reductionista commented on a change in pull request #554:
URL: https://github.com/apache/madlib/pull/554#discussion_r586978514



##########
File path: src/ports/postgres/modules/utilities/utilities.py_in
##########
@@ -775,6 +775,17 @@ def is_superuser(user):
     return plpy.execute("SELECT rolsuper FROM pg_catalog.pg_roles "\
                         "WHERE rolname = '{0}'".format(user))[0]['rolsuper']
 
+def get_table_owner(schema_table):
+
+    split_table = schema_table.split(".",1)
+    schema = split_table[0]
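
Review bot: `schema_table.split(".",1)` at the top of `get_table_owner` takes everything before the first dot as the schema, so the schema and table are decided by the shape of the caller's string rather than by identifier rules: a double-quoted identifier that contains dots is cut in the middle, and a name with no dot leaves `split_table` with a single element. Suggest parsing the name with quoted-identifier rules (or resolving it once, for example through a `regclass` cast, and looking the owner up by OID), rejecting anything that is not an explicit two-part name, and adding a docstring that states the accepted input format. The `is_superuser` context line above also formats `user` directly into the SQL text, a pattern the new function should not copy for its own lookup.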

Review comment:
   I think we need to be more careful here.

   Let's say there is a custom function table an admin created called `madlib.custom_functions`

   I think I see a loophole in the way `get_table_owner` is implemented which allows any ordinary user to gain admin access.

   Steps:
   1.  User creates a table in public schema named "madlib.custom_functions.haha", filling it with their own malicious custom functions.
   2.  User sets search_path=madlib,public
   3.  Malicious user passes object_table='madlib.custom_functions.haha' to MADlib function

   Seems like this would pass the security check, and then proceed to load the custom functions from the user's table instead of the admin's table.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
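
The name ambiguity raised in the review comment above, as an added example (not code from the MADlib pull request): it contrasts the `split(".",1)` from the hunk with a parser that follows PostgreSQL's double-quote identifier syntax and accepts only an explicit two-part name. `naive_split`, `parse_qualified_name` and `require_schema_table` are hypothetical names, and unquoted identifiers are limited to ASCII here as a simplification.

```python
import re

# Unquoted identifier, ASCII only here (a simplification of PostgreSQL's rule).
_UNQUOTED = re.compile(r'[A-Za-z_][A-Za-z0-9_$]*')
# Double-quoted identifier; "" inside the quotes stands for one literal quote.
_QUOTED = re.compile(r'"((?:[^"]|"")+)"')


def naive_split(name):
    """The split from the hunk: text before the first dot is the schema."""
    return name.split(".", 1)


def parse_qualified_name(name):
    """Return the identifier parts of a dotted name, honouring double quotes.
    Unquoted parts are folded to lower case, as PostgreSQL does.
    Raises ValueError if the string is not a well-formed dotted name.
    """
    parts, pos = [], 0
    while True:
        m = _QUOTED.match(name, pos)
        if m:
            parts.append(m.group(1).replace('""', '"'))
        else:
            m = _UNQUOTED.match(name, pos)
            if not m:
                raise ValueError("bad identifier at offset %d in %r" % (pos, name))
            parts.append(m.group(0).lower())
        pos = m.end()
        if pos == len(name):
            return parts
        if name[pos] != ".":
            raise ValueError("expected '.' at offset %d in %r" % (pos, name))
        pos += 1


def require_schema_table(name):
    """Accept only an explicit two-part schema.table name (hypothetical policy)."""
    parts = parse_qualified_name(name)
    if len(parts) != 2:
        raise ValueError("expected schema.table, got %d part(s)" % len(parts))
    return tuple(parts)


if __name__ == "__main__":
    # Constructed inputs, taken from the names used in the review comment.
    for s in ('madlib.custom_functions', 'madlib.custom_functions.haha',
              '"madlib.custom_functions.haha"'):
        print(repr(s), naive_split(s), parse_qualified_name(s))
```

The first-dot split and the identifier-aware parse agree only on the plain two-part name; for the other two inputs they disagree on what the schema and table are, which is the gap an ownership check has to close before trusting the result.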

