add: log error when db-schemas config contain restricted schemas

We don't allow accessing schemas "pg_catalog" and "information_schema".
Instead of silently failing requests on these schemas, this now adds
logging an error on startup when these schemas are found in `db-schemas`
config.

Signed-off-by: Taimoor Zaeem <taimoorzaeem@gmail.com>

Author: taimoorzaeem

CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. From versio
 
 ## Unreleased
 
+### Added
+
+- Log error when `db-schemas` config contains schema `pg_catalog` or `information_schema` by @taimoorzaeem in #4359
+
 ## [14.1] - 2025-11-05
 
 ## Fixed

src/PostgREST/Config.hs

@@ -274,8 +274,7 @@ parser optPath env dbSettings roleSettings roleIsolationLvl =
     <*> (fromMaybe True <$> optBool "db-prepared-statements")
     <*> (fmap toQi <$> optWithAlias (optString "db-root-spec")
                                     (optString "root-spec"))
-    <*> (fromList . maybe ["public"] splitOnCommas <$> optWithAlias (optString "db-schemas")
-                                                                    (optString "db-schema"))
+    <*> parseDbSchemas "db-schemas" "db-schema"
     <*> (fromMaybe True <$> optBool "db-config")
     <*> (fmap toQi <$> optString "db-pre-config")
     <*> parseTxEnd "db-tx-end" snd
@@ -329,6 +328,18 @@ parser optPath env dbSettings roleSettings roleIsolationLvl =
         Just asp | asp == serverPort -> fail "admin-server-port cannot be the same as server-port"
                  | otherwise         -> pure $ Just asp
 
+    parseDbSchemas :: C.Key -> C.Key -> C.Parser C.Config (NonEmpty Text)
+    parseDbSchemas k al =
+      optWithAlias (optString k) (optString al) >>= \case
+        Nothing  -> pure $ fromList ["public"]
+        Just s
+          | "pg_catalog"         `elem` schemas -> fail (errMsg "pg_catalog")
+          | "information_schema" `elem` schemas -> fail (errMsg "information_schema")
+          | otherwise -> pure $ fromList schemas
+          where
+            schemas = splitOnCommas s
+            errMsg = ("db-schemas does not allow schema: " <>)
+
     parseSocketFileMode :: C.Key -> C.Parser C.Config FileMode
     parseSocketFileMode k =
       optString k >>= \case

test/io/fixtures/fixtures.yaml

@@ -237,3 +237,7 @@ specialhostvalues:
   - '*6'
   - '!6'
   - '*'
+
+restrictedschemas:
+  - 'pg_catalog'
+  - 'information_schema'

test/io/test_cli.py

@@ -286,6 +286,16 @@ def test_jwt_secret_min_length(defaultenv):
     assert "The JWT secret must be at least 32 characters long." in error
 
 
+@pytest.mark.parametrize("restricted_schema", FIXTURES["restrictedschemas"])
+def test_restricted_db_schemas(restricted_schema, defaultenv):
+    "Should print error when db-schemas config contain pg_catalog or information_schema"
+
+    env = {**defaultenv, "PGRST_DB_SCHEMAS": restricted_schema}
+
+    error = cli(["--dump-config"], env=env, expect_error=True)
+    assert f"db-schemas does not allow schema: {restricted_schema}" in error
+
+
 # TODO: Improve readability of "--ready" healthcheck tests
 @pytest.mark.parametrize("host", ["127.0.0.1", "::1"], ids=["IPv4", "IPv6"])
 def test_cli_ready_flag_success(host, defaultenv):