MIME-Version: 1.0
References: <20241227205025.1d059f72c7c08d23c9648c26@magnetkern.de>
 <CAKFQuwb4hgHH=Z6cx5Hh_qc10TCYMb1QVfP3099X1Psmyw0r3Q@mail.gmail.com>
 <20241228004009.267f21b78394c934f27f9974@magnetkern.de> <20250101185504.3d50c571c3448512e94288e8@magnetkern.de>
 <CAKFQuwZ1G5p+nAqS4OCQ37duyqPkf8oNNEJ2p6HwDb0RzGzBTg@mail.gmail.com> <20250102113727.1574b14fd677d164c32160bc@magnetkern.de>
In-Reply-To: <20250102113727.1574b14fd677d164c32160bc@magnetkern.de>
From: Pavel Stehule <pavel.stehule@gmail.com>
Date: Thu, 2 Jan 2025 12:40:59 +0100
Message-ID: <CAFj8pRCb1aRzB4MmPX-X5BNF6-JgKMfDeirgnYNL-_gbCOqp8w@mail.gmail.com>
Subject: Re: search_path for PL/pgSQL functions partially cached?
To: Jan Behrens <jbe-mlist@magnetkern.de>
Cc: "David G. Johnston" <david.g.johnston@gmail.com>, 
	"pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000fc9baa062ab7a426"
Archived-At: <https://www.postgresql.org/message-id/CAFj8pRCb1aRzB4MmPX-X5BNF6-JgKMfDeirgnYNL-_gbCOqp8w%40mail.gmail.com>
Precedence: bulk

--000000000000fc9baa062ab7a426
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi

=C4=8Dt 2. 1. 2025 v 11:37 odes=C3=ADlatel Jan Behrens <jbe-mlist@magnetker=
n.de>
napsal:

> On Wed, 1 Jan 2025 11:19:32 -0700
> "David G. Johnston" <david.g.johnston@gmail.com> wrote:
>
> > On Wed, Jan 1, 2025 at 10:55=E2=80=AFAM Jan Behrens <jbe-mlist@magnetke=
rn.de>
> wrote:
> >
> > > On Sat, 28 Dec 2024 00:40:09 +0100
> > > Jan Behrens <jbe-mlist@magnetkern.de> wrote:
> > >
> > > > On Fri, 27 Dec 2024 13:26:28 -0700
> > > > "David G. Johnston" <david.g.johnston@gmail.com> wrote:
> > > >
> > > > > > Or is it documented somewhere?
> > > > >
> > > > >
> > >
> https://www.postgresql.org/docs/current/plpgsql-implementation.html#PLPGS=
QL-PLAN-CACHING
> > > >
> > > > I can't find any notes regarding functions and schemas in that
> section.
> > >
> > >
> > "Because PL/pgSQL saves prepared statements and sometimes execution pla=
ns
> > in this way, SQL commands that appear directly in a PL/pgSQL function
> must
> > refer to the same tables and columns on every execution; that is, you
> > cannot use a parameter as the name of a table or column in an SQL
> command."
> >
> > Changing search_path is just one possible way to change out which objec=
t
> a
> > name tries to refer to so it is not called out explicitly.
>
> The first part of the cited sentence seems helpful ("you must always
> refer to the same tables and columns on every execution"). I would thus
> conclude that using a dynamic search_path when running functions or
> procedures is *always* considered errorneous (even though not reported
> by the database as an error), except when using EXECUTE.
>
> I wonder if the database could/should generate an error (or at least a
> warning?) when a function or procedure without a "SET search_path"
> statement uses a non-qualified name? According to the documentation
> using a dynamic search_path to refer to different entities in the
> database is a case that "must" not happen.
>
> But following through, this might lead to more warnings one might
> expect, e.g. when using simple operators such as "=3D" or the "IN" or
> "CASE expression WHEN" statements, as these rely on the search_path as
> well. Should such code be considered non-idiomatic, dangerous, or even
> errorneous if a "SET search_path" option is missing in the
> function's/procedure's definition?
>
> Maybe I'm overthinking this. But in practice, I've been running into
> surprising issues whenever functions and schemas are involved, and I'm
> not sure if every programmer will be aware of how important it is to
> properly set a search_path in the function's defintion after reading
> the documentation. (Besides, it's not always possible in procedures.)
>

How can you identify unwanted usage of non qualified identifiers from
wanted usage of non qualified identifiers? It is a common pattern for
sharding. Using not qualified identifiers of operators, functions is common
when you are using orafce extensions, etc.

Using qualified identifiers everywhere strongly reduces readability. There
are no aliases to the schema, so aliases cannot help.

you can identify the functions where search_path is not explicitly assigned

select oid::regprocedure
  from pg_proc
where pronamespace::regnamespace not in ('pg_catalog',
'information_schema')
   and not exists(select 1 from unnest(proconfig) g(v) where  v ~
'^search_path');


Regards

Pavel


> >
> > > "SQL-language and PL-language functions provided by extensions are at
> > > risk of search-path-based attacks when they are executed, since parsi=
ng
> > > of these functions occurs at execution time not creation time."
> >
> > > Moreover, it isn't true for all
> > > SQL-language functions, as can be demonstrated with the following cod=
e:
> >
> > Yeah, when we added a second method to write an SQL-language function,
> one
> > that doesn't simply accept a string body, we didn't update that section
> to
> > point out that is the string input variant of create function that is
> > affected in this manner, the non-string (atomic) variant stores the
> result
> > of parsing the inline code as opposed to storing the raw text.
> >
> > David J.
>
> I missed that other part in the manual (which is in a totally different
> section). Should I report the missing update in section 36.17.6.1. of
> the documentation as a documentation issue, or is it not necessary?
>
> Kind regards,
> Jan Behrens
>
>
>

--000000000000fc9baa062ab7a426
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi<br></div><br><div class=3D"gmail_quote gmail_quote=
_container"><div dir=3D"ltr" class=3D"gmail_attr">=C4=8Dt 2. 1. 2025 v=C2=
=A011:37 odes=C3=ADlatel Jan Behrens &lt;<a href=3D"mailto:jbe-mlist@magnet=
kern.de">jbe-mlist@magnetkern.de</a>&gt; napsal:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">On Wed, 1 Jan 2025 11:19:32 -0700<br>
&quot;David G. Johnston&quot; &lt;<a href=3D"mailto:david.g.johnston@gmail.=
com" target=3D"_blank">david.g.johnston@gmail.com</a>&gt; wrote:<br>
<br>
&gt; On Wed, Jan 1, 2025 at 10:55=E2=80=AFAM Jan Behrens &lt;<a href=3D"mai=
lto:jbe-mlist@magnetkern.de" target=3D"_blank">jbe-mlist@magnetkern.de</a>&=
gt; wrote:<br>
&gt; <br>
&gt; &gt; On Sat, 28 Dec 2024 00:40:09 +0100<br>
&gt; &gt; Jan Behrens &lt;<a href=3D"mailto:jbe-mlist@magnetkern.de" target=
=3D"_blank">jbe-mlist@magnetkern.de</a>&gt; wrote:<br>
&gt; &gt;<br>
&gt; &gt; &gt; On Fri, 27 Dec 2024 13:26:28 -0700<br>
&gt; &gt; &gt; &quot;David G. Johnston&quot; &lt;<a href=3D"mailto:david.g.=
johnston@gmail.com" target=3D"_blank">david.g.johnston@gmail.com</a>&gt; wr=
ote:<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; &gt; Or is it documented somewhere?<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt;<br>
&gt; &gt; <a href=3D"https://www.postgresql.org/docs/current/plpgsql-implem=
entation.html#PLPGSQL-PLAN-CACHING" rel=3D"noreferrer" target=3D"_blank">ht=
tps://www.postgresql.org/docs/current/plpgsql-implementation.html#PLPGSQL-P=
LAN-CACHING</a><br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; I can&#39;t find any notes regarding functions and schemas i=
n that section.<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &quot;Because PL/pgSQL saves prepared statements and sometimes executi=
on plans<br>
&gt; in this way, SQL commands that appear directly in a PL/pgSQL function =
must<br>
&gt; refer to the same tables and columns on every execution; that is, you<=
br>
&gt; cannot use a parameter as the name of a table or column in an SQL comm=
and.&quot;<br>
&gt; <br>
&gt; Changing search_path is just one possible way to change out which obje=
ct a<br>
&gt; name tries to refer to so it is not called out explicitly.<br>
<br>
The first part of the cited sentence seems helpful (&quot;you must always<b=
r>
refer to the same tables and columns on every execution&quot;). I would thu=
s<br>
conclude that using a dynamic search_path when running functions or<br>
procedures is *always* considered errorneous (even though not reported<br>
by the database as an error), except when using EXECUTE.<br>
<br>
I wonder if the database could/should generate an error (or at least a<br>
warning?) when a function or procedure without a &quot;SET search_path&quot=
;<br>
statement uses a non-qualified name? According to the documentation<br>
using a dynamic search_path to refer to different entities in the<br>
database is a case that &quot;must&quot; not happen.<br>
<br>
But following through, this might lead to more warnings one might<br>
expect, e.g. when using simple operators such as &quot;=3D&quot; or the &qu=
ot;IN&quot; or<br>
&quot;CASE expression WHEN&quot; statements, as these rely on the search_pa=
th as<br>
well. Should such code be considered non-idiomatic, dangerous, or even<br>
errorneous if a &quot;SET search_path&quot; option is missing in the<br>
function&#39;s/procedure&#39;s definition?<br>
<br>
Maybe I&#39;m overthinking this. But in practice, I&#39;ve been running int=
o<br>
surprising issues whenever functions and schemas are involved, and I&#39;m<=
br>
not sure if every programmer will be aware of how important it is to<br>
properly set a search_path in the function&#39;s defintion after reading<br=
>
the documentation. (Besides, it&#39;s not always possible in procedures.)<b=
r></blockquote><div><br></div><div>How can you identify unwanted usage of n=
on qualified identifiers from wanted usage of non qualified identifiers? It=
 is a common pattern for sharding. Using not qualified identifiers of opera=
tors, functions is common when you are using orafce extensions, etc.<br></d=
iv><div><br></div><div>Using qualified identifiers everywhere strongly redu=
ces readability. There are no aliases to the schema, so aliases cannot help=
.</div><div><br></div><div>you can identify the functions where search_path=
 is not explicitly assigned</div><div><br></div><div>select oid::regprocedu=
re=C2=A0</div><div>=C2=A0 from pg_proc=C2=A0</div><div>where pronamespace::=
regnamespace not in (&#39;pg_catalog&#39;, &#39;information_schema&#39;)=C2=
=A0</div><div>=C2=A0=C2=A0 and not exists(select 1 from unnest(proconfig) g=
(v) where =C2=A0v ~ &#39;^search_path&#39;);</div><div><br></div><div><br><=
/div><div>Regards</div><div><br></div><div>Pavel<br></div><div><br></div><b=
lockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-le=
ft:1px solid rgb(204,204,204);padding-left:1ex">
<br>
&gt; <br>
&gt; &gt; &quot;SQL-language and PL-language functions provided by extensio=
ns are at<br>
&gt; &gt; risk of search-path-based attacks when they are executed, since p=
arsing<br>
&gt; &gt; of these functions occurs at execution time not creation time.&qu=
ot;<br>
&gt; <br>
&gt; &gt; Moreover, it isn&#39;t true for all<br>
&gt; &gt; SQL-language functions, as can be demonstrated with the following=
 code:<br>
&gt; <br>
&gt; Yeah, when we added a second method to write an SQL-language function,=
 one<br>
&gt; that doesn&#39;t simply accept a string body, we didn&#39;t update tha=
t section to<br>
&gt; point out that is the string input variant of create function that is<=
br>
&gt; affected in this manner, the non-string (atomic) variant stores the re=
sult<br>
&gt; of parsing the inline code as opposed to storing the raw text.<br>
&gt; <br>
&gt; David J.<br>
<br>
I missed that other part in the manual (which is in a totally different<br>
section). Should I report the missing update in section 36.17.6.1. of<br>
the documentation as a documentation issue, or is it not necessary?<br>
<br>
Kind regards,<br>
Jan Behrens<br>
<br>
<br>
</blockquote></div></div>

--000000000000fc9baa062ab7a426--