A LIVE query whose WHERE clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for example LIVE SELECT * FROM t WHERE string::trim(deny) — triggered an evaluation error inside the LIVE notification path. That error then propagated through to the triggering write, rolling back the attempted change.
While such a LIVE query was registered, all CREATE, UPDATE, and DELETE operations on the watched table failed — including those issued by a root user — for as long as the registration remained active. Registering the LIVE required select permission on the table; no other permission on the table was needed.
Impact
An authenticated user with select permission on a table can prevent all CREATE, UPDATE, and DELETE operations on that table — by any other user, up to and including root — for the lifetime of a single registered LIVE query. Service is restored when the LIVE query is killed or the session that registered it ends.
Patches
A patch has been introduced that:
- Decouples LIVE query evaluation errors from the source transaction — when
lq_check returns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as an Action::Error notification and the LIVE processing path returns Ok(()). The triggering write proceeds normally.
- Defers the error notification until after the permission check — the
Action::Error notification is only delivered after the LIVE subscription's PERMISSIONS clause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix).
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Users unable to upgrade should restrict the ability of untrusted users to register LIVE queries by removing the select permission on tables they want to keep writeable, or by gating LIVE registration at the application layer.
References
A
LIVEquery whoseWHEREclause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for exampleLIVE SELECT * FROM t WHERE string::trim(deny)— triggered an evaluation error inside the LIVE notification path. That error then propagated through to the triggering write, rolling back the attempted change.While such a
LIVEquery was registered, allCREATE,UPDATE, andDELETEoperations on the watched table failed — including those issued by a root user — for as long as the registration remained active. Registering theLIVErequiredselectpermission on the table; no other permission on the table was needed.Impact
An authenticated user with
selectpermission on a table can prevent allCREATE,UPDATE, andDELETEoperations on that table — by any other user, up to and including root — for the lifetime of a single registeredLIVEquery. Service is restored when theLIVEquery is killed or the session that registered it ends.Patches
A patch has been introduced that:
lq_checkreturns an error during the LIVE notification path, the error is now reported to the LIVE subscriber as anAction::Errornotification and the LIVE processing path returnsOk(()). The triggering write proceeds normally.Action::Errornotification is only delivered after the LIVE subscription'sPERMISSIONSclause has been evaluated, so unauthorised subscribers do not learn even that an error occurred (closing an information-disclosure side channel introduced by the first part of the fix).Workarounds
Users unable to upgrade should restrict the ability of untrusted users to register
LIVEqueries by removing theselectpermission on tables they want to keep writeable, or by gating LIVE registration at the application layer.References