这是indexloc提供的服务,不要输入任何密码
Skip to content

Fixing vulnerability on Postgres DB handler that was exposing the database type #4294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 8, 2020
Merged

Fixing vulnerability on Postgres DB handler that was exposing the database type #4294

merged 4 commits into from
Apr 8, 2020

Conversation

@franciscofsales
Copy link
Contributor

@franciscofsales franciscofsales commented Apr 3, 2020
edited
Loading

Description

When using pagination on a query and using Hasura against postgres, if the users sends an invalid value for offset, example "1-1", the returned error is postgres query error. Exposing to the external world the database system being used. Changed the postgres specific error message to a generic database query error - no longer exposing database type.

Changelog

  • CHANGELOG.md is updated with user-facing content relevant to this PR.

Affected components

  • Server
  • Console
  • CLI
  • Docs
  • Community Content
  • Build System
  • Tests
  • Other (list it)

Related Issues

Solution and Design

Simply replace with a generic database mention.

Steps to test and verify

  • Send a query with pagination that on the offset parameter uses something that is not valid such as "1-1" - get an error that no longer refers postgres

Limitations, known bugs & workarounds

Nothing.

Server checklist

Nothing.

Catalog upgrade

Does this PR change Hasura Catalog version?

  • No
  • Yes
    • Updated docs with SQL for downgrading the catalog

Metadata

Does this PR add a new Metadata feature?

  • No
  • Yes
    • Does run_sql auto manages the new metadata through schema diffing?
      • Yes
      • Not required
    • Does run_sql auto manages the definitions of metadata on renaming?
      • Yes
      • Not required
    • Does export_metadata/replace_metadata supports the new metadata added?
      • Yes
      • Not required

GraphQL

  • No new GraphQL schema is generated
  • New GraphQL schema is being generated:
    • New types and typenames are correlated

Breaking changes

  • No Breaking changes

  • There are breaking changes:

    1. Metadata API

      Existing query types:

      • Modify args payload which is not backward compatible
      • Behavioural change of the API
      • Change in response JSON schema
      • Change in error code

    2. GraphQL API

      Schema Generation:

      • Change in any NamedType
      • Change in table field names

      Schema Resolve:-

      • Change in treatment of null value for any input fields

    3. Logging

      • Log JSON schema has changed
      • Log type names have changed

@franciscofsales franciscofsales requested review from a team as code owners April 3, 2020 19:22
@hasura-bot
Copy link
Contributor

hasura-bot commented Apr 3, 2020

Beep boop! 🤖

Hey @franciscofsales, thanks for your PR!

One of my human friends will review this PR and get back to you as soon as possible.

Stay awesome! 😎

@CLAassistant
Copy link

CLAassistant commented Apr 3, 2020
edited
Loading

CLA assistant check
All committers have signed the CLA.

@hasura-bot
Copy link
Contributor

hasura-bot commented Apr 3, 2020

Review app for commit b43459c deployed to Heroku: https://hge-ci-pull-4294.herokuapp.com
Docker image for server: hasura/graphql-engine:pull4294-b43459c0

marionschleifer
marionschleifer approved these changes Apr 3, 2020
View reviewed changes
Copy link
Contributor

@marionschleifer marionschleifer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changelog approved.

@hasura-bot
Copy link
Contributor

hasura-bot commented Apr 7, 2020

Review app for commit 1316f0f deployed to Heroku: https://hge-ci-pull-4294.herokuapp.com
Docker image for server: hasura/graphql-engine:pull4294-1316f0f6

@lexi-lambda lexi-lambda merged commit b02cd33 into hasura:master Apr 8, 2020
@hasura-bot
Copy link
Contributor

hasura-bot commented Apr 8, 2020

Beep boop! 🤖

GIF

Awesome work @franciscofsales! All of us at Hasura ❤️ what you did.

Thanks again 🤗

@hasura-bot
Copy link
Contributor

hasura-bot commented Apr 8, 2020

Review app https://hge-ci-pull-4294.herokuapp.com is deleted

@hasura-bot
Copy link
Contributor

hasura-bot commented Apr 8, 2020

Review app for commit 2c34a8d deployed to Heroku: https://hge-ci-pull-4294.herokuapp.com
Docker image for server: hasura/graphql-engine:pull4294-2c34a8d7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@lexi-lambda lexi-lambda lexi-lambda approved these changes

@marionschleifer marionschleifer marionschleifer approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

c/server Related to server community-contrib 🙏🏽

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@franciscofsales @hasura-bot @CLAassistant @lexi-lambda @marionschleifer