Thank you for submitting this pull request! We really appreciate you spending the time to work on these changes.
What is the motivation?
To decrease default capabilities, more specifically by dropping the capability to run non-scripting functions by default. The capability to run functions may extend the attack surface of SurrealDB to additional third-party libraries that are used to implement the functions, as well as allow users to perform actions that should only be allowed as a result of a conscious decision by the SurrealDB owner, especially when other capabilities such as networking are enabled.

For example, by default, if the networking capability is enabled without any exceptions, an attacker may use the `http` functions to perform requests over the private network in order to achieve lateral movement or privilege escalation using internal network interfaces such as the Docker API, the Kubernetes API or internal cloud endpoints.

This change encourages users to enable the specific functions that their service or application requires instead of relying on a default that enables all functions. Users that require all functions can still decide to enable them.
What does this change do?
Updates the `default()` setting for both `CoreCapabilities` and the public `Capabilities` interface to not include functions. Creates a new `none()` setting in `CoreCapabilities` which does not include any capability. Updates the public `Capabilities` interface to use `none()` from `CoreCapabilities`.

What is your testing strategy?
Ensure that existing tests continue passing.
Is this related to any issues?
Addresses some issues raised on #4173.
Does this change need documentation?
No. This behavior was actually already the documented behavior.
Have you read the Contributing Guidelines?
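The `none()` / `default()` split described in this pull request, modelled as an added Rust example that is not SurrealDB's own code: the `Targets` type, the `ns::*` pattern syntax and the builder methods are assumptions for illustration. It shows that a default built from `none()` denies every function, that enabling networking alone does not enable the `http` functions, and that a deployment opts in to exactly the functions it needs.

```rust
/// Assumed shape of an allow-list: exact names such as "time::now"
/// or whole namespaces such as "string::*" (pattern syntax is assumed).
#[derive(Clone, Debug, PartialEq)]
pub enum Targets {
    None,
    All,
    Some(Vec<String>),
}

impl Targets {
    pub fn matches(&self, name: &str) -> bool {
        match self {
            Targets::None => false,
            Targets::All => true,
            Targets::Some(patterns) => patterns.iter().any(|p| match p.strip_suffix("::*") {
                // "http::*" covers every function inside the http namespace only
                Some(ns) => name.strip_prefix(ns).map_or(false, |rest| rest.starts_with("::")),
                None => p == name,
            }),
        }
    }
}

#[derive(Clone, Debug)]
pub struct Capabilities {
    pub functions: Targets,
    pub network: Targets,
}

impl Capabilities {
    /// No capability at all: the starting point of a deny-by-default policy.
    pub fn none() -> Self {
        Self { functions: Targets::None, network: Targets::None }
    }
    pub fn with_functions(mut self, t: Targets) -> Self { self.functions = t; self }
    pub fn with_network(mut self, t: Targets) -> Self { self.network = t; self }
    /// A call is permitted only if the function capability covers it;
    /// the network capability is a separate decision and grants nothing here.
    pub fn allows_function(&self, name: &str) -> bool {
        self.functions.matches(name)
    }
}

/// The default after the change is built from none(), so no functions are enabled.
impl Default for Capabilities {
    fn default() -> Self { Self::none() }
}

/// Constructed policy: networking on, but only the functions this service needs.
pub fn example_policy() -> Capabilities {
    Capabilities::default()
        .with_network(Targets::All)
        .with_functions(Targets::Some(vec!["string::*".into(), "time::now".into()]))
}
```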