dalibo / explain.dalibo.com

PEV2 Flask service. Visualizing and understanding PostgreSQL EXPLAIN plans made easy.
PostgreSQL License

Use more entropy when generating plan links #4

Closed nightpool closed 1 year ago

nightpool commented 2 years ago

When I generate an explain query link to share with my team, I expect it to only be viewable by the people I send it to. However, the existing query plan links are very short, and extremely low entropy—there are only 140,608 possible plans with 3 character IDs! I was easily able to view other stored plans on the server by just guessing random 3-letter alphabetic IDs. Please update your ID system so that you have at least 64, and preferably 128, bits of entropy, to make it harder to enumerate random query plans.

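As an added illustration (not code from the explain.dalibo.com project), the arithmetic behind the request above in Python: the size and entropy of an ID scheme, the length needed to reach a target number of bits, and an ID generator built on the `secrets` module. The 62-character alphabet and the 1,000 stored-plan figure are assumptions, not values from the issue.

```python
import math
import secrets
import string


def id_space(alphabet_size: int, length: int) -> int:
    """Number of distinct IDs the scheme can produce."""
    return alphabet_size ** length


def id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every ID in the space is equally likely."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Shortest ID length whose space holds at least 2**target_bits values."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_guesses_to_hit(alphabet_size: int, length: int, stored: int) -> float:
    """Rough expected number of uniform random guesses before one lands on
    any of `stored` existing IDs (space divided by occupied slots)."""
    return id_space(alphabet_size, length) / stored


# Assumed alphabet: letters and digits, 62 symbols, safe in a URL path.
ALPHABET = string.ascii_letters + string.digits


def generate_plan_id(target_bits: int = 128) -> str:
    """Unpredictable ID sized so the space is at least 2**target_bits.
    secrets.choice draws from the OS CSPRNG, unlike random.choice."""
    length = min_length_for_bits(len(ALPHABET), target_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The scheme described in the issue: 3 case-sensitive letters.
    print("3-letter IDs:", id_space(52, 3), "values,",
          round(id_entropy_bits(52, 3), 1), "bits")
    # Constructed figure: suppose 1,000 plans are stored on the server.
    print("guesses per hit at 1,000 stored plans:",
          round(expected_guesses_to_hit(52, 3, 1000)))
    for bits in (64, 128):
        print(bits, "bits needs", min_length_for_bits(62, bits), "chars:",
              generate_plan_id(bits))
```
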
pgiraud commented 2 years ago

Mentioned here https://github.com/dalibo/pev2/issues/319#issuecomment-749248822

pgiraud commented 2 years ago

@nightpool issue transferred to the repository where the code serving explain.dalibo.com is published.