Skip to content

security(streaming): SSE applies the column allowlist but not the policy row-filter — query/stream RLS drift #319

Description

@EricAndrechek

Area: api · policy · observability (streaming) — security (RLS bypass on the stream path) · found via pre-launch audit

Expected: the SSE delivery path applies the same policy as the structured-query path — both the column allowlist and the row-filter (RLS predicate) that the query path injects.

Actual: the SSE stream applies the column allowlist but not the policy row-filter, so the two read paths drift: a subscriber receives rows that the structured-query path would filter out for that role.

Impact: any deployment that combines row-policies with a public or role-scoped SSE stream leaks rows over the stream that RLS should remove — a data-exposure on the streaming surface. Live signal on Stats is limited (the public table carries no restrictive row-policy), but the gap is real for any future private/PII table fronted by a stream.

Scope: apply the query-path row-filter inside the stream policy evaluation (applyStreamPolicy).

Related: #294 (SSE delivery path), #214 (per-table policy scopes), the applyStreamPolicy unfiltered-passthrough issue.


From WaveHouse-Stats pre-launch security audit (WAVEHOUSE-FEEDBACK.md dogfooding), audited dev 60fed15 (2026-06-10). Filed via /pm-triage.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/apiHTTP handlers, routing, middlewarearea/observabilityMetrics, logs, traces, health, profilingarea/policyAccess control policies (Hasura-style)bugSomething isn't workingsecuritySecurity-sensitive issue or fix

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions