Quick Links

Re: Limiting the operations that client-side code can perform upon its database backend's artifacts

From:	Julien Rouhaud <rjuju123(at)gmail(dot)com>
To:	Bryn Llewellyn <bryn(at)yugabyte(dot)com>
Cc:	pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject:	Re: Limiting the operations that client-side code can perform upon its database backend's artifacts
Date:	2022-09-27 06:58:58
Message-ID:	20220927065858.ibrmzrrbefjq5o4l@jrouhaud
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-general

On Mon, Sep 26, 2022 at 11:18:34AM -0700, Bryn Llewellyn wrote:
>
> My demo seems to show that when a program connects as "client", it can
> perform exactly and only the database operations that the database design
> specified.
>
> Am I missing something? In other words, can anybody show me a vulnerability?

What exactly prevents the client role from inserting e.g.

- 'robert''); drop table students; --'
- millions of 'cat' rows
- millions of 1GB-large rows

or just keep sending massive invalid query texts to fill the logs, or just
trying to connect until there's no available connection slots anymore, and then
keep spamming the server thousands of time per second to try to open new
connections, or ...?

In response to

Limiting the operations that client-side code can perform upon its database backend's artifacts at 2022-09-26 18:18:34 from Bryn Llewellyn

Responses

Re: Limiting the operations that client-side code can perform upon its database backend's artifacts at 2022-09-27 22:26:37 from Peter J. Holzer
Re: Limiting the operations that client-side code can perform upon its database backend's artifacts at 2022-09-28 00:11:36 from Bryn Llewellyn

Browse pgsql-general by date

	From	Date	Subject
Next Message	Andreas Fröde	2022-09-27 12:12:08	Re: Findout long unused tables in database
Previous Message	Andreas Kretschmer	2022-09-27 06:35:39	Re: Findout long unused tables in database