Re: Security Definer functions no longer works in PG14+

From David G. Johnston
Subject Re: Security Definer functions no longer works in PG14+
Date
Msg-id CAKFQuwbuYz3wg2a8nyVZB+3aASDZu=sL=MXpBaVAHS_8pZ=HXg@mail.gmail.com
In reply to Re: Security Definer functions no longer works in PG14+  (Andrew Borodin <amborodin86@gmail.com>)
Responses Re: Security Definer functions no longer works in PG14+  (Andrew Borodin <amborodin86@gmail.com>)
List pgsql-bugs


On Thursday, May 5, 2022, Andrew Borodin <amborodin86@gmail.com> wrote:
On Thu, May 5, 2022 at 11:32 PM Jan Katins <jasc@gmx.net> wrote:
>
> The aiven-extras repo has a workaround for that, using dblink: https://github.com/aiven/aiven-extras/commit/eb8c1107ca91a7da5ecb0c8127c94ce42762881d

> SECURITY DEFINER
> pg_catalog.format('ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)', arg_subscription_name, arg_copy_data::TEXT)

Doesn't this constitute Bobby-tables SQL injection?


How do you suppose the caller of the function gets the passed-in boolean, when cast to text, to print anything other than “t” or “f” (null might bork things but still not unsafe)?

The %I handles the name.

David J.
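To make the quoting argument above concrete, here is an added example (not code from this thread or from the aiven-extras repository; the function and subscription names are made up) showing what pg_catalog.format() actually emits for the %I/%s placeholders with a hostile identifier, next to the %s-only variant that would be injectable. It only builds the statement text, the way the dblink workaround would hand it off; it does not execute ALTER SUBSCRIPTION.

```sql
-- Added example; names are hypothetical, inputs are constructed.

-- 1. %I routes the value through quote_ident(): the whole string becomes ONE
--    double-quoted identifier (embedded double quotes are doubled), so the
--    injected text can never be parsed as a separate statement.
SELECT pg_catalog.format(
    'ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)',
    'sub1"; DROP TABLE users; --',      -- constructed hostile subscription name
    true::text);
-- -> ALTER SUBSCRIPTION "sub1""; DROP TABLE users; --" REFRESH PUBLICATION WITH (copy_data=true)

-- 2. The second placeholder is %s, but the wrapper types the parameter BOOLEAN,
--    so a caller can only supply true, false or NULL; the cast to text yields
--    'true' or 'false'. A NULL name makes %I raise an error rather than
--    produce SQL, and a NULL copy_data gives 'copy_data=' (a syntax error,
--    not an injection), matching the "might bork things but not unsafe" point.
CREATE OR REPLACE FUNCTION build_refresh_sql(arg_subscription_name TEXT,
                                             arg_copy_data BOOLEAN DEFAULT true)
RETURNS TEXT
LANGUAGE sql
SET search_path = pg_catalog, pg_temp    -- usual hardening for definer-style helpers
AS $$
    SELECT pg_catalog.format(
        'ALTER SUBSCRIPTION %I REFRESH PUBLICATION WITH (copy_data=%s)',
        arg_subscription_name, arg_copy_data::TEXT);
$$;

SELECT build_refresh_sql('my_sub', false);
-- -> ALTER SUBSCRIPTION my_sub REFRESH PUBLICATION WITH (copy_data=false)

-- 3. The unsafe variant: %s on the identifier splices the raw text in, and a
--    hostile name now terminates the statement and starts another one.
SELECT pg_catalog.format(
    'ALTER SUBSCRIPTION %s REFRESH PUBLICATION WITH (copy_data=%s)',
    'sub1; DROP TABLE users; --',       -- same kind of constructed input
    true::text);
-- -> ALTER SUBSCRIPTION sub1; DROP TABLE users; -- REFRESH PUBLICATION WITH (copy_data=true)
```

Run the three SELECTs in psql to compare the produced strings; %L would be the matching escape for a text literal, but with a BOOLEAN parameter there is no caller-controlled text left to escape.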
