Security vulnerability with call to array_to_string

[ujjwalpl]

pg_partman SQL extension code calls array_to_string without specifying the namespace pg_catalog. An attacker can escalate privileges by defining own array_to_string SQL function that has arbitrary code in it when postgresql server calls the defined malicious function. We need to fix the pg_partman extension SQL definitions so that calls to array_to_strings are changed to pg_catalog.array_to_strings.

[keithf4]

Good catch. I tried to be thorough with built-in catalog calls but seems I missed some. If you find any others, please let me know!

[keithf4]

Seems I actually missed this on a lot of functions. Was pretty good when querying catalog views and tables, but missed a lot of common functions. Will work on the next update to be a patch to fix as many of these as I can find. Thank you!

A note of some relief, though, is that none of the functions are security definer. So the functions can only do things that the user themselves has privileges to do. So as it is now, there should be no worry of privilege escalation that I can see.

One big thing that you can do with pg_partman, and is the default recommended, is to install it to its own schema. Then only give specific users privileges to use the schema that partman is in. That can help further mitigate issues.

[keithf4]

PR #837 should hopefully address this and all search path related issues going forward. Thank you again for bringing this up. Made me re-evaluate how I handled search paths throughout the extension and PG functions coding going forward!

[keithf4]

If you have time to test this PR, I would appreciate it. I'm hoping to get this released in the next week or so.