Remove df.debug_connection(); reclassify #110 as non-security cleanup#250
Open
crprashant wants to merge 1 commit into
Open
Remove df.debug_connection(); reclassify #110 as non-security cleanup#250crprashant wants to merge 1 commit into
crprashant wants to merge 1 commit into
Conversation
crprashant
force-pushed
the
crprashant/fix-issue-110-drop-debug-connection
branch
from
6bf2085 to
588af81
Compare
… as non-security cleanup
pinodeca
force-pushed
the
crprashant/fix-issue-110-drop-debug-connection
branch
from
588af81 to
c7688f5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes
df.debug_connection()from the pg_durable SQL surface and reclassifies issue #110 from a security finding to non-security cleanup.df.debug_connection()returned the worker connection stringpostgres://<role>@<host>:<port>/<db>— no password or credential. The worker role it exposed is already world-readable through native PostgreSQL channels (thepg_durable.worker_roleGUC andpg_stat_activity.usename), and the remaining fields (database, host/port, schema) are connection-topology metadata, not secrets. The function disclosed nothing that isn't already available, so removing it is surface reduction — not a vulnerability fix.Closes #110.
What changed
0.2.3 → 0.2.4upgrade script (sql/pg_durable--0.2.3--0.2.4.sql)DROPs it, and fresh installs never emit it.src/dsl.rs): the Rust#[pg_extern]is annotatedsql = false, so fresh installs create noCREATE FUNCTION, but the underlying C wrapper symbol (debug_connection_wrapper) stays in the.so. Pre-0.2.4 schemas (which still carryCREATE FUNCTION ... 'debug_connection_wrapper') keep resolving the symbol until the customer runsALTER EXTENSION pg_durable UPDATE. No runtime behavior changes — the background worker builds its connection from an internal Rust helper, not this SQL function.src/lib.rs): the oldtest_debug_connection_returns_info(which called the now-removed function) is replaced bytest_connection_info_builders, which exercises thepostgres_connection_string()/backend_duroxide_schema()builders directly.CHANGELOG.md(new### Removedentry),docs/security-review/security-review.md(I-7 reclassified Medium → Info / ✅ Resolved, recommendation 6 struck through as superseded),docs/security-review/workbook-data.md(function row removed),docs/upgrade-testing.md(v0.2.3→v0.2.4 Security: restrict df.debug_connection() and redact connection info from PG logs #110 notes covering symbol retention, the dependent-objectRESTRICTbehavior, and aPROVIDER_COMPAT_START_VERSIONshim-removal reminder).Relationship to #242 (already merged)
This PR sits on top of #242, which simplified
df.grant_usage()/df.revoke_usage()by removing their per-functionEXECUTEallowlist (func_sigs). The original version of this PR also edited that allowlist to drop'df.debug_connection()'from it — but #242 removed the whole allowlist, so that edit is now obsolete. As a result:DROPs the function; nogrant_usagechange is needed to account for the removal.src/lib.rscarries only the unit-test change above — itsgrant_usagebody is Simplify df.grant_usage/df.revoke_usage privilege helpers #242's, untouched here.Testing
scripts/test-upgrade.sh): 36/36, including a new B2 regression test — afterALTER EXTENSION UPDATE,df.debug_connection()is absent and the simplifieddf.grant_usage()still runs cleanly and actually grants a privilege against the upgraded schema.tests/e2e/sql/18_delegated_grants.sql): added a fresh-install assertion thatdf.debug_connection()is never created. Full suite green except one unrelated, pre-existing failure (45_connection_limit_timeout) that is fixed separately in Implement full UUID instance/node IDs (#129) #238.cargo fmt --check, build,clippy(no new warnings), and unit tests (170 passed) all green.Upgrade & compatibility
.sovs old 0.2.2 / 0.2.3 schemas, no UPDATE): passes — thedebug_connection_wrapperC symbol is retained by thesql = falseshim.DROP FUNCTION IF EXISTS df.debug_connection()uses defaultRESTRICT; if a customer object depends on the function the upgrade aborts with a dependency error (intentional — noCASCADE).