Is the pganalyze.get_column_stats() function unsafe? #97
Comments

Hi,

I had a PG expert examine our PG installation and he mentioned that our function pganalyze.get_column_stats() could be unsafe, linking to this article: https://www.cybertec-postgresql.com/en/abusing-security-definer-functions/

Is there a security risk with that function? He recommended we run this command to fix the issue:

```sql
ALTER FUNCTION pganalyze.get_column_stats() SET search_path = pg_catalog;
```

Would that help? Would pganalyze still be able to function?

@JordanP Thanks for reaching out on this! Whilst it's generally a best practice to add the search_path to SECURITY DEFINER functions, in practice this shouldn't make a difference with these functions, because the referenced objects are fully qualified. We'll still review whether we can adjust the function definitions here, to include the search_path, since it's a good best practice to have anyway. But to be fully clear, it's our assessment that the SECURITY DEFINER functions are safe and do not require any changes. In case you have any details on how the current functions would be exploitable, please send us details to [email protected] - thanks!
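The following is an added example, not code from pganalyze or from either participant in this issue. It is a generic demonstration of the search_path trick that the linked article is about, using hypothetical roles (app_owner, low_priv) and a hypothetical function (normalize_name), and it makes no claim about pganalyze.get_column_stats(). It shows why the attack works when a SECURITY DEFINER body contains an unqualified reference, and what pinning the function's search_path changes. Run it as a superuser in a scratch database.

```sql
-- Added example (not pganalyze code). Hypothetical roles and functions.
-- On PostgreSQL 15+ the GRANT is needed because CREATE on schema public
-- is no longer granted to PUBLIC; on older versions it is a no-op.
CREATE ROLE app_owner;
CREATE ROLE low_priv LOGIN;
GRANT CREATE, USAGE ON SCHEMA public TO low_priv;

-- 1. Vulnerable pattern: SECURITY DEFINER, no search_path pinned, and an
--    unqualified call whose argument type (varchar) is not an exact match
--    for the built-in pg_catalog.lower(text). A SQL-language function body
--    in a $$ string is resolved at each call, in the CALLER's search_path.
CREATE FUNCTION public.normalize_name(n varchar) RETURNS text
LANGUAGE sql SECURITY DEFINER AS $$
  SELECT lower(n);
$$;
ALTER FUNCTION public.normalize_name(varchar) OWNER TO app_owner;
GRANT EXECUTE ON FUNCTION public.normalize_name(varchar) TO low_priv;

-- 2. The low-privilege user plants a function with an exact signature match.
--    Function resolution prefers an exact match over a candidate that needs
--    an implicit cast, regardless of schema order, so this body runs with
--    app_owner's privileges (current_user inside it is app_owner).
SET ROLE low_priv;
CREATE FUNCTION public.lower(v varchar) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
  RAISE NOTICE 'hijacked: running as %', current_user;
  RETURN pg_catalog.lower(v::text);
END;
$$;
SELECT public.normalize_name('Alice');   -- emits the NOTICE from the hijack
RESET ROLE;

-- 3. Fix: pin the search_path on the function itself. pg_temp is listed
--    explicitly and LAST: if it is not named at all, the session's temporary
--    schema is searched before pg_catalog, and any role with TEMP privilege
--    (PUBLIC by default) can create functions in its own pg_temp.
ALTER FUNCTION public.normalize_name(varchar)
  SET search_path = pg_catalog, pg_temp;

-- 4. Re-run as the attacker: only pg_catalog and pg_temp are searched inside
--    the body, public.lower is invisible, and pg_catalog.lower(text) is used.
SET ROLE low_priv;
SELECT public.normalize_name('Alice');   -- 'alice', no NOTICE
RESET ROLE;

-- Cleanup (DROP OWNED also revokes the schema privileges granted above).
DROP FUNCTION public.lower(varchar);
DROP FUNCTION public.normalize_name(varchar);
DROP OWNED BY low_priv;
DROP ROLE low_priv;
DROP ROLE app_owner;
```

Two details are worth keeping in mind when assessing a function like this. First, schema-qualifying the tables and functions a body references closes the path shown above, but unqualified operators (such as `=` or `||`) are also resolved through the search_path and would need the `OPERATOR(pg_catalog.=)` form to be fully qualified, which is why pinning the search_path on the function is the simpler and more robust habit. Second, the command suggested in the question, `SET search_path = pg_catalog`, leaves pg_temp implicitly first in the path; the PostgreSQL documentation's recommended form ends with `pg_temp`, as in step 3.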