NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitdb69e58

committed

Reset plan->row_security_env and planUserId

In the plancache, we check if the environment we planned the query underhas changed in a way which requires us to re-plan, such as when the userfor whom the plan was prepared changes and RLS is being used (and,therefore, there may be different policies to apply).Unfortunately, while those values were set and checked, they were notbeing reset when the query was re-planned and therefore, in cases wherewe change role, re-plan, and then change role again, we weren'tre-planning again. This leads to potentially incorrect policies beingapplied in cases where role-specific policies are used and a given queryis planned under one role and then executed under other roles, whichcould happen under security definer functions or when a common user andquery is planned initially and then re-used across multiple SET ROLEs.Further, extensions which made use of CopyCachedPlan() may suffer fromsimilar issues as the RLS-related fields were not properly copied aspart of the plan and therefore RevalidateCachedQuery() would copy in thecurrent settings without invalidating the query.Fix by using the same approach used for 'search_path', where we set thecorrect values in CompleteCachedPlan(), check them early on inRevalidateCachedQuery() and then properly reset them if re-planning.Also, copy through the values during CopyCachedPlan().Pointed out by Ashutosh Bapat. Reviewed by Michael Paquier.Back-patch to 9.5 where RLS was introduced.Security:CVE-2016-2193

1 parentd6e7401 commitdb69e58Copy full SHA for db69e58

File tree

3 files changed

+49

-14

lines changed

src
- backend/utils/cache
  - plancache.c
- test/regress
  - expected
    - rowsecurity.out
  - sql
    - rowsecurity.sql

3 files changed

+49

-14

lines changed

`‎src/backend/utils/cache/plancache.c`

Lines changed: 26 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,8 @@`
`16`	`16`	`* if it has one. When (and if) the next demand for a cached plan occurs,`
`17`	`17`	`* parse analysis and rewrite is repeated to build a new valid query tree,`
`18`	`18`	`* and then planning is performed as normal. We also force re-analysis and`
`19`		`- * re-planning if the active search_path is different from the previous time.`
	`19`	`+ * re-planning if the active search_path is different from the previous time`
	`20`	`+ * or, if RLS is involved, if the user changes or the RLS environment changes.`
`20`	`21`	`*`
`21`	`22`	`* Note that if the sinval was a result of user DDL actions, parse analysis`
`22`	`23`	`* could throw an error, for example if a column referenced by the query is`
`@@ -204,8 +205,8 @@ CreateCachedPlan(Node *raw_parse_tree,`
`204`	`205`	`plansource->total_custom_cost=0;`
`205`	`206`	`plansource->num_custom_plans=0;`
`206`	`207`	`plansource->hasRowSecurity= false;`
`207`		`-plansource->row_security_env=row_security;`
`208`	`208`	`plansource->planUserId=InvalidOid;`
	`209`	`+plansource->row_security_env= false;`
`209`	`210`
`210`	`211`	`MemoryContextSwitchTo(oldcxt);`
`211`	`212`
`@@ -271,6 +272,8 @@ CreateOneShotCachedPlan(Node *raw_parse_tree,`
`271`	`272`	`plansource->generic_cost=-1;`
`272`	`273`	`plansource->total_custom_cost=0;`
`273`	`274`	`plansource->num_custom_plans=0;`
	`275`	`+plansource->planUserId=InvalidOid;`
	`276`	`+plansource->row_security_env= false;`
`274`	`277`
`275`	`278`	`returnplansource;`
`276`	`279`	`}`
`@@ -409,6 +412,8 @@ CompleteCachedPlan(CachedPlanSource *plansource,`
`409`	`412`	`plansource->cursor_options=cursor_options;`
`410`	`413`	`plansource->fixed_result=fixed_result;`
`411`	`414`	`plansource->resultDesc=PlanCacheComputeResultDesc(querytree_list);`
	`415`	`+plansource->planUserId=GetUserId();`
	`416`	`+plansource->row_security_env=row_security;`
`412`	`417`
`413`	`418`	`MemoryContextSwitchTo(oldcxt);`
`414`	`419`
`@@ -571,24 +576,15 @@ RevalidateCachedQuery(CachedPlanSource *plansource)`
`571`	`576`	`returnNIL;`
`572`	`577`	`}`
`573`	`578`
`574`		`-/*`
`575`		`- * If this is a new cached plan, then set the user id it was planned by`
`576`		`- * and under what row security settings; these are needed to determine`
`577`		`- * plan invalidation when RLS is involved.`
`578`		`- */`
`579`		`-if (!OidIsValid(plansource->planUserId))`
`580`		`-{`
`581`		`-plansource->planUserId=GetUserId();`
`582`		`-plansource->row_security_env=row_security;`
`583`		`-}`
`584`		`-`
`585`	`579`	`/*`
`586`	`580`	`* If the query is currently valid, we should have a saved search_path ---`
`587`	`581`	`* check to see if that matches the current environment. If not, we want`
`588`		`- * to force replan.`
	`582`	`+ * to force replan. We should also have a valid planUserId.`
`589`	`583`	`*/`
`590`	`584`	`if (plansource->is_valid)`
`591`	`585`	`{`
	`586`	`+Assert(OidIsValid(plansource->planUserId));`
	`587`	`+`
`592`	`588`	`Assert(plansource->search_path!=NULL);`
`593`	`589`	`if (!OverrideSearchPathMatchesCurrent(plansource->search_path))`
`594`	`590`	`{`
`@@ -643,6 +639,14 @@ RevalidateCachedQuery(CachedPlanSource *plansource)`
`643`	`639`	`plansource->invalItems=NIL;`
`644`	`640`	`plansource->search_path=NULL;`
`645`	`641`
	`642`	`+/*`
	`643`	`+ * The plan is invalid, possibly due to row security, so we need to reset`
	`644`	`+ * row_security_env and planUserId as we're about to re-plan with the`
	`645`	`+ * current settings.`
	`646`	`+ */`
	`647`	`+plansource->row_security_env=row_security;`
	`648`	`+plansource->planUserId=GetUserId();`
	`649`	`+`
`646`	`650`	`/*`
`647`	`651`	`* Free the query_context. We don't really expect MemoryContextDelete to`
`648`	`652`	`* fail, but just in case, make sure the CachedPlanSource is left in a`
`@@ -1380,6 +1384,14 @@ CopyCachedPlan(CachedPlanSource *plansource)`
`1380`	`1384`	`newsource->total_custom_cost=plansource->total_custom_cost;`
`1381`	`1385`	`newsource->num_custom_plans=plansource->num_custom_plans;`
`1382`	`1386`
	`1387`	`+/*`
	`1388`	`+ * Copy over the user the query was planned as, and under what RLS`
	`1389`	`+ * environment. We will check during RevalidateCachedQuery() if the user`
	`1390`	`+ * or environment has changed and, if so, will force a re-plan.`
	`1391`	`+ */`
	`1392`	`+newsource->planUserId=plansource->planUserId;`
	`1393`	`+newsource->row_security_env=plansource->row_security_env;`
	`1394`	`+`
`1383`	`1395`	`MemoryContextSwitchTo(oldcxt);`
`1384`	`1396`
`1385`	`1397`	`returnnewsource;`

`‎src/test/regress/expected/rowsecurity.out`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2334,23 +2334,37 @@ GRANT SELECT ON t1 TO rls_regress_user1, rls_regress_user2;`
`2334`	`2334`	`CREATE POLICY p1 ON t1 TO rls_regress_user1 USING ((a % 2) = 0);`
`2335`	`2335`	`CREATE POLICY p2 ON t1 TO rls_regress_user2 USING ((a % 4) = 0);`
`2336`	`2336`	`ALTER TABLE t1 ENABLE ROW LEVEL SECURITY;`
	`2337`	`+-- Prepare as rls_regress_user1`
`2337`	`2338`	`SET ROLE rls_regress_user1;`
`2338`	`2339`	`PREPARE role_inval AS SELECT * FROM t1;`
	`2340`	`+-- Check plan`
`2339`	`2341`	`EXPLAIN (COSTS OFF) EXECUTE role_inval;`
`2340`	`2342`	`QUERY PLAN`
`2341`	`2343`	`-------------------------`
`2342`	`2344`	`Seq Scan on t1`
`2343`	`2345`	`Filter: ((a % 2) = 0)`
`2344`	`2346`	`(2 rows)`
`2345`	`2347`
	`2348`	`+-- Change to rls_regress_user2`
`2346`	`2349`	`SET ROLE rls_regress_user2;`
	`2350`	`+-- Check plan- should be different`
`2347`	`2351`	`EXPLAIN (COSTS OFF) EXECUTE role_inval;`
`2348`	`2352`	`QUERY PLAN`
`2349`	`2353`	`-------------------------`
`2350`	`2354`	`Seq Scan on t1`
`2351`	`2355`	`Filter: ((a % 4) = 0)`
`2352`	`2356`	`(2 rows)`
`2353`	`2357`
	`2358`	`+-- Change back to rls_regress_user1`
	`2359`	`+SET ROLE rls_regress_user1;`
	`2360`	`+-- Check plan- should be back to original`
	`2361`	`+EXPLAIN (COSTS OFF) EXECUTE role_inval;`
	`2362`	`+ QUERY PLAN`
	`2363`	`+-------------------------`
	`2364`	`+ Seq Scan on t1`
	`2365`	`+ Filter: ((a % 2) = 0)`
	`2366`	`+(2 rows)`
	`2367`	`+`
`2354`	`2368`	`--`
`2355`	`2369`	`-- CTE and RLS`
`2356`	`2370`	`--`

`‎src/test/regress/sql/rowsecurity.sql`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -852,11 +852,20 @@ CREATE POLICY p2 ON t1 TO rls_regress_user2 USING ((a % 4) = 0);`
`852`	`852`
`853`	`853`	`ALTERTABLE t1 ENABLE ROW LEVEL SECURITY;`
`854`	`854`
	`855`	`+-- Prepare as rls_regress_user1`
`855`	`856`	`SET ROLE rls_regress_user1;`
`856`	`857`	`PREPARE role_invalASSELECT*FROM t1;`
	`858`	`+-- Check plan`
`857`	`859`	`EXPLAIN (COSTS OFF) EXECUTE role_inval;`
`858`	`860`
	`861`	`+-- Change to rls_regress_user2`
`859`	`862`	`SET ROLE rls_regress_user2;`
	`863`	`+-- Check plan- should be different`
	`864`	`+EXPLAIN (COSTS OFF) EXECUTE role_inval;`
	`865`	`+`
	`866`	`+-- Change back to rls_regress_user1`
	`867`	`+SET ROLE rls_regress_user1;`
	`868`	`+-- Check plan- should be back to original`
`860`	`869`	`EXPLAIN (COSTS OFF) EXECUTE role_inval;`
`861`	`870`
`862`	`871`	`--`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdb69e58

File tree

3 files changed

3 files changed

`‎src/backend/utils/cache/plancache.c`

`‎src/test/regress/expected/rowsecurity.out`

`‎src/test/regress/sql/rowsecurity.sql`

0 commit comments