Skip to content

Do not log inserted or updated columns against the SELECT grant.#323

Open
dwsteele wants to merge 2 commits into
pgaudit:integrationfrom
dwsteele:dev-acl-fix
Open

Do not log inserted or updated columns against the SELECT grant.#323
dwsteele wants to merge 2 commits into
pgaudit:integrationfrom
dwsteele:dev-acl-fix

Conversation

@dwsteele

Copy link
Copy Markdown
Contributor

log_select_dml() builds auditPerms as the union of all permissions the statement requires, which for INSERT ... RETURNING or UPDATE ... RETURNING includes ACL_SELECT alongside ACL_INSERT/ACL_UPDATE. The inserted- and updated-column checks passed this combined mask to audit_on_any_attribute(), so a column-level SELECT grant matched a column that was only written (inserted or updated) but never read. This produced a spurious audit record, e.g. GRANT SELECT (col2) caused INSERT INTO t (col1, col2) VALUES (...) RETURNING col1 to be logged even though col2 is not returned.

Check insertedCols against ACL_INSERT and updatedCols against ACL_UPDATE so each column set is tested only for the access it actually represents. The select-column check already used ACL_SELECT and is unchanged.

Add regression coverage with INSERT/UPDATE ... RETURNING cases that exercise both the written-but-not-returned (not logged) and returned (logged) paths.

Reported-by: @fabiobaiao

log_select_dml() builds auditPerms as the union of all permissions the statement requires, which for INSERT ... RETURNING or UPDATE ... RETURNING includes ACL_SELECT alongside ACL_INSERT/ACL_UPDATE. The inserted- and updated-column checks passed this combined mask to audit_on_any_attribute(), so a column-level SELECT grant matched a column that was only written (inserted or updated) but never read. This produced a spurious audit record, e.g. GRANT SELECT (col2) caused INSERT INTO t (col1, col2) VALUES (...) RETURNING col1 to be logged even though col2 is not returned.

Check insertedCols against ACL_INSERT and updatedCols against ACL_UPDATE so each column set is tested only for the access it actually represents. The select-column check already used ACL_SELECT and is unchanged.

Add regression coverage with INSERT/UPDATE ... RETURNING cases that exercise both the written-but-not-returned (not logged) and returned (logged) paths.

Reported-by: @fabiobaiao
Comment thread sql/pgaudit.sql
-- Object logged because of:
-- select (col2) on test5 (col2 is read via RETURNING)
UPDATE public.test5
SET col1 = 2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are non-matching columns here significant? i.e., would SET col2 = ... returning col2 behave the same way? Also do any OLD/NEW references matter here, or am I thinking of a trigger-only behavior?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are non-matching columns here significant?

Yes. We are trying to show that only the returning clause generates an audit record.

i.e., would SET col2 = ... returning col2 behave the same way?

It would, since the part triggering the audit is the returning clause. I added a test in 4625539 to demonstrate this.

Also do any OLD/NEW references matter here, or am I thinking of a trigger-only behavior?

They are not significant here since we are only examining the column ACLs. The actual values are not relevant. I added a test in 4625539 to prove this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

INSERT with RETURNING emits a log over a column that's not being selected

2 participants