fix: harden admin view access#182
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 59724d0b05
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ) -> Router<()> { | ||
| let trusted_cidrs = Arc::new(parse_cidrs(&http_config.trusted_cidrs)); | ||
| let trusted_cidrs = Arc::new(StdRwLock::new( | ||
| parse_cidrs(&http_config.trusted_cidrs).expect("invalid trusted CIDR configuration"), |
There was a problem hiding this comment.
Using expect("invalid trusted CIDR configuration") here makes a malformed http.trusted_cidrs entry crash the process at startup (and the same pattern exists in ConfigWatcher::new), which turns a recoverable user config error into a hard availability failure. Since parse_cidrs now returns structured errors, this path should propagate that error (or fail startup gracefully) rather than panicking so operators can see a normal config-load failure.
Useful? React with 👍 / 👎.
brendanjryan
force-pushed
the
codex/admin-access-control
branch
from
8578986 to
7e49495
Compare
This PR was opened by the Changelogs release workflow. When you're ready to release, merge this PR and the packages will be published. --- ## `tidx@0.5.5` ### Patch Changes - Harden PostgreSQL SQL validation by fixing CTE scope handling, schema-qualified table checks, recursive depth accounting, LIMIT ALL rejection, and traversal of previously unchecked AST clauses. (by @brendanryan, [#179](#179)) - Validate public ClickHouse queries, block system catalogs and dangerous table functions, enforce ClickHouse request timeouts, and validate view SELECT SQL before execution. (by @brendanryan, [#180](#180)) - Bound PostgreSQL query result processing by streaming rows with a hard request limit and appending automatic LIMIT clauses on a separate line. (by @brendanryan, [#181](#181)) - Hardened view administration by failing closed for trusted CIDR checks, rejecting malformed CIDR configuration, hot-reloading active trusted CIDRs, and requiring an explicit admin mutation header. (by @brendanryan, [#182](#182)) Co-authored-by: brendanjryan <1572504+brendanjryan@users.noreply.github.com>
1 participant
Summary
Fail closed on trusted CIDR parsing and hot reload, return invalid CIDR config as startup errors instead of panicking, require an explicit admin mutation header for view writes, tighten CORS behavior, and include a changelog entry.