/rpc/functions callable from web_anon (security issue?)

[phpwutz]

Environment

• PostgreSQL version: 13 (docker)
• PostgREST version: 7.0.1 (aka latest) (docker)
• Operating system: arch linux

Description of issue

Expected behavior

The route GET /rpc/uuid_generate_v4 should not be callable by an anonymous user.

Actual behavior

The route GET /rpc/uuid_generate_v4 can be called by an anonymous user and delivers a generated UUID.
Also other user defined functions can be called as well.
All regular table endpoints etc. are hidden and not callable, so that's working correctly.

Setup

I did a setup following the documentation, one user "authenticator" that can switch to "web_anon". web_anon has no permissions whatsoever.

docker envs for postgrest:
PGRST_DB_URI: postgres://authenticator:***@db:5432/app_db
PGRST_DB_SCHEMA: public
PGRST_DB_ANON_ROLE: web_anon

I also enabled the uuid-ossp extension in postgres.

[wolfgangwalther]

This is a postgres permissions thing. Any endpoint that the anonymous user has privileges for will be accessible. The public schema is accessible by any postgres user by default - and any function in that schema will be callable for the anonymous user.

Here are some guidelines for how to prevent that:

• Do not use the public schema as db-schema. Use another schema specifically created for it, e.g. api.
• Do not install extensions into the exposed schema. If you switch to db-schema=api, you can install those extensions into public. This will prevent the exposure of many of the functions of that extension as RPCs.
• Add db-extra-search-path=public to be able to access those extensions without prefix from your functions.

Alternatively you can just revoke privileges from the public schema.

[phpwutz]

Thanks a lot for the helpful advice!
Creating a separate api schema did the trick