external
/
pg_stat_monitor
mirror of https://github.com/percona/pg_stat_monitor.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PG-417: Replace 'CREATE OR REPLACE' with 'CREATE' for extension. 

While analyzing the pg_stat_monitor installation scripts I found several
vulnerabilities. pg_stat_monitor uses CREATE OR REPLACE to install its
functions which is a security hazard. An attacker can precreate the functions
have a superuser install the extension and after installation the attacker
can switch out the function with a malicious version since he would still
be the owner of the function. Instead of CREATE OR REPLACE the installation
script should use plain CREATE to prevent this attack.

For reference
https://www.postgresql.org/docs/current/extend-extensions.html#EXTEND-EXTENSIONS-SECURITY
https://github.com/timescale/pgspot
pull/232/head
Ibrar Ahmed 2022-05-22 03:44:32 +00:00
parent b3a2b8daf0
commit a59bca088a
3 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pg_stat_monitor--1.0.13.sql.in
View File

@ -89,7 +89,7 @@ RETURNS SETOF record
AS 'MODULE_PATHNAME', 'pg_stat_monitor'
LANGUAGE C STRICT VOLATILE PARALLEL SAFE;
CREATE OR REPLACE FUNCTION get_state(state_code int8) RETURNS TEXT AS
CREATE FUNCTION get_state(state_code int8) RETURNS TEXT AS
$$
SELECT
CASE
@ -102,7 +102,7 @@ SELECT
$$
LANGUAGE SQL PARALLEL SAFE;
CREATE or REPLACE FUNCTION get_cmd_type (cmd_type INTEGER) RETURNS TEXT AS
CREATE FUNCTION get_cmd_type (cmd_type INTEGER) RETURNS TEXT AS
$$
SELECT
CASE
@ -225,7 +225,7 @@ SELECT
$$
LANGUAGE SQL PARALLEL SAFE;
CREATE OR REPLACE FUNCTION histogram(_bucket int, _quryid text)
CREATE FUNCTION histogram(_bucket int, _quryid text)
RETURNS SETOF RECORD AS $$
DECLARE
rec record;

6
pg_stat_monitor--1.0.14.sql.in
View File

@ -89,7 +89,7 @@ RETURNS SETOF record
AS 'MODULE_PATHNAME', 'pg_stat_monitor'
LANGUAGE C STRICT VOLATILE PARALLEL SAFE;
CREATE OR REPLACE FUNCTION get_state(state_code int8) RETURNS TEXT AS
CREATE FUNCTION get_state(state_code int8) RETURNS TEXT AS
$$
SELECT
CASE
@ -102,7 +102,7 @@ SELECT
$$
LANGUAGE SQL PARALLEL SAFE;
CREATE or REPLACE FUNCTION get_cmd_type (cmd_type INTEGER) RETURNS TEXT AS
CREATE FUNCTION get_cmd_type (cmd_type INTEGER) RETURNS TEXT AS
$$
SELECT
CASE
@ -226,7 +226,7 @@ SELECT
$$
LANGUAGE SQL PARALLEL SAFE;
CREATE OR REPLACE FUNCTION histogram(_bucket int, _quryid text)
CREATE FUNCTION histogram(_bucket int, _quryid text)
RETURNS SETOF RECORD AS $$
DECLARE
rec record;

6
pg_stat_monitor--1.0.sql.in
View File

@ -86,7 +86,7 @@ RETURNS SETOF record
AS 'MODULE_PATHNAME', 'pg_stat_monitor'
LANGUAGE C STRICT VOLATILE PARALLEL SAFE;
CREATE OR REPLACE FUNCTION get_state(state_code int8) RETURNS TEXT AS
CREATE FUNCTION get_state(state_code int8) RETURNS TEXT AS
$$
SELECT
CASE
@ -99,7 +99,7 @@ SELECT
$$
LANGUAGE SQL PARALLEL SAFE;
CREATE or REPLACE FUNCTION get_cmd_type (cmd_type INTEGER) RETURNS TEXT AS
CREATE FUNCTION get_cmd_type (cmd_type INTEGER) RETURNS TEXT AS
$$
SELECT
CASE
@ -212,7 +212,7 @@ SELECT
$$
LANGUAGE SQL PARALLEL SAFE;
CREATE OR REPLACE FUNCTION histogram(_bucket int, _quryid text)
CREATE FUNCTION histogram(_bucket int, _quryid text)
RETURNS SETOF RECORD AS $$
DECLARE
rec record;