Add security definer and search_path to event trigger functions.
commit   : 881c617084cac4985b9471426510af05c2a49dd7
author   : David Steele <firstname.lastname@example.org>
date     : Thu, 4 Nov 2021 14:51:17 -0400
committer: GitHub <email@example.com>
date     : Thu, 4 Nov 2021 14:51:17 -0400
Similar to #156, this prevents users from defining their own versions of functions used in the event triggers. Either one should be sufficient on its own, but both provide better defense against regressions.
R083 pgaudit--1.6.sql pgaudit--1.6.1.sql
Guard against search-path based attacks.
commit   : 4c3a5023f871a70549bce4a7d750231c3f54df76
author   : Sergey Shinderuk <firstname.lastname@example.org>
date     : Thu, 4 Nov 2021 18:21:07 +0300
committer: GitHub <email@example.com>
date     : Thu, 4 Nov 2021 18:21:07 +0300
Use qualified references to functions and operators in the SQL queries executed by the event triggers to prevent users from defining their own functions or operators to replace them. This would not prevent audit logging, but it would allow the user to modify the type and name of the object in the DDL statement being audited.
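
The two defenses described in the commits above, applied to a hypothetical PL/pgSQL event trigger function and followed by a catalog query that lists event trigger functions missing either one. This is an added example, not pgaudit's own code; every `audit_demo` name is an assumption, and `EXECUTE FUNCTION` assumes PostgreSQL 11 or later.

```sql
-- Constructed example: schema, table, function and trigger names are hypothetical.
CREATE SCHEMA audit_demo;
CREATE TABLE audit_demo.ddl_log (
    logged_at   timestamptz NOT NULL DEFAULT pg_catalog.now(),
    command_tag text,
    object_type text,
    object_name text
);

-- Weak form: runs as the user issuing the DDL, and upper(), <> and
-- pg_event_trigger_ddl_commands() are resolved through that user's search_path.
CREATE FUNCTION audit_demo.log_ddl_weak() RETURNS event_trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_demo.ddl_log (command_tag, object_type, object_name)
    SELECT c.command_tag, upper(c.object_type), c.object_identity
      FROM pg_event_trigger_ddl_commands() AS c
     WHERE COALESCE(c.schema_name, '') <> 'pg_toast';
END $$;

-- Hardened form: both defenses from the commits above.
CREATE FUNCTION audit_demo.log_ddl() RETURNS event_trigger
LANGUAGE plpgsql
SECURITY DEFINER                        -- run as the function owner
SET search_path = pg_catalog, pg_temp   -- pin name resolution for the call
AS $$
BEGIN
    INSERT INTO audit_demo.ddl_log (command_tag, object_type, object_name)
    SELECT c.command_tag, pg_catalog.upper(c.object_type), c.object_identity
      FROM pg_catalog.pg_event_trigger_ddl_commands() AS c
     WHERE COALESCE(c.schema_name, '') OPERATOR(pg_catalog.<>) 'pg_toast';
END $$;

CREATE EVENT TRIGGER audit_demo_ddl ON ddl_command_end
    EXECUTE FUNCTION audit_demo.log_ddl();

-- Check: event trigger functions that lack either defense.
SELECT t.evtname,
       p.oid::pg_catalog.regprocedure AS trigger_function,
       p.prosecdef AS security_definer,
       p.proconfig
  FROM pg_catalog.pg_event_trigger AS t
  JOIN pg_catalog.pg_proc AS p ON p.oid = t.evtfoid
 WHERE NOT p.prosecdef
    OR NOT EXISTS (SELECT 1
                     FROM pg_catalog.unnest(p.proconfig) AS cfg
                    WHERE cfg LIKE 'search_path=%');
```

The check reads `pg_proc.proconfig`, where a per-function `SET search_path` is stored as a `search_path=...` entry, so it only needs catalog read access.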