Observation on patch v20260113-0001: GRAPH_TABLE queries are bypassing
Row-Level Security checks. A low_priv_user is able to access sensitive
data across the entire table, even though the RLS policy should
restrict the result set to one non-sensitive row.
reproducible case:-
CREATE TABLE parent_node (id int PRIMARY KEY, secret text);
CREATE TABLE child_node () INHERITS (parent_node);
INSERT INTO child_node VALUES (1, 'Sensitive');
INSERT INTO child_node VALUES (2, 'not Sensitive');
CREATE ROLE low_priv_user;
GRANT SELECT ON parent_node TO low_priv_user;
GRANT SELECT ON child_node TO low_priv_user;
ALTER TABLE child_node ENABLE ROW LEVEL SECURITY;
-- Policy: user cannot see rows where secret contains 'Sensitive'
CREATE POLICY p_hide_sensitive ON child_node TO low_priv_user USING
(secret !~ 'Sensitive');
CREATE PROPERTY GRAPH security_graph VERTEX TABLES (parent_node);
GRANT SELECT ON PROPERTY GRAPH security_graph TO low_priv_user;
-- TEST: As low_priv_user, this query should return 0 rows.
SET ROLE low_priv_user;
postgres=> SELECT * FROM GRAPH_TABLE (security_graph MATCH (n) COLUMNS
(n.secret));
secret
---------------
Sensitive
not Sensitive
(2 rows)
Thanks
Ajay
On Tue, Jan 13, 2026 at 9:44 PM Ashutosh Bapat
<[email protected]> wrote:
>
> On Tue, Jan 13, 2026 at 3:53 PM Peter Eisentraut <[email protected]> wrote:
> >
> > I have a small fixup patch for your 20260102 patches, attached.
> >
> > - needs additional #include because of recent changes elsewhere
> > - copyright year updates
> > - various typos
> > - some style changes related to palloc APIs
>
> All changes look good.
>
> Looks like you have reviewed patches 0002-onwards. I removed 0004
> which was erroneously removing the | handling from ecpg lexer as you
> pointed out earlier. Squashed all other patches along with your small
> fixup patch. Attached is the resultant single patch.
>
> --
> Best Wishes,
> Ashutosh Bapat
