fix(wasm): add user id to wasm cache file hash #301
Merged
+7
−3
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
This PR is to add current user id and package url to wasm fdw local cache file name hash, which is to mitigate a security issue described below.
What is the current behavior?
The current wasm fdw local cache file name hash is calculated as
sha256('<pacakge_name>@<version>')
, this will cause a potential security risk. Suppose both user A and B can create foreign table on same database, and then below steps can cause data leaking:package_name=foo, version=1.2.3
, but doesn't query it so the wasm fdw file hasn't been downloaded yetfoo
and version1.2.3
, this wasm fdw used the same code as user A used, but added an secret code which can post every response to user B controlled data collection sitepackage_name=foo, version=1.2.3
, and package url pointing to his wasm fdwWhat is the new behavior?
The wasm fdw local cache file name hash will be changed to
sha256('<user_oid>:<package_ur>:<pacakge_name>@<version>')
, so each user will use their own local cache file and will not shared with other users. This will mitigate the vulnerability described above.Additional context
After database backup/restore, the user oid may change so the local cache file name hash will be changed, this will trigger another download. That's expected behaviour so we don't need to worry about it.