From: KaiGai Kohei on
(2010/07/20 2:13), Heikki Linnakangas wrote:
> On 09/07/10 06:47, KaiGai Kohei wrote:
>> When leaky and non-leaky functions are chained within a WHERE clause,
>> it will be ordered by the cost of functions. So, we have possibility
>> that leaky functions are executed earlier than non-leaky functions.
>
> No, that needs to be forbidden as part of the fix. Leaky functions must
> not be executed before all the quals from the view are evaluated.
>

IIUC, a view is extracted to a subquery in the rewriter phase, then it
can be pulled up to join clause at pull_up_subqueries(). In this case,
WHERE clause may have the quals come from different origins, isn't it?

E.g)
SELECT * FROM v1 WHERE f_malicious(v1.a);

At the rewriter:
-> SELECT v1.* FROM (SELECT * FROM t1 WHERE f_policy(t1.b)) v1 WHERE f_malicious(v1.a);

At the pull_up_subqueries()
-> SELECT * FROM t1 WHERE f_policy(t1.b) AND f_malicious(t1.a);
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
cost = 100 cost = 0.0001

Apart from an idea of secure/leaky function mark, isn't it necessary any
mechanism to enforce f_policy() shall be executed earlier than f_malicious()?

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: KaiGai Kohei on
(2010/07/20 2:19), Heikki Linnakangas wrote:
> On 19/07/10 20:08, Robert Haas wrote:
>> 2010/7/8 KaiGai Kohei<kaigai(a)ak.jp.nec.com>:
>>> (2010/07/08 22:08), Robert Haas wrote:
>>>> I think we pretty much have conceptual agreement on the shape of the
>>>> solution to this problem: when a view is created with CREATE SECURITY
>>>> VIEW, restrict functions and operators that might disclose tuple data
>>>> from being pushed down into view (unless, perhaps, the user invoking
>>>> the view has sufficient privileges to execute the underlying query
>>>> anyhow, e.g. superuser or view owner). What we have not resolved is
>>>> exactly how we're going to decide which functions and operators might
>>>> do such a dastardly thing. I think the viable options are as follows:
>>>>
>>>> 1. Adopt Heikki's proposal of treating indexable operators as
>>>> non-leaky.
>>>>
>>>> http://archives.postgresql.org/pgsql-hackers/2010-06/msg00291.php
>>>>
>>>> Or, perhaps, and even more restrictively, treat only
>>>> hashable/mergeable operators as non-leaky.
>>>>
>>>> 2. Add an explicit flag to pg_proc, which can only be set by
>>>> superusers (and which is cleared if a non-superuser modifies it in any
>>>> way), allowing a function to be tagged as non-leaky. I believe that
>>>> it would be reasonable to set this flag for all of our built-in
>>>> indexable operators (though I'd read the code before doing it), but it
>>>> would remove the need for the assumption that third-party operators
>>>> are equally sane.
>>>>
>>>> CREATE OR REPLACE FUNCTION doesnt_leak() RETURNS integer AS $$SELECT
>>>> 42$$ IMMUTABLE SEAWORTHY; -- doesn't leak
>>>>
>>>> This problem is not going away, so we should try to decide on
>>>> something.
>>>>
>>> I'd like to vote the second option, because this approach will be also
>>> applied on another aspect of leaky views.
>>>
>>> When leaky and non-leaky functions are chained within a WHERE clause,
>>> it will be ordered by the cost of functions. So, we have possibility
>>> that leaky functions are executed earlier than non-leaky functions.
>>>
>>> It will not be an easy work to mark built-in functions as either leaky
>>> or non-leaky, but it seems to me the most straight forward solution.
>>
>> Does anyone else have an opinion on this?
>
> I have a bad feeling that marking functions explicitly as seaworthy is
> going to be hard to get right, and every time you get that wrong it's a
> security issue.
>
Yes, it is indeed a uphill work to mark either secure or leaky on the
functions correctly. :(

> On the other hand, if it's enough from a performance
> point of view to review and mark only a few built-in functions like
> index operators, maybe it's ok.
>
I also think it is a worthful idea to try as a proof-of-concept.

If we only allow to push down indexable operators, do you have any idea
to distinguish between a purely indexable operator qual and others?
At the distribute_qual_to_rels() stage, how can we find out a qual which
is consist of only indexable operators?

> It would be easier to assess this if we had a patch to play with that
> contained all the planner changes to keep track of the seaworthiness of
> functions and apply the quals in right order. You could then try out
> different scenarios to see what the performance is like.
>
> I guess what I'm saying is "write a patch, and I'll shoot it down when
> you're done" :-/. But hopefully the planner changes don't depend much on
> how we deduce which quals are leaky.
>
I agree. The decision to mark either secure or leaky on functions should
be done independently from the planner code, like contain_volatile_functions().

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
2010/7/21 KaiGai Kohei <kaigai(a)ak.jp.nec.com>:
> (2010/07/20 2:13), Heikki Linnakangas wrote:
>> On 09/07/10 06:47, KaiGai Kohei wrote:
>>> When leaky and non-leaky functions are chained within a WHERE clause,
>>> it will be ordered by the cost of functions. So, we have possibility
>>> that leaky functions are executed earlier than non-leaky functions.
>>
>> No, that needs to be forbidden as part of the fix. Leaky functions must
>> not be executed before all the quals from the view are evaluated.
>>
>
> IIUC, a view is extracted to a subquery in the rewriter phase, then it
> can be pulled up to join clause at pull_up_subqueries(). In this case,
> WHERE clause may have the quals come from different origins, isn't it?
>
> E.g)
> �SELECT * FROM v1 WHERE f_malicious(v1.a);
>
> �At the rewriter:
> �-> SELECT v1.* FROM (SELECT * FROM t1 WHERE f_policy(t1.b)) v1 WHERE f_malicious(v1.a);
>
> �At the pull_up_subqueries()
> �-> SELECT * FROM t1 WHERE f_policy(t1.b) AND f_malicious(t1.a);
> � � � � � � � � � � � � � �^^^^^^^^^^^^^^ � � ^^^^^^^^^^^^^^^^^
> � � � � � � � � � � � � � � cost = 100 � � � � cost = 0.0001
>
> Apart from an idea of secure/leaky function mark, isn't it necessary any
> mechanism to enforce f_policy() shall be executed earlier than f_malicious()?

I think you guys are in fact agreeing with each other.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
2010/7/21 KaiGai Kohei <kaigai(a)ak.jp.nec.com>:
>> On the other hand, if it's enough from a performance
>> point of view to review and mark only a few built-in functions like
>> index operators, maybe it's ok.
>>
> I also think it is a worthful idea to try as a proof-of-concept.

Yeah. So, should we mark this patch as Returned with Feedback, and
you can submit a proof-of-concept patch for the next CF?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: KaiGai Kohei on
(2010/07/21 19:26), Robert Haas wrote:
> 2010/7/21 KaiGai Kohei<kaigai(a)ak.jp.nec.com>:
>>> On the other hand, if it's enough from a performance
>>> point of view to review and mark only a few built-in functions like
>>> index operators, maybe it's ok.
>>>
>> I also think it is a worthful idea to try as a proof-of-concept.
>
> Yeah. So, should we mark this patch as Returned with Feedback, and
> you can submit a proof-of-concept patch for the next CF?
>
Yes, it's fair enough.

--
KaiGai Kohei <kaigai(a)kaigai.gr.jp>

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers