GHSA-27vq-hv74-7cqp
SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type
Details
The `OVERWRITE` clause of the `DEFINE TABLE` statement would fail to overwrite data for tables that were defined with `TYPE RELATION`. Since table definitions include the `PERMISSIONS` clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.
### Impact
If a user attempted to update table permissions of a table defined with `TYPE RELATION` using `DEFINE TABLE ... OVERWRITE`, permissions for the table would not be changed. This may allow a client that is authorized to run queries in a SurrealDB server to access certain data in that specific table that they were not intended to be able to access after the specified change in permissions.
### Patches
The `DEFINE TABLE` statement has been updated to appropriately overwrite data for tables defined with `TYPE RELATION`.
- Version 2.1.4 and later are not affected by this issue.
### Workarounds
Users of tables with `TYPE RELATION` that may have been modified using the `OVERWRITE` clause in order to update permissions are advised to verify that the intended permissions are in place using the `INFO FOR DB` statement. Affected users who are unable to update and require updating permissions in a table with `TYPE RELATION` will be required to remove the table and define it from scratch with the intended permissions. Data can be preserved by backing it up to a temporary table.
### References
- #5260
Are you affected?
Enter the version of the package you're using.
Affected packages
2.0.0 Fixed in: 2.1.4 Upgrade surrealdb to 2.1.4 or newer (ecosystem crates.io).
2.0.0 Fixed in: 2.1.4 Upgrade surrealdb-core to 2.1.4 or newer (ecosystem crates.io).