Hi,
I had a PG expert examine our PG installation and he mentioned that our function
pganalyze.get_column_stats()
could be unsafe, linking to this article https://www.cybertec-postgresql.com/en/abusing-security-definer-functions/
Is there a security risk with that function? He recommended we run that command to fix the issue:
ALTER FUNCTION pganalyze.get_column_stats() SET search_path = pg_catalog;
Would that help? Would pganalyze still be able to function?
Whilst it's generally a best practice to add the search_path to SECURITY DEFINER functions, in practice this shouldn't make a difference with these functions, because the referenced objects are fully qualified. We'll still review whether we can adjust the function definitions here, to include the search_path, since it's a good best practice to have anyway.
But to be fully clear, it's our assessment that the SECURITY DEFINER functions are safe and do not require any changes.
In case you have any details on how the current functions would be exploitable, please send us details to [email protected] - thanks!
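The check a DBA would want after reading the reply above, as an added example that is neither pganalyze's code nor part of this thread: a SECURITY DEFINER function written the way the maintainer describes (every referenced object schema-qualified, no search_path pinned), an audit query over pg_proc that lists SECURITY DEFINER functions whose per-function settings do not pin search_path, and the ALTER FUNCTION retrofit with pg_temp placed last as the PostgreSQL documentation recommends. The schema audit_demo and the function column_count are assumptions for illustration; everything else is core PostgreSQL.

```sql
-- Added example, not pganalyze's code and not from the thread above.
-- Assumes a hypothetical schema audit_demo; everything else is core PostgreSQL.

CREATE SCHEMA IF NOT EXISTS audit_demo;

-- A SECURITY DEFINER helper written the way the maintainer describes:
-- every referenced object is schema-qualified, but no search_path is pinned.
CREATE OR REPLACE FUNCTION audit_demo.column_count(rel regclass)
RETURNS bigint
LANGUAGE sql
STABLE
SECURITY DEFINER
AS $$
  SELECT pg_catalog.count(*)
  FROM pg_catalog.pg_attribute a
  WHERE a.attrelid = rel
    AND a.attnum > 0
    AND NOT a.attisdropped;
$$;

-- Audit: list SECURITY DEFINER functions outside the system schemas whose
-- per-function settings (pg_proc.proconfig) do not pin search_path.
-- Each row is a function whose safety rests solely on qualified references.
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args,
       p.proconfig
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        SELECT 1
        FROM pg_catalog.unnest(COALESCE(p.proconfig, '{}'::text[])) AS cfg(setting)
        WHERE cfg.setting LIKE 'search_path=%'
      )
ORDER BY 1, 2;

-- Remediation: pin search_path on the function. pg_temp goes last, as the
-- PostgreSQL documentation recommends for SECURITY DEFINER functions, so a
-- temporary object can never shadow a catalog object during the call.
ALTER FUNCTION audit_demo.column_count(regclass)
  SET search_path = pg_catalog, pg_temp;
```

Run the audit query once before and once after the ALTER FUNCTION: the first run lists audit_demo.column_count because its proconfig is NULL, the second does not, because the setting is now stored in proconfig. The same query is how to confirm whether any given function, pganalyze's included, carries a pinned search_path; a function that does not appear in the list but references unqualified objects is the case the cited article is about, and that is a code-review question rather than something the catalog can answer.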