duckdb / pg_duckdb

DuckDB-powered Postgres for high performance apps & analytics.
MIT License

security: GUC to block access to local filesystem #105

Closed wuputah closed 1 week ago

wuputah commented 2 months ago

Discussed this a long time ago... but currently we allow DuckDB to read from the local filesystem. This is a security risk; the CSV reader is particularly easy to use here since it will read just about any plain text file.

This should instead be controllable via a GUC, default disabled, that can only be enabled by superuser.

JohnHVancouver commented 2 months ago

Another option would be to restrict it to certain directories?

wuputah commented 2 months ago

Yeah, could certainly do that as a further enhancement. My thought was you either are cool with accessing the filesystem (for testing, running on localhost, etc), or you're not (hosted / production environment).

wearpants commented 2 months ago

I have production uses for local data (not just dev/testing) & so would like this restricted to certain directories, instead of just on/off.

/etc/passwd is a world-readable CSV file 😅

JelteF commented 2 weeks ago

Moved this to 0.1.0 milestone since this should be very easy to address in #217 by setting disabled_filesystems = 'LocalFilesystem'
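The configuration JelteF refers to, shown as an added example in plain DuckDB SQL (it is not code from this issue or from the pg_duckdb project): the first part shows why an unrestricted local filesystem is a risk, the second the DuckDB setting that closes it. The setting value is spelled here as DuckDB documents it, `LocalFileSystem`; how pg_duckdb exposes it as a Postgres GUC is not part of this thread and is not assumed below. The `lock_configuration` line is DuckDB's own setting for freezing configuration, added so that a non-superuser session cannot simply re-enable the filesystem with another `SET`.

```sql
-- Weak default: DuckDB can read any file the database process can open.
-- With local filesystem access enabled, this succeeds and returns the
-- contents of a world-readable file (the example wearpants gave above).
SELECT * FROM read_csv('/etc/passwd', delim = ':', header = false);

-- Hardened configuration (DuckDB settings, to be applied at session start
-- before any untrusted SQL runs):
SET disabled_filesystems = 'LocalFileSystem';  -- block file:// / local paths
SET lock_configuration = true;                  -- freeze settings for this session

-- The same query now fails with a Permission Error saying the
-- LocalFileSystem has been disabled by configuration, and the
-- configuration itself can no longer be changed by the caller:
SELECT * FROM read_csv('/etc/passwd', delim = ':', header = false);
SET disabled_filesystems = '';                  -- also rejected once locked
```

A per-directory allow list, as JohnHVancouver and wearpants asked for, is not something `disabled_filesystems` provides on its own: it is all-or-nothing for the local filesystem, so a hosted deployment that needs some local data would have to combine it with operating-system level controls (a dedicated directory mounted for the database user, and the rest of the filesystem unreadable to that user) rather than rely on the DuckDB setting alone.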

wuputah commented 2 weeks ago

ah, excellent!