Set safe path

2019-10-07 16:23:07 +02:00
parent 80ab38a0c9
commit 33b723fa3d
7 changed files with 17 additions and 8 deletions
--- a/client/renderer/templates/20_public_functions.erb
+++ b/client/renderer/templates/20_public_functions.erb
@@ -26,4 +26,5 @@ BEGIN

  <% return_statement do %><%= DATASERVICES_CLIENT_SCHEMA %>._<%= name %>(<%= params(_with_user_org=true).join(', ') %>)<% end %>
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE;
+$$  LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE
+    SET search_path = pg_temp;
--- a/client/renderer/templates/25_exception_safe_private_functions.erb
+++ b/client/renderer/templates/25_exception_safe_private_functions.erb
@@ -37,4 +37,5 @@ BEGIN
        <%= return_statement %>
  END;
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE;
+$$  LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE
+    SET search_path = pg_temp;
--- a/client/sql/15_config_management.sql
+++ b/client/sql/15_config_management.sql
@@ -31,4 +31,6 @@ BEGIN
    result.apikey_permissions = apikey_config->'permissions';
    RETURN result;
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL SAFE;
+$$  LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL SAFE
+    SET search_path = pg_temp;
+
--- a/client/sql/20_table_augmentation.sql
+++ b/client/sql/20_table_augmentation.sql
@@ -41,7 +41,9 @@ BEGIN

  RETURN result;
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER VOLATILE PARALLEL UNSAFE;
+$$  LANGUAGE 'plpgsql' SECURITY DEFINER VOLATILE PARALLEL UNSAFE
+    SET search_path = pg_temp;
+

 CREATE OR REPLACE FUNCTION cdb_dataservices_client._DST_PopulateTableOBS_GetMeasure(
    table_name text,
@@ -89,7 +91,9 @@ BEGIN

  RETURN result;
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER VOLATILE PARALLEL UNSAFE;
+$$  LANGUAGE 'plpgsql' SECURITY DEFINER VOLATILE PARALLEL UNSAFE
+    SET search_path = pg_temp;
+


 CREATE OR REPLACE FUNCTION cdb_dataservices_client.__DST_PrepareTableOBS_GetMeasure(
--- a/client/sql/21_bulk_geocoding_functions.sql
+++ b/client/sql/21_bulk_geocoding_functions.sql
@@ -86,4 +86,5 @@ BEGIN

  RETURN QUERY EXECUTE 'SELECT * FROM ' || quote_ident(temp_table_name);
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER VOLATILE PARALLEL UNSAFE;
+$$  LANGUAGE 'plpgsql' SECURITY DEFINER VOLATILE PARALLEL UNSAFE
+    SET search_path = pg_temp;
--- a/client/test/expected/21_bulk_geocoding_functions_test.out
+++ b/client/test/expected/21_bulk_geocoding_functions_test.out
@@ -15,7 +15,7 @@ RETURNS SETOF cdb_dataservices_client.geocoding AS $$
 BEGIN
  RAISE NOTICE 'called with this searches: %', searches;
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE;
+$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE SET search_path = pg_temp;
 -- No permissions granted
 -- Test bulk size not mandatory (it will get the optimal)
 SELECT cdb_dataservices_client.cdb_bulk_geocode_street_point('select 1 as cartodb_id', '''Valladolid, Spain''', null, null, null, null);
--- a/client/test/sql/21_bulk_geocoding_functions_test.sql
+++ b/client/test/sql/21_bulk_geocoding_functions_test.sql
@@ -18,7 +18,7 @@ RETURNS SETOF cdb_dataservices_client.geocoding AS $$
 BEGIN
  RAISE NOTICE 'called with this searches: %', searches;
 END;
-$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE;
+$$ LANGUAGE 'plpgsql' SECURITY DEFINER STABLE PARALLEL UNSAFE SET search_path = pg_temp;

 -- No permissions granted
 -- Test bulk size not mandatory (it will get the optimal)