db-pre-request / current_setting() variable replacement in select is safe? #2206
-
Hello everyone, my pl/sql is rusty indeed, and I'm totally new to how it works in postgres, and I need some help. I've got it all working but I'd like to add a It seems like using so I started trying to google around to see how to do a variable replacement like that, then it occurred to me that this could potentially be unsafe? Like if someone spoofs a token with some nasty stuff in the email claim and does an sql injection or something? Am I seeing ghosts? Would that even be possible? (sorry, I am a big n00b in this arena -- I've consumed many APIs in my time, but never built one before). I realize this is a question beyond just postgrest, but ... what would be the safe way to do this check? surely I'm not the first to think of doing this with postgrest. Has anyone implemented something like this before and wouldn't mind sharing? thanks everyone! edit: after many more hours messing around with this ... ok, it seems like surely I'm missing something here. edit 2: and that thing I was missing was the postgresql version-dependent syntax for checking the
my Fedora box installed version 12.6 from the distro ... I was using the >=14 version syntax. It is troubling though, that absolutely no error was thrown, anywhere even in the postres server log .. and postgrest allowed the transaction regardless. So I mean yeah ... watch out for errors in anyhow back to my original question. I've got a version of what I want working. This is my create or replace function basic_auth.check_token() returns void
language plpgsql
as $$
declare en bool;
begin
select enabled from basic_auth.users where email = current_setting('request.jwt.claim.email', true) into en;
if en = false then
raise insufficient_privilege
using hint = 'user disabled';
end if;
end
$$ security definer; I can set |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
Hey Amy, Yes, using current_setting is safe as it only returns
Not for this case. You should only be concerned about this is if you are doing Dynamic SQL inside your function(which is a rare need). It is possible to make that safe as well though(example here). |
Beta Was this translation helpful? Give feedback.
Hey Amy,
Yes, using current_setting is safe as it only returns
text
so if you got something likeDROP BOBBY TABLES
as an input it would only be a falseWHERE
condition.Not for this case. You should only be concerned about this is if you are doing Dynamic SQL inside your function(which is a rare need). It is possible to make that safe as well though(example here).