fix: do not allow relative path in DuckDB COPY statements (#827)

Vanilla PostgreSQL does not allow COPY statements with relative path as
it may lead to overriding database files and result in database
corruption. This puts the same restriction on pg_duckdb. It's important
to continue to allow COPY to URIs though.

---------

Co-authored-by: Jelte Fennema-Nio <jelte@motherduck.com>

Author: ggnmstr

src/utility/copy.cpp

@@ -235,6 +235,27 @@ StringOneOfInternal(const char *str, const char *compare_to[], int length_of_com
 	return false;
 }
 
+bool
+MatchesURIScheme(const char *str) {
+	if (str == NULL) {
+		return false;
+	}
+
+	const char *p = str;
+
+	// First character must be a letter
+	if (!isalpha(*p))
+		return false;
+	p++;
+
+	// Continue with alphanumeric
+	while (*p && (isalnum(*p)))
+		p++;
+
+	// Must be followed by ://
+	return (strncmp(p, "://", 3) == 0);
+}
+
 #define StringOneOf(str, compare_to) StringOneOfInternal(str, compare_to, lengthof(compare_to))
 
 static bool
@@ -262,6 +283,11 @@ IsAllowedStatement(CopyStmt *stmt, bool throw_error = false) {
 		return false;
 	}
 
+	if (!stmt->is_from && !is_absolute_path(stmt->filename) && !MatchesURIScheme(stmt->filename)) {
+		ereport(elevel, (errcode(ERRCODE_INVALID_NAME), errmsg("relative path not allowed for COPY to file")));
+		return false;
+	}
+
 	return true;
 }
 

test/pycheck/copy_test.py

@@ -36,6 +36,13 @@ def test_copy_to_local(cur: Cursor, tmp_path: Path):
             f"COPY test_table TO '{csv_path}' WITH (FORMAT CSV, UNKNOWN_OPTION true)"
         )
 
+    # copying to relative paths is not allowed though, in accordance with
+    # Postgres behaviour to avoid overwriting datababase file accidentally.
+    with pytest.raises(
+        psycopg.errors.InvalidName, match="relative path not allowed for COPY to file"
+    ):
+        cur.sql("COPY test_table TO 'test_copy.csv' WITH (FORMAT CSV)")
+
     # Disabling duckdb.force_execution makes the query fail with a different
     # error.
     cur.sql("SET duckdb.force_execution = false")
@@ -56,6 +63,14 @@ def test_copy_to_local(cur: Cursor, tmp_path: Path):
         (2, "Bob"),
     ]
 
+    # Again relative paths are not allowed for COPY TO, this becomes an
+    # internal error though, due to our failure to propagate error codes
+    # correctly.
+    with pytest.raises(
+        psycopg.errors.InternalError, match="relative path not allowed for COPY to file"
+    ):
+        cur.sql("COPY test_table TO 'test_copy.parquet' WITH (FORMAT PARQUET)")
+
     # We can copy the result of a DuckDB query using Postgres its COPY logic
     cur.sql(
         f"COPY (select * from duckdb.query($$ select 123 as xyz $$)) TO '{csv_path}'"

test/regression/expected/issue_789.out

@@ -1,5 +1,5 @@
 SET duckdb.force_execution = TRUE;
-COPY (SELECT 1 INTO frak UNION SELECT 2) TO 'blob';
+COPY (SELECT 1 INTO frak UNION SELECT 2) TO '/blob';
 ERROR:  COPY (SELECT INTO) is not supported
-COPY (SELECT 1 INTO frak UNION SELECT 2) TO 'blob.parquet';
+COPY (SELECT 1 INTO frak UNION SELECT 2) TO '/blob.parquet';
 ERROR:  (PGDuckDB/DuckdbUtilityHook_Cpp) Executor Error: (PGDuckDB/MakeDuckdbCopyQuery) DuckDB COPY only supports SELECT statements

test/regression/sql/issue_789.sql

@@ -1,4 +1,4 @@
 SET duckdb.force_execution = TRUE;
 
-COPY (SELECT 1 INTO frak UNION SELECT 2) TO 'blob';
-COPY (SELECT 1 INTO frak UNION SELECT 2) TO 'blob.parquet';
+COPY (SELECT 1 INTO frak UNION SELECT 2) TO '/blob';
+COPY (SELECT 1 INTO frak UNION SELECT 2) TO '/blob.parquet';