archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2026-02-05 00:14:05 +00:00
Code Activity

Protect RLS policy creation statement from SQL injection

Browse source
This commit is contained in:
lukinovec 2023-06-28 10:36:59 +02:00
parent 1111607495
commit 15cdd6b2c1
1 changed files with 14 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

24
src/Commands/CreateRLSPoliciesForTenantTables.php
View file

@ -55,17 +55,19 @@ class CreateRLSPoliciesForTenantTables extends Command
$parentKeyName = $model->$parentName()->getForeignKeyName(); $parentKeyName = $model->$parentName()->getForeignKeyName();
$parentTable = $model->$parentName()->make()->getTable(); $parentTable = $model->$parentName()->make()->getTable();
DB::statement("CREATE POLICY {$table}_rls_policy ON {$table} USING ( $formattedStatement = DB::select("SELECT format('CREATE POLICY %I_rls_policy ON %I USING (
{$parentKeyName} IN ( %I IN (
SELECT id SELECT id
FROM {$parentTable} FROM %I
WHERE ({$tenantKeyName} = ( WHERE (%I = (
SELECT {$tenantKeyName} SELECT %I
FROM {$parentTable} FROM %I
WHERE id = {$parentKeyName} WHERE id = %I
)) ))
) )
)"); )', '$table', '$table', '$parentKeyName', '$parentTable', '$tenantKeyName', '$tenantKeyName', '$parentTable', '$parentKeyName')")[0]->format;
DB::statement($formattedStatement);
$this->enableRls($table); $this->enableRls($table);
@ -75,7 +77,9 @@ class CreateRLSPoliciesForTenantTables extends Command
protected function enableRls(string $table): void protected function enableRls(string $table): void
{ {
DB::statement("ALTER TABLE {$table} ENABLE ROW LEVEL SECURITY"); $formattedStatement = DB::select("SELECT format('ALTER TABLE %I', '$table')")[0]->format;
DB::statement("ALTER TABLE {$table} FORCE ROW LEVEL SECURITY");
DB::statement($formattedStatement . ' ENABLE ROW LEVEL SECURITY');
DB::statement($formattedStatement . ' FORCE ROW LEVEL SECURITY');
} }
} }