feat: add current_setting initplan advisor for rls, improve patterns

Adds the `current_setting` match for the [RLS initplan]() lint rule. Also improves the pattern matching to support different use of blanks in the RLS policy code.
supabase · Dec 6, 2024 · f7f6609 · f7f6609
1 parent 4be470c
commit f7f6609
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/lints/0003_auth_rls_initplan.sql b/lints/0003_auth_rls_initplan.sql
@@ -15,8 +15,17 @@ with policies as (
             when 'd' then 'DELETE'
             when '*' then 'ALL'
         end as command,
-        qual,
-        with_check
+        -- normalize expression's spaces
+        regexp_replace(
+            regexp_replace(
+                regexp_replace(qual, '[\n\r\t ]+', ' ', 'g'),
+            ' *\( \)', '()', 'g'),
+        ' *\. *', '.', 'g') as qual,
+        regexp_replace(
+            regexp_replace(
+                regexp_replace(with_check, '[\n\r\t ]+', ' ', 'g'),
+            ' *\( \)', '()', 'g'),
+        ' *\. *', '.', 'g') as with_check
     from
         pg_catalog.pg_policy pa
         join pg_catalog.pg_class pc
@@ -74,6 +83,10 @@ where
             qual like '%auth.email()%'
             and lower(qual) not like '%select auth.email()%'
         )
+        or (
+            qual like '%current\_setting(%)%'
+            and lower(qual) not like '%select current\_setting(%)%'
+        )
         or (
             with_check like '%auth.uid()%'
             and lower(with_check) not like '%select auth.uid()%'
@@ -90,4 +103,8 @@ where
             with_check like '%auth.email()%'
             and lower(with_check) not like '%select auth.email()%'
         )
+        or (
+            with_check like '%current\_setting(%)%'
+            and lower(with_check) not like '%select current\_setting(%)%'
+        )
     );