From 0223d00a54eb079c44ffa25eced7fbe71a0be579 Mon Sep 17 00:00:00 2001
From: javi
Date: Thu, 12 Feb 2015 10:57:12 +0100
Subject: [PATCH 1/6] fixed security problem

---
 scripts-available/CDB_QueryTables.sql | 5 -----
 test/CDB_QueryTablesTest.sql | 4 ++++
 test/CDB_QueryTablesTest_expect | 2 ++
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/scripts-available/CDB_QueryTables.sql b/scripts-available/CDB_QueryTables.sql
index 2fb9532..d2a17c6 100644
--- a/scripts-available/CDB_QueryTables.sql
+++ b/scripts-available/CDB_QueryTables.sql
@@ -16,11 +16,6 @@ BEGIN
 FOR rec IN SELECT CDB_QueryStatements(query) q LOOP
- IF NOT ( rec.q ilike 'select %' or rec.q ilike 'with %' ) THEN
- --RAISE WARNING 'Skipping %', rec.q;
- CONTINUE;
- END IF;
-
 BEGIN
 EXECUTE 'EXPLAIN (FORMAT XML, VERBOSE) ' || rec.q INTO STRICT exp;
 EXCEPTION WHEN others THEN
diff --git a/test/CDB_QueryTablesTest.sql b/test/CDB_QueryTablesTest.sql
index 6c3911f..b87315c 100644
--- a/test/CDB_QueryTablesTest.sql
+++ b/test/CDB_QueryTablesTest.sql
@@ -31,3 +31,7 @@ create table sc.test (a int);
 insert into sc.test values (1);
 WITH inp AS ( select 'select * from sc.test'::text as q )
 SELECT q, CDB_QueryTables(q) from inp;
+
+WITH inp AS ( select 'SELECT
+* FROM geometry_columns'::text as q )
+ SELECT q, CDB_QueryTables(q) from inp;
diff --git a/test/CDB_QueryTablesTest_expect b/test/CDB_QueryTablesTest_expect
index 6d44860..bfe59df 100644
--- a/test/CDB_QueryTablesTest_expect
+++ b/test/CDB_QueryTablesTest_expect
@@ -13,3 +13,5 @@ CREATE SCHEMA
 CREATE TABLE
 INSERT 0 1
 select * from sc.test|{sc.test}
+SELECT
+* FROM geometry_columns|{pg_catalog.pg_attribute,pg_catalog.pg_class,pg_catalog.pg_namespace,pg_catalog.pg_type}

From 519ea075d6534c4c51fffa4063386dfafc938528 Mon Sep 17 00:00:00 2001
From: javi
Date: Fri, 13 Feb 2015 17:32:14 +0100
Subject: [PATCH 2/6] fixed reg exp

---
 scripts-available/CDB_QueryTables.sql | 5 +++++
 1 file changed, 5 insertions(+)
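Review bot: With the `IF NOT ( rec.q ilike 'select %' ... ) CONTINUE` guard removed, every statement CDB_QueryStatements yields now reaches `EXECUTE 'EXPLAIN (FORMAT XML, VERBOSE) ' || rec.q`, so a statement such as the new test's `SELECT` followed by a newline can no longer slip past a space-anchored pattern and come back with no table names — that is the right direction, because a skipped statement previously looked identical to one touching no tables. Plain EXPLAIN plans without executing, but DDL and utility statements cannot be explained and will now land in the `EXCEPTION WHEN others` handler, whose body lies outside this hunk; confirm that handler raises rather than letting the loop finish and return an empty array, otherwise the fail-open path still exists for non-query statements. A comment above the inner BEGIN would record the intent: `-- every statement is EXPLAINed; anything that cannot be explained must error, never be silently skipped`. The loop body and the enclosing function continue beyond the hunk.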
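Review bot: The added case exercises only a newline between SELECT and the column list, which is the one shape of the bug that was found; the other ways a statement can fail a prefix check — leading whitespace, a leading `--` or `/* */` comment, a parenthesised `(SELECT ...)`, and the `TABLE`/`VALUES` forms — are not covered, and patch 2/6 in this series reintroduces a prefix filter that those inputs would hit. Add at least `'  /* c */ SELECT * FROM sc.test'` and `'TABLE sc.test'`, both expected to resolve to `{sc.test}`, so that a regression to silent skipping shows up in this test rather than in production.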
diff --git a/scripts-available/CDB_QueryTables.sql b/scripts-available/CDB_QueryTables.sql
index d2a17c6..cd8b51b 100644
--- a/scripts-available/CDB_QueryTables.sql
+++ b/scripts-available/CDB_QueryTables.sql
@@ -16,6 +16,11 @@ BEGIN
 FOR rec IN SELECT CDB_QueryStatements(query) q LOOP
+ IF NOT ( rec.q ilike 'select%' or rec.q ilike 'with%' ) THEN
+ --RAISE WARNING 'Skipping %', rec.q;
+ CONTINUE;
+ END IF;
+
 BEGIN
 EXECUTE 'EXPLAIN (FORMAT XML, VERBOSE) ' || rec.q INTO STRICT exp;
 EXCEPTION WHEN others THEN

From d43e141291fb916e3711e88b1b5ae9cd76910f57 Mon Sep 17 00:00:00 2001
From: javi
Date: Tue, 17 Feb 2015 11:34:49 +0100
Subject: [PATCH 3/6] updated news

---
 NEWS.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/NEWS.md b/NEWS.md
index e29edcd..8310da7 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,7 @@
+0.5.X ()
+------------------
+* Fixed secuity problem related with system tables
+
 0.5.2 (2015-01-29)
 ------------------
 * Improvement: make CDB_UserDataSize functions much faster.

From 6c7706672f52f83efda12bc340e7abddddac7279 Mon Sep 17 00:00:00 2001
From: Kartones
Date: Tue, 17 Feb 2015 15:40:26 +0100
Subject: [PATCH 4/6] #69 now using pg_relation_size

---
 Makefile | 4 ++--
 scripts-available/CDB_Quota.sql | 2 +-
 test/CDB_CartodbfyTableTest.sql | 2 +-
 test/CDB_QuotaTest.sql | 11 +++++++----
 test/CDB_QuotaTest_expect | 8 +++++---
 test/extension/test.sh | 10 +++++-----
 6 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/Makefile b/Makefile
index f36c5c3..e2aa4ba 100644
--- a/Makefile
+++ b/Makefile
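Review bot: The restored guard is still a prefix match with a silent skip: `rec.q ilike 'select%'` rejects a statement that begins with whitespace, a `--` or `/* */` comment, an opening parenthesis, or the `TABLE`/`VALUES` forms, and the `CONTINUE` then drops it from the result with no diagnostic because the RAISE WARNING is commented out — so such a statement reports no tables, the same fail-open shape the `'select %'` pattern had, only with a different trigger. Whether CDB_QueryStatements trims leading whitespace or comments is not visible in this hunk; if it does not, anchor the test on the first token rather than the first byte, e.g. `IF NOT ( rec.q ~* '^\s*(select|with)\M' ) THEN`, and either re-enable the warning or raise for anything skipped so a caller cannot mistake "skipped" for "touches no tables". A comment stating why only select/with are explained would also help the next reader, since the commented-out warning currently reads as leftover debugging. The loop body continues past the hunk.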
@@ -91,14 +91,14 @@ legacy_regress: $(REGRESS_OLD) Makefile
 for f in $(REGRESS_OLD); do \
 tn=`basename $${f} .sql`; \
 of=sql/test/$${tn}.sql; \
- echo '\\set ECHO off' > $${of}; \
+ echo '\\set ECHO none' > $${of}; \
 echo '\\a' >> $${of}; \
 echo '\\t' >> $${of}; \
 echo '\\set QUIET off' >> $${of}; \
 cat $${f} | \
 $(SED) -e 's/public\./cartodb./g' >> $${of}; \
 exp=expected/test/$${tn}.out; \
- echo '\\set ECHO off' > $${exp}; \
+ echo '\\set ECHO none' > $${exp}; \
 cat test/$${tn}_expect >> $${exp}; \
 done
diff --git a/scripts-available/CDB_Quota.sql b/scripts-available/CDB_Quota.sql
index 9d53d2a..6e7b6bb 100644
--- a/scripts-available/CDB_Quota.sql
+++ b/scripts-available/CDB_Quota.sql
@@ -24,7 +24,7 @@ BEGIN
 FROM user_tables
 ),
 sizes AS (
- SELECT COALESCE(INT8(SUM(pg_total_relation_size('"' || schema_name || '"."' || table_name || '"')))) table_size,
+ SELECT COALESCE(INT8(SUM(pg_relation_size('"' || schema_name || '"."' || table_name || '"')))) table_size,
 CASE
 WHEN is_overview THEN 0
 WHEN is_raster THEN 1
diff --git a/test/CDB_CartodbfyTableTest.sql b/test/CDB_CartodbfyTableTest.sql
index 7f9810e..3736e80 100644
--- a/test/CDB_CartodbfyTableTest.sql
+++ b/test/CDB_CartodbfyTableTest.sql
@@ -1,5 +1,5 @@
 SET client_min_messages TO error;
-\set VERBOSITY terse;
+\set VERBOSITY default
 CREATE OR REPLACE FUNCTION CDB_CartodbfyTableCheck(tabname regclass, label text)
 RETURNS text AS
diff --git a/test/CDB_QuotaTest.sql b/test/CDB_QuotaTest.sql
index ff290f4..e54a74d 100644
--- a/test/CDB_QuotaTest.sql
+++ b/test/CDB_QuotaTest.sql
@@ -1,5 +1,6 @@
-set client_min_messages to ERROR;
-\set VERBOSITY terse
+set client_min_messages to error;
+\set VERBOSITY default
+
 CREATE TABLE big(a int);
 -- Try the legacy interface
 -- See https://github.com/CartoDB/cartodb-postgresql/issues/13
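Review bot: `pg_relation_size(...)` with a single argument measures only the main fork of the heap, so TOAST storage stops counting against the quota, and the large geometry, raster or text values these tables typically hold are exactly what PostgreSQL moves out of line — a user can therefore exceed the quota by a wide margin with a table whose main fork stays small. If the aim of #69 is only to stop charging indexes and overview side tables, `pg_table_size()` is the function that includes TOAST plus the free-space and visibility maps while excluding indexes: `SELECT COALESCE(INT8(SUM(pg_table_size('"' || schema_name || '"."' || table_name || '"')))) table_size,`. Separately, the identifier is built with bare double quotes, so a schema or table name containing `"` yields an invalid regclass string and the whole quota computation errors; `quote_ident(schema_name) || '.' || quote_ident(table_name)` avoids that. The sizes CTE and the enclosing function continue beyond the hunk.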
@@ -9,8 +10,10 @@ INSERT INTO big VALUES (1); -- allowed, check runs before
 INSERT INTO big VALUES (1); -- disallowed, quota exceeds before
 SELECT CDB_SetUserQuotaInBytes(0);
 SELECT CDB_CartodbfyTable('big');
-INSERT INTO big SELECT generate_series(1,1024);
-SELECT CDB_SetUserQuotaInBytes(8);
+INSERT INTO big SELECT generate_series(1,2048);
+INSERT INTO big SELECT generate_series(1,2048);
+INSERT INTO big SELECT generate_series(1,2048);
+SELECT CDB_SetUserQuotaInBytes(2);
 INSERT INTO big VALUES (1);
 SELECT CDB_SetUserQuotaInBytes(0);
 INSERT INTO big VALUES (1);
diff --git a/test/CDB_QuotaTest_expect b/test/CDB_QuotaTest_expect
index a5b9fab..1272429 100644
--- a/test/CDB_QuotaTest_expect
+++ b/test/CDB_QuotaTest_expect
@@ -5,9 +5,11 @@ INSERT 0 1
 ERROR: Quota exceeded by 3.9990234375KB
 0
-INSERT 0 1024
-8
-ERROR: Quota exceeded by 123.9921875KB
+INSERT 0 2048
+INSERT 0 2048
+INSERT 0 2048
+2
+ERROR: Quota exceeded by 159.998046875KB
 0
 INSERT 0 1
 DROP TABLE
diff --git a/test/extension/test.sh b/test/extension/test.sh
index 4f3a469..1cfd515 100644
--- a/test/extension/test.sh
+++ b/test/extension/test.sh
@@ -253,7 +253,7 @@ function run_tests() {
 # Tests quota checking taking into account both geom and raster tables
 function test_quota_for_each_user() {
 # Normal tables add 4096 bytes
- # Raster tables with overview constraints add 16384 bytes
+ # Raster tables no longer add anything so also count as 4096
 sql cdb_testmember_1 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_1'::TEXT);" should 4096
 sql cdb_testmember_2 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_2'::TEXT);" should 4096
@@ -261,13 +261,13 @@ function test_quota_for_each_user() {
 create_raster_table cdb_testmember_1 raster_1
 create_raster_table cdb_testmember_2 raster_2
- sql cdb_testmember_1 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_1'::TEXT);" should 20480
- sql cdb_testmember_2 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_2'::TEXT);" should 20480
+ sql cdb_testmember_1 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_1'::TEXT);" should 4096
+ sql cdb_testmember_2 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_2'::TEXT);" should 4096
 create_raster_table cdb_testmember_1 raster_3
- sql cdb_testmember_1 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_1'::TEXT);" should 36864
- sql cdb_testmember_2 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_2'::TEXT);" should 20480
+ sql cdb_testmember_1 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_1'::TEXT);" should 4096
+ sql cdb_testmember_2 "SELECT cartodb.CDB_UserDataSize('cdb_testmember_2'::TEXT);" should 4096
 drop_raster_table cdb_testmember_1 raster_1
 drop_raster_table cdb_testmember_2 raster_2

From dbc0e069c5abf35782851b0e324e3f307ffdbe41 Mon Sep 17 00:00:00 2001
From: Kartones
Date: Tue, 17 Feb 2015 15:47:18 +0100
Subject: [PATCH 5/6] #69 Updated version at makefile

---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index e2aa4ba..35e0ddf 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # cartodb/Makefile
 EXTENSION = cartodb
-EXTVERSION = 0.5.2
+EXTVERSION = 0.5.3
 SED = sed
@@ -31,6 +31,7 @@ UPGRADABLE = \
 0.4.1 \
 0.5.0 \
 0.5.1 \
+ 0.5.2 \
 $(EXTVERSION)dev \
 $(EXTVERSION)next \
 $(END)

From 39e16ebc592e215a03ed19fdbfd54c2bee82c682 Mon Sep 17 00:00:00 2001
From: Kartones
Date: Tue, 17 Feb 2015 16:25:16 +0100
Subject: [PATCH 6/6] Update NEWS.md

---
 NEWS.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/NEWS.md b/NEWS.md
index 8310da7..6f4d412 100644
--- a/NEWS.md
+++ b/NEWS.md
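Review bot: All four rewritten assertions expect 4096 both before and after `create_raster_table`, so the test no longer distinguishes a raster table that is counted from one that is ignored by the quota; with `pg_relation_size` a freshly created, empty table has no heap pages, which is presumably why the figure does not move, and that makes these lines a check that nothing happened rather than a check of the quota logic. Insert at least one row into `raster_1` (or have create_raster_table do so, which is outside this hunk) before the first `should`, so the expected size actually grows and a regression that stops charging raster tables would fail here. The comment in the preceding hunk, `# Raster tables no longer add anything so also count as 4096`, should then say what is really going on, e.g. `# an empty raster table has no heap pages yet, so its size only shows once rows are inserted`. The function continues outside the hunk.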
@@ -1,6 +1,7 @@
-0.5.X ()
+0.5.3 (2015-02-xx)
 ------------------
 * Fixed secuity problem related with system tables
+* Changed quota checks to use `pg_relation_size` instead of `pg_total_relation_size`
 0.5.2 (2015-01-29)
 ------------------