Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is the pganalyze.get_column_stats() function unsafe ? #97

Open
JordanP opened this issue Oct 23, 2020 · 1 comment
Open

Is the pganalyze.get_column_stats() function unsafe ? #97

JordanP opened this issue Oct 23, 2020 · 1 comment

Comments

@JordanP
Copy link

JordanP commented Oct 23, 2020

Hi,
I had a PG expert examine our PG installation and he mentioned that our function pganalyze.get_column_stats() could be unsafe, linking to this article https://www.cybertec-postgresql.com/en/abusing-security-definer-functions/

Is there a security risk with that function ? He recommended we ran that command to fix the issue: ALTER FUNCTION pganalyze.get_column_stats() SET search_path = pg_catalog; Would that help ? Would pganalyze still be able to function ?

@lfittl
Copy link
Member

lfittl commented Nov 1, 2020

@JordanP Thanks for reaching out on this!

Whilst it's generally a best practice to add the search_path to SECURITY DEFINER functions, in practice this shouldn't make a difference with these functions, because the referenced objects are fully qualified. We'll still review whether we can adjust the function definitions here, to include the search_path, since its a good best practice to have any way.

But to be fully clear, it's our assessment that the SECURITY DEFINER functions are safe and do not require any changes.

In case you have any details on how the current functions would be exploitable, please send us details to [email protected] - thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants