fix: sql guard gaps, date tz, timeouts, payload
@@ -65,6 +65,10 @@ rejected (the schemas are strict).
|
||||
| `readonly` | boolean | defaults to `false`; see Readonly mode below |
|
||||
| `ssh` | object | optional SSH tunnel (see below) |
|
||||
|
||||
For PostgreSQL, a connection without a `database` falls back to the conventional
|
||||
`postgres` maintenance database for `list_databases` and `test_connection`. On
|
||||
servers that lack it, set `database` explicitly.
|
||||
|
||||
The `ssh` object accepts:
|
||||
|
||||
| Field | Type | Notes |
|
||||
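Review bot: The new PostgreSQL paragraph sits between the `ssh` row of the field table and "The `ssh` object accepts:", so it separates the `ssh` field from its own description; it would read better after the `ssh` sub-table or directly beside the `database` row. The last sentence also covers only servers that lack the `postgres` database. A least-privilege role that has no CONNECT privilege on `postgres` fails the same way, so I would add that case and say what error `list_databases` and `test_connection` return, so users can tell the fallback was the cause.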
@@ -135,6 +139,11 @@ blocked by the SQL guard. For a hard guarantee in untrusted contexts, still
|
||||
connect with a read-only database user — readonly mode is defence in depth, not
|
||||
a substitute for database permissions.
|
||||
|
||||
The PostgreSQL mechanism is a libpq startup option, which PgBouncer in
|
||||
transaction or statement pooling mode does **not** forward to the server. Behind
|
||||
such a pooler the readonly flag is silently ineffective; use a read-only
|
||||
database user there instead.
|
||||
|
||||
## Security notes
|
||||
|
||||
- The store is a plaintext JSON file written with `0600` permissions. The trust
|
||||
|
||||
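Review bot: "the readonly flag is silently ineffective" in the added PgBouncer paragraph documents a fail-open, and a caller who set `readonly: true` has no way to notice it. Documenting it is good, but I would rather the connection check the effective state after connecting (for example by reading `transaction_read_only`) and refuse or warn when readonly was requested and is not in force. The paragraph also does not name the libpq startup option it relies on and does not say whether session pooling mode is affected, and operators need both to judge their own setup.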