Merge remote-tracking branch 'origin' into INDATA-152

hunleyd · hunleyd · commit cae0c5ea8339 · 2025-10-30T14:45:44.000-04:00
* origin: feat: update supautils (#1879)
diff --git a/ansible/files/postgresql_config/conf.d/supautils.conf b/ansible/files/postgresql_config/conf.d/supautils.conf
@@ -1,5 +1,7 @@
 session_preload_libraries = 'supautils'
 
+supautils.disable_program = 'true'
+
 supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.flow_state","auth.identities","auth.instances","auth.mfa_amr_claims","auth.mfa_challenges","auth.mfa_factors","auth.oauth_clients","auth.one_time_tokens","auth.refresh_tokens","auth.saml_providers","auth.saml_relay_states","auth.sessions","auth.sso_domains","auth.sso_providers","auth.users","realtime.messages","realtime.subscription","storage.buckets","storage.buckets_analytics","storage.objects","storage.prefixes","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
 
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
@@ -28,5 +30,3 @@ supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
-
-
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.055-orioledb"
-  postgres17: "17.6.1.034"
-  postgres15: "15.14.1.034"
+  postgresorioledb-17: "17.5.1.056-orioledb"
+  postgres17: "17.6.1.035"
+  postgres15: "15.14.1.035"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix
@@ -7,15 +7,15 @@
 
 stdenv.mkDerivation rec {
   pname = "supautils";
-  version = "3.0.0";
+  version = "3.0.2";
 
   buildInputs = [ postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-EKKjNZQf7HwP/MxpHoPtbEtwXk+wO241GoXVcXpDMFs=";
+    hash = "sha256-WTLZShBFVgb18vVi15TSZvtJrNUFgQa6mBkavvRSoUE=";
   };
 
   installPhase = ''
diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out
@@ -31,3 +31,7 @@ order by 1,2;
  vault      | update_secret
 (20 rows)
 
+-- supautils disables copy ... program
+copy (select '') to program 'id';
+ERROR:  COPY TO/FROM PROGRAM not allowed
+DETAIL:  The copy to/from program utility statement is disabled
diff --git a/nix/tests/sql/security.sql b/nix/tests/sql/security.sql
@@ -7,3 +7,6 @@ from pg_catalog.pg_proc p
 where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
         and p.prosecdef = true
 order by 1,2;
+
+-- supautils disables copy ... program
+copy (select '') to program 'id';
