@akshay-joshi akshay-joshi commented Dec 2, 2025

Summary by CodeRabbit

  • Bug Fixes

    • Plain SQL restore now runs with an added backend restriction to block embedded meta-commands, improving security when restoring untrusted plain-text dumps.
  • Documentation

    • Restore dialog documentation updated to explain the security behavior and how plain SQL restores are handled.

coderabbitai bot commented Dec 2, 2025

Walkthrough

Documentation adds a note about plain SQL restore using psql's \restrict option. Backend changes generate a random restrict key (via secrets.token_hex(32)), add -c \restrict <key> to psql args, and remove the has_meta_commands pre-check.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Documentation: docs/en_US/restore_dialog.rst | Added explanatory note under Plain restore describing that restores run in the backend with psql's \restrict option and that a randomly generated restrict key is used to prevent execution of meta-commands from untrusted plain SQL dumps. |
| Restore backend implementation: web/pgadmin/tools/restore/__init__.py | Imported secrets; updated get_sql_util_args to create a random restrict key via secrets.token_hex(32) and append -c \restrict <key> to SQL utility arguments; removed the has_meta_commands function and its pre-check invocation. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify secrets.token_hex(32) usage and entropy/length meet project security expectations.
  • Confirm -c \restrict <key> is correctly formatted/escaped for the target shell/process invocation.
  • Ensure removal of has_meta_commands has no remaining references and no test coverage gaps.
  • Verify documentation text matches the implemented behavior.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and specifically describes the main change: implementing the '\restrict' option for plain SQL restore to prevent harmful psql meta-commands. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7e9e1e4 and 73c84c3.

📒 Files selected for processing (2)
  • docs/en_US/restore_dialog.rst (1 hunks)
  • web/pgadmin/tools/restore/__init__.py (3 hunks)
✅ Files skipped from review due to trivial changes (1)
  • docs/en_US/restore_dialog.rst
🚧 Files skipped from review as they are similar to previous changes (1)
  • web/pgadmin/tools/restore/__init__.py
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: run-python-tests-pg (windows-latest, 16)
  • GitHub Check: run-python-tests-pg (windows-latest, 15)
  • GitHub Check: run-python-tests-pg (windows-latest, 18)
  • GitHub Check: run-python-tests-pg (windows-latest, 17)
  • GitHub Check: run-python-tests-pg (windows-latest, 13)
  • GitHub Check: run-feature-tests-pg (18)
  • GitHub Check: run-feature-tests-pg (15)
  • GitHub Check: run-feature-tests-pg (17)
  • GitHub Check: run-feature-tests-pg (16)
  • GitHub Check: run-feature-tests-pg (14)
  • GitHub Check: run-feature-tests-pg (13)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
docs/en_US/restore_dialog.rst (1)

32-36: Clarify that \restrict is a psql meta-command, not an “option”.

To better match upstream terminology and avoid confusion, consider rephrasing to something like “using the psql command with the \restrict meta-command” instead of “with the \restrict option”. This keeps the explanation accurate without changing the intent.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f55fcf7 and e306cd8.

📒 Files selected for processing (5)
  • docs/en_US/restore_dialog.rst (1 hunks)
  • web/pgadmin/tools/backup/static/js/backup.js (0 hunks)
  • web/pgadmin/tools/maintenance/static/js/maintenance.js (0 hunks)
  • web/pgadmin/tools/restore/__init__.py (3 hunks)
  • web/pgadmin/tools/restore/static/js/restore.js (0 hunks)
💤 Files with no reviewable changes (3)
  • web/pgadmin/tools/backup/static/js/backup.js
  • web/pgadmin/tools/maintenance/static/js/maintenance.js
  • web/pgadmin/tools/restore/static/js/restore.js
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: run-python-tests-pg (windows-latest, 13)
  • GitHub Check: run-python-tests-pg (windows-latest, 14)
  • GitHub Check: run-python-tests-pg (windows-latest, 17)
  • GitHub Check: run-python-tests-pg (windows-latest, 18)
  • GitHub Check: run-python-tests-pg (windows-latest, 15)
  • GitHub Check: run-feature-tests-pg (18)
  • GitHub Check: run-feature-tests-pg (16)
  • GitHub Check: run-feature-tests-pg (14)
  • GitHub Check: run-feature-tests-pg (15)
  • GitHub Check: run-feature-tests-pg (17)
  • GitHub Check: run-feature-tests-pg (13)
🔇 Additional comments (1)
web/pgadmin/tools/restore/__init__.py (1)

14-15: The review comment references code changes that do not exist in the file. A search of web/pgadmin/tools/restore/__init__.py reveals:

  • No import secrets at lines 14-15 (the file begins with imports for json, re, flask, etc.)
  • No restrict_key variable or secrets.token_hex() calls anywhere in the file
  • No -c '\\restrict {restrict_key}' injection in the get_sql_util_args() function (lines 350-365 show the function without any restrict-related logic)
  • The grep search for "secrets", "restrict_key", and "token_hex" found zero matches in the restore module itself (though import secrets does appear in test files)

The underlying security concern about \restrict version compatibility is valid and well-reasoned in principle—CVE-2025-8714 is real, \restrict was added in PostgreSQL 13.22+, 14.19+, 15.14+, 16.10+, and 17.6+, and older psql binaries would not recognize the command. However, there is no code to review here because the described implementation does not exist in this file.

Likely an incorrect or invalid review comment.
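
An added example, not part of the pull request or of pgAdmin's code: a sketch of the version-compatibility point raised in the comment above, gating the `-c \restrict <key>` argument on the psql release. The helper names, the `-f` file switch, the choice to refuse the restore on an older binary, and treating major versions 18 and later as supported are assumptions of this example.

```python
import re
import secrets

# Lowest minor release per major branch that understands \restrict,
# taken from the versions listed in the review comment above.
MIN_RESTRICT_MINOR = {13: 22, 14: 19, 15: 14, 16: 10, 17: 6}


def psql_supports_restrict(version_output):
    """Return True if `psql --version` output names a release with \\restrict."""
    match = re.search(r"\(PostgreSQL\)\s+(\d+)\.(\d+)", version_output)
    if not match:
        return False  # unparseable output (e.g. a beta build): fail closed
    major, minor = int(match.group(1)), int(match.group(2))
    if major in MIN_RESTRICT_MINOR:
        return minor >= MIN_RESTRICT_MINOR[major]
    # Assumption of this example: branches newer than 17 ship with \restrict;
    # older branches (9.x, 10-12) never received it.
    return major >= 18


def build_restore_args(dump_path, version_output):
    """Build psql arguments for a plain SQL restore (hypothetical helper).

    Returns (args, restrict_key). Raises RuntimeError when the binary is too
    old, rather than silently running the dump without restricted mode.
    """
    if not psql_supports_restrict(version_output):
        raise RuntimeError("psql lacks \\restrict; refusing plain SQL restore")
    # 32 random bytes rendered as 64 hex characters, fresh for every restore,
    # so the dump's author cannot know the key needed to leave restricted mode.
    restrict_key = secrets.token_hex(32)
    # psql processes -c and -f switches in order, so restricted mode is
    # entered before the dump file is read. The list is meant for an argv
    # style process call, so the backslash needs no shell quoting.
    args = ["-c", f"\\restrict {restrict_key}", "-f", dump_path]
    return args, restrict_key


if __name__ == "__main__":
    # Constructed sample of `psql --version` output.
    sample = "psql (PostgreSQL) 16.10 (Debian 16.10-1.pgdg120+1)"
    print(build_restore_args("/tmp/dump.sql", sample)[0])
```
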

@akshay-joshi akshay-joshi merged commit d5a909f into pgadmin-org:master Dec 8, 2025
37 checks passed