Unsecure SECURITY DEFINER routines

Goal	SECURITY DEFINER routines must be secured against the malicious use of pg_temp schema. Find routines that do not explicitly set the search path or do it incorrectly (the search path is between quotation marks) and are thus potential targets of the attack. pg_temp must be the last entry in search_path. The lack of search_path is allowed only if the SQL statements in routines explicitly refer to the schemas that contain the schema objects.
Notes	Refers to the column pg_proc.prokind and thus works starting from PostgreSQL 11. The query does not consider the routines that are a part of an extension. In the returned body of routine the query replaces each newline character with the line break (br) tag for the better readability in case the query result is displayed in a web browser. There could be multiple routines with the same name but with different parameters in the same schema (overloading). Thus, for the unique identification of the routine it is necessary to present also its parameters in addition to the schema name and routine name.
Type	Problem detection (Each row in the result could represent a flaw in the design)
Reliability	Medium (Medium number of false-positive results)
License	MIT License
Fixing Suggestion	Set the search path of the routine.
Data Source	INFORMATION_SCHEMA+system catalog
SQL Query	SELECT pg_namespace.nspname AS routine_schema, pg_proc.proname AS routine_name, pg_get_function_identity_arguments(pg_proc.oid) AS parameters, CASE WHEN pg_proc.prokind='f' THEN 'FUNCTION' WHEN pg_proc.prokind='p' THEN 'PROCEDURE' WHEN pg_proc.prokind='w' THEN 'WINDOW FUNCTION' END AS routine_type, array_to_string(proconfig, ',') AS search_path, regexp_replace(pg_get_functiondef(pg_proc.oid),'[\r\n]',' ','g') AS routine_src FROM pg_catalog.pg_proc, pg_catalog.pg_namespace WHERE pg_proc.pronamespace = pg_namespace.oid AND prosecdef=TRUE AND pg_proc.prokind<>'a' AND (array_to_string(proconfig, ';') IS NULL OR array_to_string(proconfig, ';') !~ 'search_path=[^=]*pg_temp(;\|$)') AND pg_namespace.nspname NOT IN (SELECT schema_name FROM INFORMATION_SCHEMA.schemata WHERE schema_name<>'public' AND schema_owner='postgres' AND schema_name IS NOT NULL) AND NOT EXISTS (SELECT 1 FROM pg_catalog.pg_depend d WHERE EXISTS (SELECT 1 FROM pg_catalog.pg_extension e WHERE d.refobjid=e.oid) AND d.objid=pg_proc.oid) ORDER BY routine_schema, routine_name, parameters;

Collections

This query belongs to the following collections:

Name	Description
Find problems automatically	Queries, that results point to problems in the database. Each query in the collection produces an initial assessment. However, a human reviewer has the final say as to whether there is a problem or not .

Categories

This query is classified under the following categories:

Name	Description
Does not work in some earlier PostgreSQL version	Queries of this category provide information that was not available in some earlier PostgreSQL version
Security	Queries of this category provide information about the security measures.
User-defined routines	Queries of this category provide information about the user-defined routines

Further reading and related materials:

Reference
http://www.postgresql.org/docs/current/interactive/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
https://www.cybertec-postgresql.com/en/abusing-security-definer-functions/