From 3a043688cdb0e8ee496a9f1c3aae865787d3c877 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Thu, 30 Oct 2025 09:17:02 +0100 Subject: [PATCH 1/3] feat: update supautils Bumps supautils to allow disabling `copy ... program` utility --- ansible/vars.yml | 6 +++--- nix/ext/supautils.nix | 4 ++-- nix/tests/expected/security.out | 4 ++++ nix/tests/sql/security.sql | 3 +++ 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index 4f639e5f2..631bd723d 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -10,9 +10,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.5.1.055-orioledb" - postgres17: "17.6.1.034" - postgres15: "15.14.1.034" + postgresorioledb-17: "17.5.1.056-orioledb" + postgres17: "17.6.1.035" + postgres15: "15.14.1.035" # Non Postgres Extensions pgbouncer_release: 1.19.0 diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix index 7ee4a41b3..a10d49c4a 100644 --- a/nix/ext/supautils.nix +++ b/nix/ext/supautils.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { pname = "supautils"; - version = "3.0.0"; + version = "3.0.2"; buildInputs = [ postgresql ]; @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { owner = "supabase"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-EKKjNZQf7HwP/MxpHoPtbEtwXk+wO241GoXVcXpDMFs="; + hash = "sha256-WTLZShBFVgb18vVi15TSZvtJrNUFgQa6mBkavvRSoUE="; }; installPhase = '' diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out index 81b6b8705..a57a0b64c 100644 --- a/nix/tests/expected/security.out +++ b/nix/tests/expected/security.out @@ -31,3 +31,7 @@ order by 1,2; vault | update_secret (20 rows) +-- supautils disables copy ... program +copy (select '') to program 'id'; +ERROR: COPY TO/FROM PROGRAM not allowed +DETAIL: The copy to/from program utility statement is disabled diff --git a/nix/tests/sql/security.sql b/nix/tests/sql/security.sql index fb72f0e69..5822283c0 100644 
--- a/nix/tests/sql/security.sql +++ b/nix/tests/sql/security.sql @@ -7,3 +7,6 @@ from pg_catalog.pg_proc p where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin') and p.prosecdef = true order by 1,2; + +-- supautils disables copy ... program +copy (select '') to program 'id'; From de44d08e94e22b0e2aa7de72195a6e5294b12a31 Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Thu, 30 Oct 2025 09:34:13 +0100 Subject: [PATCH 2/3] fix: set supautils.disable_program guc --- ansible/files/postgresql_config/supautils.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2 index 43875c194..a0a35a70f 100644 --- a/ansible/files/postgresql_config/supautils.conf.j2 +++ b/ansible/files/postgresql_config/supautils.conf.j2 
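Review bot: The new probe only exercises the `TO PROGRAM` direction, while the expected error text added in security.out (`COPY TO/FROM PROGRAM not allowed`) says both directions are refused, so `FROM PROGRAM` goes untested and a regression there would not be caught. Consider adding the mirror case right after the new line, e.g. `create temp table program_probe (line text);` followed by `copy program_probe from program 'id';`, and updating the expected output accordingly. The script also does not show which role it runs as; if the point of the GUC is to block the statement regardless of role, wrapping the probe in a `set role ...;` / `reset role;` pair for the privileged role would pin that down, though I cannot tell from this hunk how the test harness connects. The select statement this hunk appends to begins outside the hunk.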
@@ -13,3 +13,4 @@ supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.disable_program = 'true'
\ No newline at end of file
From 53cbd460288232ca1ee95380883a40884380f4ff Mon Sep 17 00:00:00 2001
From: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
Date: Thu, 30 Oct 2025 11:59:04 -0400
Subject: [PATCH 3/3] Apply suggestion from @soedirgo
---
 ansible/files/postgresql_config/supautils.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
index a0a35a70f..ec49090cc 100644
--- a/ansible/files/postgresql_config/supautils.conf.j2
+++ b/ansible/files/postgresql_config/supautils.conf.j2
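Review bot: The added `supautils.disable_program = 'true'` line carries no comment, and nothing nearby says what it blocks or why the privileged role must not be able to flip it back. The `supautils.privileged_role_allowed_configs` list in the context lines above contains no `supautils.*` entry, so the `postgres` role presumably cannot `SET` or `ALTER SYSTEM` this GUC; that is the property the whole change rests on and it is worth confirming against the supautils version being bumped and then stating in the file, e.g. `# Reject COPY ... TO/FROM PROGRAM for every role; deliberately absent from privileged_role_allowed_configs so the privileged role cannot re-enable it`. The setting also only takes effect when supautils is loaded as a preload library, which this template does not show — a one-line pointer to where that is configured would help the next reader.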
@@ -13,4 +13,4 @@ supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
-supautils.disable_program = 'true'
\ No newline at end of file
+supautils.disable_program = 'true'