VDB
KO
LOW

GHSA-27vq-hv74-7cqp

SurrealDB has Silent Failure to Overwrite Table Definition of Relation Type

Details

The `OVERWRITE` clause of the `DEFINE TABLE` statement would fail to overwrite data for tables that were defined with `TYPE RELATION`. Since table definitions include the `PERMISSIONS` clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.

### Impact

If a user attempted to update table permissions of a table defined with `TYPE RELATION` using `DEFINE TABLE ... OVERWRITE`, permissions for the table would not be changed. This may allow a client that is authorized to run queries in a SurrealDB server to access certain data in that specific table that they were not intended to be able to access after the specified change in permissions.

### Patches

The `DEFINE TABLE` statement has been updated to appropriately overwrite data for tables defined with `TYPE RELATION`.

- Version 2.1.4 and later are not affected by this issue.

### Workarounds

Users of tables with `TYPE RELATION` that may have been modified using the `OVERWRITE` clause in order to update permissions are advised to verify that the intended permissions are in place using the `INFO FOR DB` statement. Affected users who are unable to update and require updating permissions in a table with `TYPE RELATION` will be required to remove the table and define it from scratch with the intended permissions. Data can be preserved by backing it up to a temporary table.

### References

- #5260

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / surrealdb
Introduced in: 2.0.0 Fixed in: 2.1.4

Upgrade surrealdb to 2.1.4 or newer (ecosystem crates.io).

crates.io / surrealdb-core
Introduced in: 2.0.0 Fixed in: 2.1.4

Upgrade surrealdb-core to 2.1.4 or newer (ecosystem crates.io).

References