Unnecessary privileges to use trigger functions

Goal	A user that corresponds to an application does not have to have privileges to use trigger functions. If it has these, then it violates the principle of least privilege.
Type	Problem detection (Each row in the result could represent a flaw in the design)
Reliability	High (Few or no false-positive results)
License	MIT License
Fixing Suggestion	Revoke unnecessary privileges.
Data Source	INFORMATION_SCHEMA+system catalog
SQL Query	WITH privs AS (SELECT rp.routine_schema, rp.routine_name, pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters, rp.grantee, rp.privilege_type, rp.is_grantable FROM information_schema.routine_privileges AS rp, information_schema.routines AS r WHERE rp.routine_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND rp.routine_schema=r.routine_schema AND rp.specific_name=r.specific_name AND r.data_type='trigger' AND grantee<>'PUBLIC' AND NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles r WHERE rolsuper=TRUE AND rp.grantee=r.rolname)) SELECT routine_schema, routine_name, parameters, grantee, privilege_type FROM privs ORDER BY routine_schema, routine_name, parameters, privilege_type;

SQL statements that help generate fixes for the identified problem.

SQL Query to Generate Fix Description

SQL Query to Generate Fix	Description
WITH privs AS (SELECT rp.routine_schema, rp.routine_name, pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters, rp.grantee, rp.privilege_type, rp.is_grantable FROM information_schema.routine_privileges AS rp, information_schema.routines AS r WHERE rp.routine_schema NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND rp.routine_schema=r.routine_schema AND rp.specific_name=r.specific_name AND r.data_type='trigger' AND grantee<>'PUBLIC' AND NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles r WHERE rolsuper=TRUE AND rp.grantee=r.rolname)) SELECT format('REVOKE %1$s ON FUNCTION %2$I.%3$I(%4$s) FROM %5$I;', privilege_type, routine_schema, routine_name, parameters, grantee) AS statements FROM privs ORDER BY routine_schema, routine_name;	Revoke unnecessary privileges.

WITH privs AS (SELECT rp.routine_schema, rp.routine_name, 
pg_get_function_identity_arguments(translate(substring(rp.specific_name,'_[0-9]+$'),'_','')::int::oid) AS parameters,
rp.grantee, rp.privilege_type, rp.is_grantable
FROM information_schema.routine_privileges AS rp,
information_schema.routines AS r
WHERE rp.routine_schema NOT IN (SELECT schema_name
FROM INFORMATION_SCHEMA.schemata
WHERE schema_name<>'public' AND
schema_owner='postgres' AND schema_name IS NOT NULL)  AND
rp.routine_schema=r.routine_schema AND 
rp.specific_name=r.specific_name AND
r.data_type='trigger' AND 
grantee<>'PUBLIC' AND
NOT EXISTS (SELECT 1
FROM pg_catalog.pg_roles r
WHERE rolsuper=TRUE AND rp.grantee=r.rolname))
SELECT format('REVOKE %1$s ON FUNCTION %2$I.%3$I(%4$s) FROM %5$I;', privilege_type, routine_schema, routine_name, parameters, grantee) AS statements 
FROM privs
ORDER BY routine_schema, routine_name;

Revoke unnecessary privileges.

Collections

This query belongs to the following collections:

Name	Description
Find problems automatically	Queries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not .

Categories

This query is classified under the following categories:

Name	Description
Security	Queries of this category provide information about the security measures.
Triggers and rules	Queries of this category provide information about triggers and rules in a database.
User-defined routines	Queries of this category provide information about the user-defined routines