Check if schema already exists before create extension [BF-2375]

If the schema aiven_extras already exists and belongs to an unprivileged user before adding the extension, it’s possible to abuse it to run some queries in the context of the superuser. [BF-2375]
aiven · Feb 14, 2024 · 005a008 · 005a008
1 parent 2ad4fc1
commit 005a008
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
-short_ver = 1.1.11
-last_ver = 1.1.10
+short_ver = 1.1.12
+last_ver = 1.1.11
 long_ver = $(shell git describe --long 2>/dev/null || echo $(short_ver)-0-unknown-g`git describe --always`)
 generated = aiven_extras.control \
 			sql/aiven_extras--$(short_ver).sql \

diff --git a/sql/aiven_extras--1.1.10--1.1.11.sql b/sql/aiven_extras--1.1.10--1.1.11.sql
@@ -0,0 +1 @@
+-- NOOP
diff --git a/sql/aiven_extras.sql b/sql/aiven_extras.sql
@@ -1,3 +1,14 @@
+-- Check that if schema already exist
+DO $$
+BEGIN
+    IF EXISTS (
+        SELECT * FROM information_schema.schemata WHERE schema_name = 'aiven_extras' AND schema_owner <> current_user
+    ) THEN
+        RAISE EXCEPTION 'Cannot create extension, schema ''aiven_extras'' owned by other user already exists';
+    END IF;
+END
+$$ LANGUAGE 'plpgsql';
+
 DO LANGUAGE plpgsql
 $OUTER$
 DECLARE