| author | Amit Kapila | 2024-02-29 04:15:20 +0000 |
|---|---|---|
| committer | Amit Kapila | 2024-02-29 04:15:20 +0000 |
| commit | b3f6b14cf48ffa81084072f1fdeee2fe9df20746 (patch) | |
| tree | 43bfea9a35c9fe1f09e022035a28d40175de418c /src/test | |
| parent | ada87a4d95fc39dfb1214edf6653390314b6f0df (diff) | |
Fixups for commit 93db6cbda0.
Ensure that an always-secure search path is set for both local and remote
connections during slot synchronization, so that malicious users can't
redirect user code (e.g. operators).
In passing, improve the name of a define, remove a spurious return
statement, and make a minor change to one of the comments.
Author: Bertrand Drouvot and Shveta Malik
Reviewed-by: Amit Kapila, Peter Smith
Discussion: https://postgr.es/m/514f6f2f-6833-4539-39f1-96cd1e011f23@enterprisedb.com
Discussion: https://postgr.es/m/ZdcejBDCr+wlVGnO@ip-10-97-1-34.eu-west-3.compute.internal
Discussion: https://postgr.es/m/CAJpy0uBNP=nrkNJkJSfF=jSocEh8vU2Owa8Rtpi=63fG=SvfVQ@mail.gmail.com
Diffstat (limited to 'src/test')
| -rw-r--r-- | src/test/recovery/t/040_standby_failover_slots_sync.pl | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/src/test/recovery/t/040_standby_failover_slots_sync.pl b/src/test/recovery/t/040_standby_failover_slots_sync.pl
index 968aa7b05bf..825c26da6f2 100644
--- a/src/test/recovery/t/040_standby_failover_slots_sync.pl
+++ b/src/test/recovery/t/040_standby_failover_slots_sync.pl
@@ -362,6 +362,60 @@ ok( $stderr =~
 $cascading_standby->stop;
 ##################################################
+# Test to confirm that the slot synchronization is protected from malicious
+# users.
+##################################################
+
+$primary->psql('postgres', "CREATE DATABASE slotsync_test_db");
+$primary->wait_for_replay_catchup($standby1);
+
+$standby1->stop;
+
+# On the primary server, create '=' operator in another schema mapped to
+# inequality function and redirect the queries to use new operator by setting
+# search_path. The new '=' operator is created with leftarg as 'bigint' and
+# right arg as 'int' to redirect 'count(*) = 1' in slot sync's query to use
+# new '=' operator.
+$primary->safe_psql(
+ 'slotsync_test_db', q{
+
+CREATE ROLE repl_role REPLICATION LOGIN;
+CREATE SCHEMA myschema;
+
+CREATE FUNCTION myschema.myintne(bigint, int) RETURNS bool as $$
+ BEGIN
+ RETURN $1 <> $2;
+ END;
+ $$ LANGUAGE plpgsql immutable;
+
+CREATE OPERATOR myschema.= (
+ leftarg = bigint,
+ rightarg = int,
+ procedure = myschema.myintne);
+
+ALTER DATABASE slotsync_test_db SET SEARCH_PATH TO myschema,pg_catalog;
+GRANT USAGE on SCHEMA myschema TO repl_role;
+});
+
+# Start the standby with changed primary_conninfo.
+$standby1->append_conf('postgresql.conf', "primary_conninfo = '$connstr_1 dbname=slotsync_test_db user=repl_role'");
+$standby1->start;
+
+# Run the synchronization function. If the sync flow was not prepared
+# to handle such attacks, it would have failed during the validation
+# of the primary_slot_name itself resulting in
+# ERROR: slot synchronization requires valid primary_slot_name
+$standby1->safe_psql('slotsync_test_db', "SELECT pg_sync_replication_slots();");
+
+# Reset the dbname and user in primary_conninfo to the earlier values.
+$standby1->append_conf('postgresql.conf', "primary_conninfo = '$connstr_1 dbname=postgres'");
+$standby1->reload;
+
+# Drop the newly created database.
+$primary->psql('postgres',
+ q{DROP DATABASE slotsync_test_db;});
+
+##################################################
 # Test to confirm that the slot sync worker exits on invalid GUC(s) and
 # get started again on valid GUC(s).
 ################################################## |
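Review bot: Nothing in the added block proves that the search_path trap is actually armed: the only check is that `$standby1->safe_psql('slotsync_test_db', "SELECT pg_sync_replication_slots();")` does not die, so the test would also pass if the database-level `search_path` or the `myschema.=` operator never took effect. A sanity assertion on the primary right after the setup `safe_psql` would close that gap, for example `is($primary->safe_psql('slotsync_test_db', 'SELECT 1::bigint = 1::int'), 'f', 'redirected = operator is used by an unprotected session');`. Separately, the `CREATE DATABASE` and `DROP DATABASE` calls go through `psql` and their results are not checked in this hunk, and `repl_role` is never dropped. Using `safe_psql` for both and adding `DROP ROLE repl_role;` to the cleanup would keep a failed teardown from leaving the hostile schema and role behind unnoticed for the tests that follow.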
