Qualify function calls with pg_catalog schema

The security definer functions `aiven_extras.pg_create_publication` and `aiven_extras.set_pgaudit_parameter` are missing explicit `pg_catalog` schema qualifications for array and string function calls such as `array_length`, `format`, and `left`. Co-authored-by: Etienne Stalmans <etienne.stalmans@aiven.io> Co-authored-by: Kevin Michel <kevin.michel@aiven.io> Co-authored-by: Thomas Krennwallner <teakay@aiven.io>
aiven · May 8, 2023 · 8682ae0 · 8682ae0 · jankatins · May 11, 2023
1 parent bf259fe
commit 8682ae0
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/sql/aiven_extras.sql b/sql/aiven_extras.sql
@@ -426,16 +426,16 @@ DECLARE
   l_parsed_ident TEXT[];
   l_parsed_arg_tables TEXT[];
 BEGIN
-    l_table_count = array_length(arg_tables, 1);
+    l_table_count = pg_catalog.array_length(arg_tables, 1);
     IF l_table_count >= 1
     THEN
         l_parsed_arg_tables = ARRAY[]::TEXT[];
         l_tables_command = 'CREATE PUBLICATION %I FOR TABLE ';
         FOREACH l_ident IN ARRAY arg_tables LOOP
             l_parsed_ident = parse_ident(l_ident);
-            ASSERT array_length(l_parsed_ident, 1) <= 2, 'Only simple table names or tables qualified with schema names allowed';
+            ASSERT pg_catalog.array_length(l_parsed_ident, 1) <= 2, 'Only simple table names or tables qualified with schema names allowed';
             -- Make sure we pass in a simple list of identifiers, so separate the tables from parent schemas
-            IF array_length(l_parsed_ident, 1) = 2
+            IF pg_catalog.array_length(l_parsed_ident, 1) = 2
             THEN
                 l_tables_command = l_tables_command || '%I.%I, ';
             ELSE
@@ -444,12 +444,12 @@ BEGIN
             l_parsed_arg_tables = l_parsed_arg_tables || l_parsed_ident;
         END LOOP;
         -- Remove trailing comma and whitespace, add the rest
-        l_tables_command = left(l_tables_command, -2) || ' WITH (publish = %I)';
-        EXECUTE format(l_tables_command, VARIADIC array[arg_publication_name] || l_parsed_arg_tables || arg_publish);
+        l_tables_command = pg_catalog.left(l_tables_command, -2) || ' WITH (publish = %I)';
+        EXECUTE pg_catalog.format(l_tables_command, VARIADIC array[arg_publication_name] || l_parsed_arg_tables || arg_publish);
     ELSE
-        EXECUTE format('CREATE PUBLICATION %I WITH (publish = %I)', arg_publication_name, arg_publish);
+        EXECUTE pg_catalog.format('CREATE PUBLICATION %I WITH (publish = %I)', arg_publication_name, arg_publish);
     END IF;
-    EXECUTE format('ALTER PUBLICATION %I OWNER TO %I', arg_publication_name, session_user);
+    EXECUTE pg_catalog.format('ALTER PUBLICATION %I OWNER TO %I', arg_publication_name, session_user);
 END;
 $$;
 
@@ -489,7 +489,7 @@ BEGIN
         RAISE EXCEPTION 'Invalid parameter: %', arg_parameter;
     END IF;
 
-    EXECUTE format('ALTER DATABASE %I SET pgaudit.%I = %L',
+    EXECUTE pg_catalog.format('ALTER DATABASE %I SET pgaudit.%I = %L',
         arg_database,
         arg_parameter,
         arg_value