From c1e5a93f6f44c71c5caf5c628d5316f6da3c93b0 Mon Sep 17 00:00:00 2001
From: Andrey Borodin
Date: Tue, 28 Apr 2026 11:41:55 +0300
Subject: [PATCH] security: revoke PUBLIC execute on clickhouse_raw_query

clickhouse_raw_query(sql, connstring) lets the caller specify an arbitrary host in the connection string. With the function executable by PUBLIC any database user could reach internal services such as cloud metadata endpoints (169.254.169.254), private APIs, or other hosts on the server network directly from the PostgreSQL process (SSRF). Revoke PUBLIC execute. Administrators who need ad-hoc raw access should grant the function explicitly to a trusted role.
---
 sql/pg_clickhouse.sql | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sql/pg_clickhouse.sql b/sql/pg_clickhouse.sql
index 4daa19b8..478347a8 100644
--- a/sql/pg_clickhouse.sql
+++ b/sql/pg_clickhouse.sql
@@ -17,6 +17,14 @@ RETURNS TEXT AS 'MODULE_PATHNAME'
 LANGUAGE C STRICT;
 
+-- clickhouse_raw_query accepts an arbitrary connection string, including
+-- any host the caller chooses. Leaving it executable by PUBLIC would
+-- allow any database user to reach internal services (metadata endpoints,
+-- private APIs, etc.) from the PostgreSQL server — a classic SSRF vector.
+-- Grant it back only to roles that legitimately need ad-hoc ClickHouse
+-- access (e.g. a dedicated clickhouse_admin role).
+REVOKE EXECUTE ON FUNCTION clickhouse_raw_query(text, text) FROM PUBLIC;
+
 CREATE FUNCTION clickhouse_fdw_validator(text[], oid)
 RETURNS VOID AS 'MODULE_PATHNAME'
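Review bot: The REVOKE is added only to the base install script sql/pg_clickhouse.sql, so existing deployments that move forward with ALTER EXTENSION ... UPDATE keep the PUBLIC execute grant unless the same statement also lands in a version-to-version upgrade script; the diffstat shows no other file touched, so this appears to be missing (I cannot see the repository's upgrade-script layout, so confirm). The proposed line for that script is the same `REVOKE EXECUTE ON FUNCTION clickhouse_raw_query(text, text) FROM PUBLIC;`, in a `pg_clickhouse--<old>--<new>.sql` file for the affected version pair. The CREATE FUNCTION clickhouse_raw_query definition that the REVOKE refers to sits above the hunk, outside this view, so the `(text, text)` argument list should be checked against it, since a signature mismatch makes the REVOKE error at install time rather than silently leave the grant in place. Since the extension's install script runs as the installing role, the function owner retains execute regardless of the REVOKE; the comment could say so, e.g. `-- The function owner (the role that installed the extension) is unaffected.`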