Commit cfb3bae
fix: revoke execute on pgque.uninstall() from PUBLIC (#60)
pgque.uninstall() was revoked from pgque_admin, but PUBLIC execute was
left at the PostgreSQL default for SECURITY DEFINER functions. Any role
that could connect to the database could call pgque.uninstall() and
drop the entire pgque schema. The README and docs/reference.md both
claimed the function was "superuser only"; reality was that every
login role had it.
Add `revoke execute on function pgque.uninstall() from public;` in
sql/pgque-additions/roles.sql alongside the existing pgque_admin
revoke. Rebuild sql/pgque.sql. Extend tests/test_pgque_roles.sql to
assert that pgque_admin, pgque_writer, and pgque_reader all lack
execute on uninstall() — catches any future regression.
Found during the functional review of PR #59 (docs restructure). The
docs PR tightened the wording to match pre-fix reality and pointed at
this PR as the follow-up hardening; once this merges, the docs claim
becomes true by default.
Co-authored-by: Nik Samokhvalov <nik@niks-mbp.lan>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent 3b75f58 commit cfb3bae
3 files changed
Lines changed: 18 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
77 | 77 | | |
78 | 78 | | |
79 | 79 | | |
80 | | - | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
81 | 84 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4239 | 4239 | | |
4240 | 4240 | | |
4241 | 4241 | | |
4242 | | - | |
| 4242 | + | |
| 4243 | + | |
| 4244 | + | |
| 4245 | + | |
4243 | 4246 | | |
4244 | 4247 | | |
4245 | 4248 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
41 | 41 | | |
42 | 42 | | |
43 | 43 | | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
44 | 54 | | |
45 | 55 | | |
0 commit comments