
Fix cross-user data leak in system.asynchronous_inserts #100024

Merged
alexey-milovidov merged 1 commit into ClickHouse:master from tiandiwonder:fix_async_inserts_leak
Mar 20, 2026

Conversation

@tiandiwonder (Contributor)

StorageSystemAsynchronousInserts::fillData iterated over all async insert queue entries with no user filtering, allowing any user with SELECT ON system.asynchronous_inserts to see pending inserts belonging to other users (query, database, table, entries.query_id, etc.).

Fix: filter queue entries in fillData so that only the current user's own entries are returned, unless the user has the SHOW_USERS privilege (which represents elevated visibility over user-related data).

The InsertQuery struct already carries a user_id field populated from query_context->getUserID() at push time; this fix simply consults it during read.

Just like system.query_cache (which has an explicit design comment justifying cross-user visibility)

Changelog category (leave one):

  • Critical Bug Fix (crash, data loss, RBAC)

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

...

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)
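A worked model of the read-side check the PR describes, added here as an example; it is not ClickHouse's code. It puts the two behaviours side by side: an unfiltered fillData that hands every queued entry to any reader with SELECT on the system table, and a filtered one that consults each entry's user_id and widens visibility only for a reader holding SHOW_USERS. The field set of InsertEntry beyond user_id, the ReaderContext type, the names fillDataUnfiltered/fillDataFiltered/leaksOtherUsers, the sample queue, and the treatment of an entry with no recorded user are all this example's assumptions, not the project's.

```cpp
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Constructed model of one pending entry in the async-insert queue.
// The PR names only user_id (filled from query_context->getUserID() at push
// time); the remaining field names are this example's assumptions.
struct InsertEntry
{
    std::optional<std::string> user_id;  // empty if no user was recorded (assumed edge case)
    std::string database;
    std::string table;
    std::string query;
    std::string query_id;
};

// Constructed model of whoever is reading system.asynchronous_inserts.
struct ReaderContext
{
    std::string user_id;
    bool has_show_users;  // models the SHOW_USERS privilege named in the PR
};

// Before the fix: every queued entry goes to any reader with SELECT on the
// system table, regardless of who pushed it. This is the leak.
std::vector<InsertEntry> fillDataUnfiltered(const std::vector<InsertEntry> & queue, const ReaderContext &)
{
    return queue;
}

// After the fix: an entry is returned only if the reader owns it or holds
// SHOW_USERS. Entries with no recorded user are treated as owned by nobody,
// so only SHOW_USERS holders see them; that policy is this example's choice.
std::vector<InsertEntry> fillDataFiltered(const std::vector<InsertEntry> & queue, const ReaderContext & reader)
{
    std::vector<InsertEntry> rows;
    for (const auto & entry : queue)
    {
        const bool owned = entry.user_id.has_value() && *entry.user_id == reader.user_id;
        if (reader.has_show_users || owned)
            rows.push_back(entry);
    }
    return rows;
}

// Audit helper: true if any returned row belongs to someone other than reader_id.
bool leaksOtherUsers(const std::vector<InsertEntry> & rows, const std::string & reader_id)
{
    for (const auto & row : rows)
        if (!row.user_id.has_value() || *row.user_id != reader_id)
            return true;
    return false;
}

// Constructed sample queue: two users plus one entry with no user recorded.
std::vector<InsertEntry> sampleQueue()
{
    return {
        {"alice", "analytics", "events", "INSERT INTO analytics.events FORMAT JSONEachRow", "q-alice-1"},
        {"bob", "finance", "payroll", "INSERT INTO finance.payroll FORMAT CSV", "q-bob-1"},
        {"alice", "analytics", "metrics", "INSERT INTO analytics.metrics FORMAT TSV", "q-alice-2"},
        {std::nullopt, "internal", "heartbeat", "INSERT INTO internal.heartbeat FORMAT TSV", "q-system-1"},
    };
}

int main()
{
    const auto queue = sampleQueue();
    const ReaderContext bob{"bob", false};
    const ReaderContext admin{"admin", true};

    std::cout << "before fix, bob sees " << fillDataUnfiltered(queue, bob).size() << " rows\n";            // 4
    std::cout << "after fix, bob sees " << fillDataFiltered(queue, bob).size() << " rows\n";               // 1
    std::cout << "after fix, SHOW_USERS holder sees " << fillDataFiltered(queue, admin).size() << " rows\n"; // 4
    return 0;
}
```

The decision is made per entry rather than once per query, so a queue holding several users' inserts yields exactly the reader's own slice. The equivalent check against a real server is to issue an INSERT with async_insert enabled as one user and, before the buffer is flushed, query system.asynchronous_inserts as a second user that has SELECT on the table but not SHOW_USERS: on a fixed build the second user sees no rows belonging to the first.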


clickhouse-gh bot commented Mar 19, 2026

Workflow [PR], commit [1593829]

Summary:

@clickhouse-gh bot added labels pr-critical-bugfix and pr-must-backport Mar 19, 2026

clickhouse-gh bot commented Mar 19, 2026

LLVM Coverage Report

Metric      Baseline   Current   Δ
Lines       83.80%     83.70%    -0.10%
Functions   23.90%     23.90%    +0.00%
Branches    76.30%     76.30%    +0.00%

PR changed-lines coverage: 92.86% (13/14, 0 noise lines excluded)

@alexey-milovidov (Member) left a comment

Thanks, the code is clear and well understandable.

@alexey-milovidov alexey-milovidov self-assigned this Mar 20, 2026
@alexey-milovidov alexey-milovidov added this pull request to the merge queue Mar 20, 2026
Merged via the queue into ClickHouse:master with commit 80f55cf Mar 20, 2026
163 checks passed
@robot-ch-test-poll added labels pr-synced-to-cloud and pr-must-backport-synced Mar 20, 2026
robot-clickhouse added 6 commits that referenced this pull request Mar 20, 2026
@robot-ch-test-poll4 added the label pr-backports-created Mar 20, 2026
clickhouse-gh bot added a commit that referenced this pull request Mar 20, 2026: Backport #100024 to 25.12: Fix cross-user data leak in `system.asynchronous_inserts`
clickhouse-gh bot added a commit that referenced this pull request Mar 20, 2026: Backport #100024 to 26.1: Fix cross-user data leak in `system.asynchronous_inserts`
clickhouse-gh bot added a commit that referenced this pull request Mar 20, 2026: Backport #100024 to 26.3: Fix cross-user data leak in `system.asynchronous_inserts`
clickhouse-gh bot added a commit that referenced this pull request Mar 20, 2026: Backport #100024 to 25.8: Fix cross-user data leak in `system.asynchronous_inserts`
nikitamikhaylov added a commit that referenced this pull request Mar 31, 2026: Backport #100024 to 26.2: Fix cross-user data leak in `system.asynchronous_inserts`

Labels

  • pr-backports-created: Backport PRs are successfully created, it won't be processed by CI script anymore
  • pr-critical-bugfix
  • pr-must-backport: Pull request should be backported intentionally. Use this label with great care!
  • pr-must-backport-synced: The `*-must-backport` labels are synced into the cloud Sync PR
  • pr-synced-to-cloud: The PR is synced to the cloud repo


4 participants