Comments (1)
interesting stuff
From that same doc:
> This prevents malicious users from creating objects that mask objects used by the function

So the risk is that the user could manipulate a schema they control, that is on the search path, to obscure the table that we want to audit.

Something like:
```sql
create schema malicious;
create schema public;
create table public.account ....;
-- malicious user wants to hide 'public.account'
create table malicious.account ...;
-- if our search path looked like this
-- (unquoted list: quoting the whole value would name a single schema "malicious,public")
set search_path = malicious, public;
-- and the admin didn't specify the schema when auditing a table
select audit.enable_tracking('account'::regclass);
```
then the admin might think they're auditing public.account when they're actually auditing malicious.account.

It seems like a low risk but I'll leave this open and add an explicit search_path next time we do an update.

Thanks for raising the question.
from supa_audit.
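A check an admin can run before enabling tracking, to see which relation an unqualified name resolves to under the current search_path. This is an added example, not code from supa_audit or from the comment above; the table columns are constructed for the demo, and everything runs inside a transaction that is rolled back.

```sql
begin;

-- Constructed demo objects; names mirror the comment above, columns are made up.
create schema malicious;
create table public.account (id int primary key);
create table malicious.account (id int primary key);

-- Same ordering as in the comment: the untrusted schema comes first.
set local search_path = malicious, public;

-- 1. Which relation does the unqualified name resolve to in this session?
--    regclass output omits the schema when the relation is visible, so
--    read the schema from pg_namespace instead of trusting the text form.
select n.nspname as resolved_schema,
       c.relname as resolved_table
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.oid = 'account'::regclass;
-- resolved_schema is "malicious" here, not "public"

-- 2. Every table with that name, its owner, and whether it is the one an
--    unqualified reference picks. More than one row means the name can be
--    shadowed; visible_unqualified = false marks the hidden table.
select n.nspname                    as schema_name,
       pg_get_userbyid(c.relowner)  as owner,
       pg_table_is_visible(c.oid)   as visible_unqualified
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relname = 'account'
  and c.relkind in ('r', 'p')
order by n.nspname;

-- 3. A schema-qualified name resolves the same way regardless of search_path.
select 'public.account'::regclass::oid
       = (select c.oid
          from pg_class c
          join pg_namespace n on n.oid = c.relnamespace
          where n.nspname = 'public' and c.relname = 'account')
       as qualified_name_is_public_account;

rollback;
```

With supa_audit installed, passing `'public.account'::regclass` to `audit.enable_tracking` pins the target in the same way as step 3.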