INSERT ... RETURNING does not require a SELECT privilege [CORE6335] #6576
Labels
affect-version: 2.5.1
affect-version: 2.5.2 Update 1
affect-version: 2.5.2
affect-version: 2.5.3 Update 1
affect-version: 2.5.3
affect-version: 2.5.4
affect-version: 2.5.5
affect-version: 2.5.6
affect-version: 2.5.7
affect-version: 2.5.8
affect-version: 2.5.9
affect-version: 3.0.0
affect-version: 3.0.1
affect-version: 3.0.2
affect-version: 3.0.3
affect-version: 3.0.4
affect-version: 3.0.5
affect-version: 4.0 Alpha 1
affect-version: 4.0 Beta 1
affect-version: 4.0 Beta 2
affect-version: 4.0 Initial
component: engine
fix-version: 4.0 RC 1
priority: minor
qa: covered by another tests
type: bug
Submitted by: @dyemanov
While UPDATE ... RETURNING and DELETE ... RETURNING require a SELECT privilege, INSERT ... RETURNING does not enforce that. It may look logical from the first glance, as there is usually no implicit cursor (that always exists for UPDATE/DELETE) and there's no OLD context for INSERT, so you can read only values from the row being inserted by yourself. However, some fields may be assigned implicitly (DEFAULT clause, GENERATED AS IDENTITY clause, BEFORE INSERT triggers) and the fact they can be read using the RETURNING clause looks like a minor security issue.
RETURNING is a non-standard extension, but the SQl specification includes <data change delta table> which is derived from rows changed by INSERT/UPDATE/DELETE statements, And it's explicitly specified that any column referenced in <data change delta table> require a SELECT permission on the target table for underlying INSERT/UPDATE/DELETE.
I suspect there may be a backward compatibility issue for those using INSERT ... RETURNING <generated PK> without a SELECT privilege granted. Thus backporting into v3 is questionable, I need other opinions in this regard.
Commits: 5e01527
====== Test Details ======
See functional/tabloid/dml-privileges-sufficiency.fbt
The text was updated successfully, but these errors were encountered: