feat: update supautils (#1879)

staaldraad · soedirgo · web-flow · commit 1deb6f23796c · 2025-10-30T19:08:16.000+01:00
* feat: update supautils Bumps supautils to allow disabling `copy ... program` utility * fix: set supautils.disable_program guc * Apply suggestion from @soedirgo --------- Co-authored-by: Bobbie Soedirgo <31685197+soedirgo@users.noreply.github.com>
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
@@ -13,3 +13,4 @@ supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
+supautils.disable_program = 'true'
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.055-orioledb"
-  postgres17: "17.6.1.034"
-  postgres15: "15.14.1.034"
+  postgresorioledb-17: "17.5.1.056-orioledb"
+  postgres17: "17.6.1.035"
+  postgres15: "15.14.1.035"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix
@@ -7,15 +7,15 @@
 
 stdenv.mkDerivation rec {
   pname = "supautils";
-  version = "3.0.0";
+  version = "3.0.2";
 
   buildInputs = [ postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-EKKjNZQf7HwP/MxpHoPtbEtwXk+wO241GoXVcXpDMFs=";
+    hash = "sha256-WTLZShBFVgb18vVi15TSZvtJrNUFgQa6mBkavvRSoUE=";
   };
 
   installPhase = ''
diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out
@@ -31,3 +31,7 @@ order by 1,2;
  vault     | update_secret
 (20 rows)
 
+-- supautils disables copy ... program
+copy (select '') to program 'id';
+ERROR:  COPY TO/FROM PROGRAM not allowed
+DETAIL:  The copy to/from program utility statement is disabled
diff --git a/nix/tests/sql/security.sql b/nix/tests/sql/security.sql
@@ -7,3 +7,6 @@ from pg_catalog.pg_proc p
 where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
         and p.prosecdef = true
 order by 1,2;
+
+-- supautils disables copy ... program
+copy (select '') to program 'id';
