ignore the new restrict/unrestric postgresql command #325
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch updates Apartment's `PostgresqlSchemaAdapter` to ignore the new `\restrict` and `\unrestrict` meta-commands issued in pg_dump as part of the fix for CVE-2025-8714 (see: https://www.postgresql.org/support/security/CVE-2025-8714/). These meta-commands are specific to the `psql` client (https://www.postgresql.org/docs/current/app-psql.html#APP-PSQL-META-COMMANDS). Becuase Apartment executes schema SQL restores directly through ActiveRecord, any `psql`-specific meta-commands will cause errors, such as: `ERROR: syntax error at or near "\" at character XX`. By ignoring these meta-commands, this patch ensures compatibility when loading database dumps generated by versions of `pg_dump` that include them.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## development #325 +/- ##
===============================================
- Coverage 75.11% 74.88% -0.23%
===============================================
Files 35 35
Lines 892 892
===============================================
- Hits 670 668 -2
- Misses 222 224 +2 ☔ View full report in Codecov by Sentry. |
|
I think this is safe. All '\restrict' does is stop psql from processing meta commands, but none of those will be processed by postgres anyways. |
|
Just got back from sabbatical; I'll have to think about this a bit more. In particular whether this needs to be fixed for the current v3 (seems like it does) and whether it'll even be valid for v4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch updates Apartment's
PostgresqlSchemaAdapterto ignore the new\restrictand\unrestrictmeta-commands introduced inpg_dumpas part of the fix for [CVE-2025-8714](https://www.postgresql.org/support/security/CVE-2025-8714/).These meta-commands are specific to the
psqlclient (https://www.postgresql.org/docs/current/app-psql.html#APP-PSQL-META-COMMANDS). Since Apartment restores schema SQL directly via ActiveRecord (not throughpsql), anypsql-specific meta-commands present in the dump would result in errors like:An example of this error can be seen in the project's test suite:
I was not entirely comfortable with that approach and proposed switching to
psqlto load the SQL generated bypg_dump(thus avoiding the need to explicitly filter out this meta-commands) in PR #324. But proved incompatible with transactional schema creation.I'd like confirmation from other reviewers that ignoring this is safe within the context of Apartment by my understanding that any meta-command present in the dump would manifest as the described error.
Fixes #322