Lists: pgsql-general

On 11/8/22 17:03, Laurenz Albe wrote:
> On Tue, 2022-11-08 at 04:14 +0000, Jan Bilek wrote:
>
>> I know it is not exactly what you suggested (and agreeing a lot that our
>> app user shouldn't be running as superuser), but as all other inputs
>> from our application come sanitized through bind and this is the only
>> way where the user can send an explicit command in there - I think it should do!
>>
>> Please let me know if you approve.
> I strongly disapprove, and any security audit you pass with such a setup
> is worthless. I repeat: the application does not need to connect with
> a superuser.
>
> I don't understand what you want to demonstrate with the code samples, or
> what you mean when you say that "the user can send an explicit command".
>
> Yours,
> Laurenz Albe

Interesting.

I agree that our app shouldn't need superuser, but that would mean that
some ... you made me give it some serious thought here.

Installation itself is happening under elevated (root) rights. We are
using the postgres account for moving in everything that's needed (e.g. that
plpython3u extension). Walking through our code for most of the day, I
can't see why that superuser would be really needed. Those plpython3u
functions are wrapped up under the hood already. I'm sending that in to
check if our QA will find anything.

Thanks for being stubborn about this!

Cheers,
Jan

--
Jan Bilek - CTO at EFTlab Pty Ltd.
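One way to lay out the privilege split the message arrives at (install and create the plpython3u functions as the postgres superuser, have the application connect as a plain role that may only execute them), as an added example that is not the product's or the list's own code; the schema, role and function names are assumptions:

```sql
-- Run once at installation time, connected as the postgres superuser.
-- plpython3u is an untrusted language: both CREATE EXTENSION and
-- CREATE FUNCTION ... LANGUAGE plpython3u are superuser-only, so this is
-- the one place superuser rights are genuinely needed.
CREATE EXTENSION IF NOT EXISTS plpython3u;
CREATE SCHEMA IF NOT EXISTS app;

-- Hypothetical wrapped helper standing in for the product's own functions.
-- It is owned by postgres; the application never creates such functions.
CREATE OR REPLACE FUNCTION app.mask_pan(pan text) RETURNS text
LANGUAGE plpython3u AS $$
    digits = ''.join(ch for ch in pan if ch.isdigit())
    return '*' * max(len(digits) - 4, 0) + digits[-4:]
$$;

-- The role the application connects with: a login, nothing more.
-- 'CHANGE-ME' is a placeholder, not a real credential.
CREATE ROLE app_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    PASSWORD 'CHANGE-ME';

-- Least privilege on the wrapper: nobody but app_user may call it.
REVOKE ALL ON FUNCTION app.mask_pan(text) FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_user;
GRANT EXECUTE ON FUNCTION app.mask_pan(text) TO app_user;

-- Check from the application's own connection (as app_user):
-- rolsuper must be false for the application role, and the call must
-- still succeed because EXECUTE was granted explicitly above.
SELECT rolname, rolsuper FROM pg_roles WHERE rolname = current_user;
SELECT app.mask_pan('4111 1111 1111 1111');
```

Any attempt by app_user to run CREATE FUNCTION ... LANGUAGE plpython3u itself fails with a permission error, which is the property an audit would want to see rather than a superuser connection with a query filter in front of it.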
