Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZ9XA-00GkiF-Cw for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 13:38:28 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sZ9X7-006wpa-J3 for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 13:38:25 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZ9X7-006wpQ-3y for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 13:38:25 +0000 Received: from mail-ua1-x931.google.com ([2607:f8b0:4864:20::931]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sZ9X3-002RLy-Mp for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 13:38:24 +0000 Received: by mail-ua1-x931.google.com with SMTP id a1e0cc1a2514c-810177d1760so1899796241.2 for ; Wed, 31 Jul 2024 06:38:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dunslane-net.20230601.gappssmtp.com; s=20230601; t=1722433099; x=1723037899; darn=lists.postgresql.org; h=content-transfer-encoding:in-reply-to:autocrypt:content-language :from:references:cc:to:subject:user-agent:mime-version:date :message-id:from:to:cc:subject:date:message-id:reply-to; bh=cLW+CrLpfhljeVMSgpy9eMirHJ4iO0DKzIyBQH/rpew=; b=hwG0WDN9bYkLWYjD2gkgCk9WpmsxUuDCSRBMCMht2VowhrdnJNO53sXhUrLLPPrGhn mEqvcox/qapSkhqqExZTp9RlJu8SupxiJFt4UeD8feQ36Na7RS19hd41pA3Rwv0JfSiN XyzubqKuN7fY82ZSBF3Q93WtbMmswUE5pbKKwcYJx9NJ27GLfaIWqBufuVl4xPW2VhzQ 2puSQnq5XaN/+BWGYt3gd9QDC3js+X9W00XiDY6TqtNVTgq9SlkRKHulaT4pLx7dPMNF FL2yvlbuuQmHLhqFO+MyRzc1m1XMHwGjtSWt2e4qQS+Smu9dkJu8skQPKAzilTChyDv/ 1LUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722433099; x=1723037899; h=content-transfer-encoding:in-reply-to:autocrypt:content-language :from:references:cc:to:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cLW+CrLpfhljeVMSgpy9eMirHJ4iO0DKzIyBQH/rpew=; b=cn4wyWY477DhLwwA31hq2WkuOg/yPZVQ/1sDaj6Fp4KqhtwQwpkxutsL/CjhGfP0CW XK26hj4cPr9/+xmrV6X50LxRTGy63iw3sOKayHmbshmqwJVhAEFhx0m4THvFnfFfTqXr 4K3/LEcsqkBoflzdL3lge/lOUWSNQxyaz29KF7LXuxdGqb1VUpqXs8Y5DGnTTwsx9pHu RJZw9QTruSBns4pfWM98e11YROOBFnJIwA0sgIrDDZjnMrTinJsBLAyStHQqSuiNJcJt cp2JnECV4HXltCAHP2XB5+psrNy721fZOBXU1gMqLn04i2/xlmGHbVREG0N2z87//iuS l64w== X-Gm-Message-State: AOJu0YxODK5sbSIg5PzpUKIYqaDOCJ7f/yruIK0CG9kyz69kOXdkpZaV lLV/ftmtvO80yrijLPNndpRRI8PCf+pctlAYsZ5ISFZrVLkjXvFNNdfZCg+tntk= X-Google-Smtp-Source: AGHT+IGJq2sDNrUZ7YGO2mzecd2opQpcvBArf2hQ8N8k+5n6A+0rd4CwYnif8Vl07kbOVWgbK6TdHw== X-Received: by 2002:a05:6102:3ed3:b0:493:b9f8:82f2 with SMTP id ada2fe7eead31-493fa46cb85mr20050154137.25.1722433099259; Wed, 31 Jul 2024 06:38:19 -0700 (PDT) Received: from ?IPV6:2605:a601:9180:9800::2bb? ([2605:a601:9180:9800::2bb]) by smtp.googlemail.com with ESMTPSA id af79cd13be357-7a1e6345db2sm552441485a.99.2024.07.31.06.38.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 31 Jul 2024 06:38:18 -0700 (PDT) Message-ID: <3bc9ce78-054f-497c-8402-1cfda0bbc020@dunslane.net> Date: Wed, 31 Jul 2024 09:38:16 -0400 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: can we mark upper/lower/textlike functions leakproof? To: Joe Conway , David Rowley Cc: PostgreSQL Hackers References: <50d3a76e-afaa-44ed-aef5-6fb7f23cccab@dunslane.net> <5bef8bb0-7a50-4bcf-b052-2a12c3cda0f5@joeconway.com> From: Andrew Dunstan Content-Language: en-US Autocrypt: addr=andrew@dunslane.net; keydata= xsBNBE7KWFkBCAClridxur2AIc7eW2AR7izbfp3EnNefie2HbLF0izW5Ik5UjX2HBXBx4syI gY6b0ugohXrr274+baoAlvSbq6cAoQuEVrk5IZFzt20b1Xkx65FwGSEj526yiKLocqkJceSq Xr9xcA5SGY+FZv441chh5SU92v4q6z+6LPpoHOh97ptAVXZYNTtU0LevyvD5lja0TzbvJm6C eFXitJfnm1pLEr0DGJCR/iUOl/N62Kh4855zZC7NHIjQHPOvV5Stz/l5ilDhvGVk+xkXFPys SjZoUr1rXhYLpiyi5sR0X9FHXT0KnGuz1F5ERO7ZTLSSQ6fJwPj6gOk9K+vvoKvoeql5ABEB AAHNJEFuZHJldyBEdW5zdGFuIDxhbmRyZXdAZHVuc2xhbmUubmV0PsLAmwQTAQgARQIbAwIX gAIZAQULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcWIQTkPlhGHfx8v0RpFaWZ+n/LWfw7gQUC ZFlxxwUJGVGAbgAKCRCZ+n/LWfw7gXikB/9ZdcUy6CTBFIIuL/bVsc1eLEW/gJBjJBF6HxNY xgEkAgXAp4Lg4A5U+QB9GouFr7+GYxF0BU4hzoGhNPUWltxnHdMWP8nC/38LAqgMi8L/bbsm HW5YPBdWYaAZAPJQVfOAgjTbRUb26KSprpyrrJKW0ZmrZfjhNPcQ72jpWzoPLQqx2X6B0fru 1jq+cBh8lb6r1mJTim1T3JIn+F/v5VpdQS+EL8xqsHkfzKjIPsW3CIXpkypSk6saA55Rkkbl 26AW8ftPVB0Q6Lnn6FLt9CP0MGNixBQ55yq8r1K+nCBvCCjvQjM8RDm0UUum0WNl+ifQgTLO E8TWEnwVtkBf+3QWzsBNBE7KWFkBCADRnOM0FCzsYW6jtncg+dWIagjUZpvaClmqn/sJluLa Q3v1VXMQJzYs3eC1gh386W+XBwLRpDj3jzH81lX+p73Re3d3oJW7X+ffsxuzu5ZVdMUkqBYo nkAbKxr6gyJ12F/+JkUVzLcoTN+d/7YsQvUVi7NaKH8mJgjz112O4fUe3p9wfAaFa0RXHc5S GPzRTYRRlv/XZBIho4J2tkZOnteZJZ+GbxQVlINt6fd8P6al3MWOvpP/ExJPguEfjOsO6Njy xjo3WfpD4lHMOR/Oc3/8mScEF84rF2jXbsFgelWnbPWAvXY+pD0dXOFRkagGmC/viwBDqq5b 5tk76kKmUbZxABEBAAHCwHwEGAEIACYCGwwWIQTkPlhGHfx8v0RpFaWZ+n/LWfw7gQUCZFlx 5wUJGVGAjgAKCRCZ+n/LWfw7gf+iB/4g8CPY5jihf5r/8EsoIGe2H+dpVmpPF8YGBzTIvCz/ fQoOq8AX/pE76QEuFnFZWfjw+wgBXgCVmkox2Eflkk6z4ND3pcwGZ6CfCxTQCDk/dij+2DQ4 6bmDCy/sBgcbz9mTpoLC11HLoPae6YN9nBNQRZDcEFEu54OaVOqlIdbA6m+POIBCXZdHOFc0 WoDTgxHRzC1jgQNidyd6tKqcsVJs0dzF0oKTmFFmUAqTdJO12LBuNA1rlqrR3EtpYk8B/wtS 5dIMD7Q8hwQpL+4C6GNpb6ZKnPkLi47pDOLhz2qBrqN+rqUEsT3YnExYpzj5yOBi+FlmV1Hw 49QYe1sn2ZPs In-Reply-To: <5bef8bb0-7a50-4bcf-b052-2a12c3cda0f5@joeconway.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2024-07-31 We 9:14 AM, Joe Conway wrote: > On 7/31/24 05:47, Andrew Dunstan wrote: >> On 2024-07-30 Tu 6:51 PM, David Rowley wrote: >>> On Wed, 31 Jul 2024 at 09:35, Andrew Dunstan >>> wrote: >>>> Fast forward to now. The customer has found no observable ill >>>> effects of >>>> marking these functions leakproof. The would like to know if there is >>>> any reason why we can't mark them leakproof, so that they don't >>>> have to >>>> do this in every database of every cluster they use. >>>> >>>> Thoughts? >>> According to [1], it's just not been done yet due to concerns about >>> risk to reward ratios.  Nobody mentioned any reason why it couldn't >>> be, but there were some fears that future code changes could yield new >>> failure paths. >>> >>> David >>> >>> [1]https://postgr.es/m/02BDFCCF-BDBB-4658-9717-4D95F9A91561%40thebuild.com >>> >> >> Hmm, somehow I missed that thread in searching, and clearly I'd >> forgotten it. >> >> Still, I'm not terribly convinced by arguments along the lines you're >> suggesting. "Sufficient unto the day is the evil thereof." Maybe we >> need a test to make sure we don't make changes along those lines, >> although I have no idea what such a test would look like. > > > I think I have expressed this opinion before (which was shot down), > and I will grant that it is hand-wavy, but I will give it another try. > > In my opinion, for this use case and others, it should be possible to > redact the values substituted into log messages based on some > criteria. One of those criteria could be "I am in a leakproof call > right now". In fact in a similar fashion, an extension ought to be > able to mutate the log message based on the entire string, e.g. when > "ALTER ROLE...PASSWORD..." is spotted I would like to be able to > redact everything after "PASSWORD". > > Yes it might render the error message unhelpful, but I know of users > that would accept that tradeoff in order to get better performance and > security on their production workloads. Or in some cases (e.g. > PASSWORD) just better security. > -- Andrew Dunstan EDB: https://www.enterprisedb.com