feat: auth error caused by invalid characters in user or db_name (#334)

supabase · May 2, 2024 · f468217 · f468217
1 parent dbb48ff
commit f468217
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 9 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1.49
+1.1.50
diff --git a/lib/supavisor/client_handler.ex b/lib/supavisor/client_handler.ex
@@ -154,16 +154,26 @@ defmodule Supavisor.ClientHandler do
         Logger.debug("ClientHandler: Client startup message: #{inspect(hello)}")
         {type, {user, tenant_or_alias, db_name}} = HH.parse_user_info(hello.payload)
 
-        log_level =
-          case hello.payload["options"]["log_level"] do
-            nil -> nil
-            level -> String.to_existing_atom(level)
-          end
+        not_allowed = ["\"", "\\"]
+
+        if String.contains?(user, not_allowed) or String.contains?(db_name, not_allowed) do
+          reason = "Invalid characters in user or db_name"
+          Logger.error("ClientHandler: #{inspect(reason)}")
+          Telem.client_join(:fail, data.id)
+          HH.send_error(data.sock, "XX000", "Authentication error, reason: #{inspect(reason)}")
+          {:stop, {:shutdown, :invalid_characters}}
+        else
+          log_level =
+            case hello.payload["options"]["log_level"] do
+              nil -> nil
+              level -> String.to_existing_atom(level)
+            end
 
-        H.set_log_level(log_level)
+          H.set_log_level(log_level)
 
-        {:keep_state, %{data | log_level: log_level},
-         {:next_event, :internal, {:hello, {type, {user, tenant_or_alias, db_name}}}}}
+          {:keep_state, %{data | log_level: log_level},
+           {:next_event, :internal, {:hello, {type, {user, tenant_or_alias, db_name}}}}}
+        end
 
       {:error, error} ->
         Logger.error("ClientHandler: Client startup message error: #{inspect(error)}")

diff --git a/test/integration/proxy_test.exs b/test/integration/proxy_test.exs
@@ -248,6 +248,28 @@ defmodule Supavisor.Integration.ProxyTest do
     assert [%Postgrex.Result{rows: [["1"]]}] = P.SimpleConnection.call(pid, {:query, "select 1;"})
   end
 
+  test "invalid characters in user or db_name" do
+    Process.flag(:trap_exit, true)
+    db_conf = Application.get_env(:supavisor, Repo)
+
+    url =
+      "postgresql://user\"user.#{@tenant}:#{db_conf[:password]}@#{db_conf[:hostname]}:#{Application.get_env(:supavisor, :proxy_port_transaction)}/postgres\\\\\\\\\"\\"
+
+    assert =
+      {:error,
+       {_,
+        {:stop,
+         %Postgrex.Error{
+           postgres: %{
+             code: :internal_error,
+             message: "Authentication error, reason: \"Invalid characters in user or db_name\"",
+             pg_code: "XX000",
+             severity: "FATAL",
+             unknown: "FATAL"
+           }
+         }, _}}} = parse_uri(url) |> single_connection()
+  end
+
   defp single_connection(db_conf, c_port \\ nil) when is_list(db_conf) do
     port = c_port || db_conf[:port]