From f419e3a657ff3b8c1a46979325cbb91ea10bc0f7 Mon Sep 17 00:00:00 2001 From: Raminder Singh Date: Fri, 10 Nov 2023 13:35:42 +0530 Subject: [PATCH] only allow certain extensions in requires key in control file --- ...ow_publishing_relocatable_and_requires.sql | 134 ++++++++++++++++++ 1 file changed, 134 insertions(+) diff --git a/supabase/migrations/20231110061036_allow_publishing_relocatable_and_requires.sql b/supabase/migrations/20231110061036_allow_publishing_relocatable_and_requires.sql index 0b502ef3..8cea28af 100644 --- a/supabase/migrations/20231110061036_allow_publishing_relocatable_and_requires.sql +++ b/supabase/migrations/20231110061036_allow_publishing_relocatable_and_requires.sql @@ -1,3 +1,124 @@ +-- A list of extensions which are allowed in the requires key of the control file +create table app.allowed_extensions ( + name text primary key +); + +insert into app.allowed_extensions (name) +values +-- extensions available on Supabase + ('citext'), + ('pg_cron'), + ('pg_graphql'), + ('pg_stat_statements'), + ('pg_trgm'), + ('pg_crypto'), + ('pg_jwt'), + ('pg_sodium'), + ('plpgsql'), + ('uuid-ossp'), + ('address_standardizer'), + ('address_standardizer_data_us'), + ('autoinc'), + ('bloom'), + ('btree_gin'), + ('btree_gist'), + ('cube'), + ('dblink'), + ('dict_int'), + ('dict_xsyn'), + ('earthdistance'), + ('fuzzystrmatch'), + ('hstore'), + ('http'), + ('hypopg'), + ('insert_username'), + ('intarray'), + ('isn'), + ('ltree'), + ('moddatetime'), + ('pg_hashids'), + ('pg_jsonschema'), + ('pg_net'), + ('pg_repack'), + ('pg_stat_monitor'), + ('pg_walinspect'), + ('pgaudit'), + ('pgroonga'), + ('pgroonga_database'), + ('pgrouting'), + ('pgrowlocks'), + ('pgtap'), + ('plcoffee'), + ('pljava'), + ('plls'), + ('plpgsql_check'), + ('plv8'), + ('postgis'), + ('postgis_raster'), + ('postgis_sfcgal'), + ('postgis_tiger_geocoder'), + ('postgis_topology'), + ('postgres_fdw'), + ('refint'), + ('rum'), + ('seg'), + ('sslinfo'), + ('supautils'), + ('tablefunc'), + ('tcn'), + ('timescaledb'), + ('tsm_system_rows'), + ('tsm_system_time'), + ('unaccent'), + ('vector'), + ('wrappers'), + +-- extensions available on AWS (except those already in Supabase) +-- full list here: https://docs.aws.amazon.com/AmazonRDS/latest/PostgreSQLReleaseNotes/postgresql-extensions.html + ('amcheck'), + ('aws_commons'), + ('aws_lambda'), + ('aws_s3'), + ('bool_plperl'), + ('decoder_raw'), + ('h3-pg'), + ('hll'), + ('hstore_plperl'), + ('intagg'), + ('ip4r'), + ('jsonb_plperl'), + ('lo'), + ('log_fdw'), + ('mysql_fdw'), + ('old_snapshot'), + ('oracle_fdw'), + ('orafce'), + ('pageinspect'), + ('pg_bigm'), + ('pg_buffercache'), + ('pg_freespacemap'), + ('pg_hint_plan'), + ('pg_partman'), + ('pg_prewarm'), + ('pg_proctab'), + ('pg_similarity'), + ('pg_tle'), + ('pg_transport'), + ('pg_visibility'), + ('pgcrypto'), + ('pgstattuple'), + ('pgvector'), + ('plperl'), + ('plprofiler'), + ('plrust'), + ('pltcl'), + ('prefix'), + ('rdkit'), + ('rds_tools'), + ('tds_fdw'), + ('test_parser'), + ('wal2json'); + grant insert (partial_name, handle, control_description, control_relocatable, control_requires) on app.packages to authenticated; @@ -17,11 +138,24 @@ create or replace function public.publish_package( as $$ declare account app.accounts = account from app.accounts account where id = auth.uid(); + require text; begin if account.handle is null then raise exception 'user not logged in'; end if; + foreach require in array requires + loop + if not exists ( + select true + from app.allowed_extensions + where + name = require + ) then + raise exception '`requires` in the control file can''t have `%` in it', require; + end if; + end loop; + insert into app.packages(handle, partial_name, control_description, control_relocatable, control_requires) values (account.handle, package_name, package_description, relocatable, requires) on conflict on constraint packages_handle_partial_name_key