Re: search_path for PL/pgSQL functions partially cached? - Mailing list pgsql-general
| From | Jan Behrens |
|---|---|
| Subject | Re: search_path for PL/pgSQL functions partially cached? |
| Date | |
| Msg-id | 20250103223312.dde69ae482776e4f1b0c2258@magnetkern.de Whole thread Raw |
| In response to | Re: search_path for PL/pgSQL functions partially cached? ("David G. Johnston" <david.g.johnston@gmail.com>) |
| Responses |
Re: search_path for PL/pgSQL functions partially cached?
Re: search_path for PL/pgSQL functions partially cached? |
| List | pgsql-general |
On Fri, 3 Jan 2025 10:16:15 -0700
"David G. Johnston" <david.g.johnston@gmail.com> wrote:
> It is at risk because it depends on the session search_path. That is all.
> Whether that risk turns into a failure to execute depends on how/when it is
> executed. I'm not that comfortable talking about security risks in this
> context though the current design goal is to mitigate such security issues
> by setting things up so the function execution fails rather than is
> executed insecurely. This is presently mainly done by setting the
> search_path to just effectively pg_catalog before executing the query,
> breaking any code depending on other schemas existing in the search_path.
I'm not sure if there is a misunderstanding. In my last example (e-mail
dated Fri, 3 Jan 2025 13:53:32 +0100), the user who has control over
the contents of the "query_p" argument is an application programmer,
not a real end-user. The function is also *not* marked as SECURITY
DEFINER, so it always runs with the privileges of the caller. I don't
see any specific security risk here, except that I'm unsure if the
function is written properly with regard to qualification of the used
types after PL/pgSQL's BEGIN. As I learned, I must fully-qualify types
*before* the BEGIN, i.e. in the DECLARE section. But does this also
hold for types after the BEGIN when I previously ensure that the
search_path is correctly set (set within the function's body)?
>
> > > Anything that would be executed during pg_restore has to be made
> > > safe. Therefore, code that is only ever executed by applications
> > directly
> > > can use swarch_path.
> >
> > Why should the function be executed during pg_restore?
>
>
> If the function is used in building an index, or a materialized view, are
> the common cases. Trigger functions too.
>
> Note, this is talking about evaluating functions generally, not the one
> provided here specifically.
I don't think my function would be evaluated during a pg_restore then.
>
> > I could do that, but I would like to understand if that is really
> > necessary as it makes the interface more complicated, and I would like
> > to avoid unnecessary complexity in my interface.
> >
> > Is it really impossible to have functions without SET search_path in
> > the definition of a PL/pgSQL function if I fully-qualify all types in
> > the DECLARE section and if all other non-qualified identifiers occur
> > after set_config('search_path', ...)?
> >
> If you add a set_config to the body of the function then you indeed avoid
> the problem. It is basically equivalent to adding a SET clause to the
> create function command. In this case even when the function is executed
> in a sanitized search_path environment (such as the one established by
> pg_restore) you are not relying on it. That non-reliance is all that
> really matters.
>
> David J.
But if I use "SET search_path FROM CURRENT", then the called function
won't know the search_path that is set at the caller's side (which is
what I need to make my interface nice to use).
I would prefer my current solution, but I would like to be sure that my
example (the one in my e-mail dated Fri, 3 Jan 2025 13:53:32 +0100) is
correct. I still am not sure about that.
Kind Regards,
Jan Behrens
pgsql-general by date: