Merge pull request #66 from sev-2/feature/sec-rpc

FEAT: Follow Supabase Security Advisor to Use set_path in Functions
sev-2 · Sep 9, 2024 · 9d18cdc · 9d18cdc
2 parents f53c51d + ab24ec9
commit 9d18cdc
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 4 deletions.
diff --git a/pkg/resource/import.go b/pkg/resource/import.go
@@ -263,7 +263,7 @@ func generateImportResource(config *raiden.Config, importState *state.LocalState
 			if errGenRpc := generator.GenerateRpc(projectPath, config.ProjectName, resource.Functions, resource.Tables, captureFunc); errGenRpc != nil {
 				errChan <- errGenRpc
 			}
-			ImportLogger.Info("finish generate roles")
+			ImportLogger.Info("finish generate functions")
 		}
 
 		if len(resource.Storages) > 0 {

diff --git a/pkg/state/rpc_test.go b/pkg/state/rpc_test.go
@@ -89,7 +89,7 @@ func TestBindRpcFunction(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "get_submissions", fn.Name)
 	assert.Equal(t, "public", fn.Schema)
-	assert.Equal(t, "create or replace function public.get_submissions(scouter_name character varying, candidate_name text) returns table(id integer, created_at timestamp without time zone, sc_name character varying, c_name character varying) language plpgsql as $function$ begin return query select s.id, s.created_at, sc.name as sc_name, c.name as c_name from submission s inner join scouter sc on s.scouter_id = sc.scouter_id inner join candidate c on s.candidate_id = c.candidate_id where sc.name = scouter_name and c.name = candidate_name ; end; $function$", fn.CompleteStatement)
+	assert.Equal(t, "create or replace function public.get_submissions(scouter_name character varying, candidate_name text) returns table(id integer, created_at timestamp without time zone, sc_name character varying, c_name character varying) language plpgsql set search_path = '' as $function$ begin return query select s.id, s.created_at, sc.name as sc_name, c.name as c_name from submission s inner join scouter sc on s.scouter_id = sc.scouter_id inner join candidate c on s.candidate_id = c.candidate_id where sc.name = scouter_name and c.name = candidate_name ; end; $function$", fn.CompleteStatement)
 }
 
 func TestExtractRpcResult_ToDeleteFlatMap(t *testing.T) {
@@ -145,5 +145,5 @@ func TestRpcFunction_ReturnTrigger(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "create_profile", fn.Name)
 	assert.Equal(t, "public", fn.Schema)
-	assert.Equal(t, "create or replace function public.create_profile() returns trigger language plpgsql security definer as $function$ begin insert into public.users (firstname,lastname, email) values ( new.raw_user_meta_data ->> 'name', new.raw_user_meta_data ->> 'name', new.raw_user_meta_data ->> 'email' ) ; return new ; end; $function$", fn.CompleteStatement)
+	assert.Equal(t, "create or replace function public.create_profile() returns trigger language plpgsql security definer set search_path = '' as $function$ begin insert into public.users (firstname,lastname, email) values ( new.raw_user_meta_data ->> 'name', new.raw_user_meta_data ->> 'name', new.raw_user_meta_data ->> 'email' ) ; return new ; end; $function$", fn.CompleteStatement)
 }
diff --git a/pkg/state/state.go b/pkg/state/state.go
@@ -376,6 +376,7 @@ func Save(state *State) error {
 	defer file.Close()
 
 	StateLogger.Debug("generate local state", "path", filePath)
+	gob.Register(map[string]interface{}{})
 	encoder := gob.NewEncoder(file)
 	if err := encoder.Encode(state); err != nil {
 		RestoreFromTmp(tmpFilePath)
@@ -451,6 +452,7 @@ func Load() (*State, error) {
 	defer file.Close()
 
 	state := &State{}
+	gob.Register(map[string]interface{}{})
 	decoder := gob.NewDecoder(file)
 	if err := decoder.Decode(state); err != nil {
 		return nil, err

diff --git a/rpc_test.go b/rpc_test.go
@@ -69,7 +69,7 @@ func TestCreateQuery(t *testing.T) {
 	assert.Equal(t, "get_submissions", rpc.GetName())
 	assert.Equal(t, "public", rpc.GetSchema())
 
-	expectedCompleteQuery := "create or replace function public.get_submissions(scouter_name character varying, candidate_name text) returns table(id integer, created_at timestamp without time zone, sc_name character varying, c_name character varying) language plpgsql as $function$ begin return query select s.id, s.created_at, sc.name as sc_name, c.name as c_name from submission s inner join scouter sc on s.scouter_id = sc.scouter_id inner join candidate c on s.candidate_id = c.candidate_id where sc.name = scouter_name and c.name = candidate_name ; end; $function$"
+	expectedCompleteQuery := "create or replace function public.get_submissions(scouter_name character varying, candidate_name text) returns table(id integer, created_at timestamp without time zone, sc_name character varying, c_name character varying) language plpgsql set search_path = '' as $function$ begin return query select s.id, s.created_at, sc.name as sc_name, c.name as c_name from submission s inner join scouter sc on s.scouter_id = sc.scouter_id inner join candidate c on s.candidate_id = c.candidate_id where sc.name = scouter_name and c.name = candidate_name ; end; $function$"
 	assert.Equal(t, expectedCompleteQuery, rpc.GetCompleteStmt())
 }