Victor galiminus
@jmealo
jmealo / rls-security-multi-tennant.md
Last active January 20, 2025 12:25
How to safely allow arbitrary SQL queries in multi-tenant web applications

Can we use PostgreSQL's row-level security (RLS) to allow arbitrary query execution in secure multi-tenant web applications?

Can we break out and access another tenant's information?

No. Tenant isolation is handled using schemas, ownership and roles (users); using RLS has no bearing on whether data leaks between tenants. This lets us hand out SQL accounts that can run arbitrary queries without leaking data between tenants.

How can we protect against role or privilege escalation within a tenant?

Consider an application that has 3 user types (roles):

@zdk
zdk / version.rake
Last active June 10, 2024 07:46
Rake task for Git based Rails app semantic versioning.
# gem 'colorize'
module Version
  VERSION_FILE = "#{Rails.root}/config/initializers/version.rb"
  PATTERN = /(\d+)\.(\d+)\.(\d+)-(.*)/
  PATTERN_NOMETA = /(\d+\.\d+\.\d+)/
  @@major = 0; @@minor = 0; @@patch = 0; @@build = 'a'
  @@version_rb = File.read(VERSION_FILE)
  def self.version_rb