https://github.com/jackc/pgsqlarbiter-go



# pgsqlarbiter

[![Go Reference](https://pkg.go.dev/badge/github.com/jackc/pgsqlarbiter-go.svg)](https://pkg.go.dev/github.com/jackc/pgsqlarbiter-go)
[![CI](https://github.com/jackc/pgsqlarbiter-go/actions/workflows/ci.yml/badge.svg)](https://github.com/jackc/pgsqlarbiter-go/actions/workflows/ci.yml)

pgsqlarbiter is a SQL query permission system for PostgreSQL. It is designed for granting semi-trusted users access to a PostgreSQL database. PostgreSQL's permission system is a necessary foundation, but further restrictions are often required. pgsqlarbiter adds the following:

* Only single statement DML (SELECT, INSERT, UPDATE, DELETE, MERGE, or VALUES) queries are allowed.
* All referenced tables, views, and named functions must be whitelisted.

These additional restrictions close many unexpected gaps that are difficult or impossible to restrict with the PostgreSQL permission system, such as:

* Exposure of system information via `information_schema` or `pg_catalog`.
* Exposure of system information via `SHOW`.
* Transactions that can block other users.
* `SET` can disable restrictions such as `statement_timeout`.
* Unexpected access to dangerous built-in functions like `set_config`, `pg_sleep`, `lo_*`, `pg_advisory_lock`, and `pg_notify`.

## Installation

```
go get github.com/jackc/pgsqlarbiter-go
```

## Usage

```go
// Analyze a SQL query to extract statement type, tables, and functions.
analysis, err := pgsqlarbiter.Analyze("SELECT * FROM users WHERE id = $1")
// analysis.StatementType == pgsqlarbiter.StatementSelect
// analysis.Tables == []string{"users"}
// analysis.Functions == []string{}

// Use an Arbiter to check if a SQL query is permitted.
arbiter := &pgsqlarbiter.Arbiter{
	AllowedTables: []string{"users"},
}

allowed := arbiter.Allow("SELECT count(*) FROM users")

// Use Judge for detailed denial reasons.
verdict, err := arbiter.Judge("SELECT count(*) FROM users")
// verdict.Allowed == true
// verdict.Analysis contains the parsed analysis
// verdict.DisallowedTables, verdict.DisallowedFunctions list any violations
```

## Limitations

pgsqlarbiter is not sufficient security on its own. It is designed to be an additional layer on top of using a heavily restricted PostgreSQL user.

* pgsqlarbiter uses its own SQL parser. A potential weakness is a mismatch between the pgsqlarbiter and PostgreSQL SQL parsers.
* Operators and type casts are implemented via functions. These pass through without filtering.
* Identifiers containing dots are rejected.
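
The database-side layer this section assumes (a heavily restricted PostgreSQL user) could look like the following. This is an added example, not code from the pgsqlarbiter project; the role `report_user`, the database `appdb`, the table `public.users` and the timeout values are constructed for illustration.

```sql
-- Added example: baseline for a semi-trusted role that pgsqlarbiter sits on top of.
-- All names and values are constructed placeholders.

-- No superuser-adjacent attributes; replace the placeholder password.
CREATE ROLE report_user LOGIN PASSWORD 'REPLACE_ME'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS
    NOINHERIT CONNECTION LIMIT 5;

-- Remove the default privileges every role receives through PUBLIC.
-- This affects all non-owner roles, so grant back explicitly where needed.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Grant only what the role needs: connect, resolve names, read one table.
GRANT CONNECT ON DATABASE appdb TO report_user;
GRANT USAGE ON SCHEMA public TO report_user;
GRANT SELECT ON public.users TO report_user;

-- Per-role session defaults. The session can override these with SET,
-- so they only hold when SET statements never reach the server.
ALTER ROLE report_user SET statement_timeout = '5s';
ALTER ROLE report_user SET idle_in_transaction_session_timeout = '10s';
ALTER ROLE report_user SET default_transaction_read_only = on;
```

The `ALTER ROLE ... SET` values are session defaults only, which is why rejecting `SET` at the pgsqlarbiter layer matters. With these grants the role can still read `pg_catalog` and call built-in functions such as `pg_sleep`, which is the part the table and function whitelist covers.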

## Other Implementations

* [pgsqlarbiter-rb](https://github.com/jackc/pgsqlarbiter-rb) - Ruby