
Leak of user query

Open neissa opened this issue 4 years ago • 2 comments

You can try some random URLs and find other users' SQL queries.

https://explain.dalibo.com/plan/10
https://explain.dalibo.com/plan/20
https://explain.dalibo.com/plan/30
https://explain.dalibo.com/plan/40

A better random number, with something like 20 digits, or a password for the query could be nice.

neissa avatar Feb 08 '21 17:02 neissa

I understand your point. This has already been reported in #319 by another user. FYI, I'm using the exact same method to randomize plan ids as in depesz. I'll see what I can do though. Thanks for your feedback anyway.

pgiraud avatar Feb 09 '21 06:02 pgiraud

Hello. What about letting users choose between:

  1. a generated guess-proof identifier (UUID or something similar),
  2. some custom identifier (if there is no collision with already existing identifiers),
  3. the current short and quite memorizable identifier (which I would personally let be the default method)?

mjf avatar Jan 04 '22 10:01 mjf

This has been reported by many users, and yet never fixed. Depesz has an option to anonymize plans, which I've always used, while Dalibo doesn't. I also never felt comfortable using Depesz unless it was absolutely necessary, but I was able to use Dalibo all of the time since it didn't share my plans with the server. Why not just make the very simple change to increase entropy?

nightpool avatar Sep 07 '22 20:09 nightpool

Entropy of plan ids has been increased on explain.dalibo.com.

pgiraud avatar Sep 19 '22 06:09 pgiraud