From ac3e51d543e0888f1a2262e57c7691b99643a0cb Mon Sep 17 00:00:00 2001 From: Alex Slade Date: Tue, 24 Dec 2024 23:14:10 +0000 Subject: [PATCH] bug: add search path to postgres functions This is a minor hardening of postgres security, in response to supabase advisor warnings. It's only been added to the new migration generator, it's not serious enough to try and address elsewhere. This should mean that anyone setting up a new app will get these new settings. Closes https://github.com/ash-project/ash_postgres/issues/396 --- lib/migration_generator/ash_functions.ex | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/migration_generator/ash_functions.ex b/lib/migration_generator/ash_functions.ex index 369173cb..53b29ac9 100644 --- a/lib/migration_generator/ash_functions.ex +++ b/lib/migration_generator/ash_functions.ex @@ -10,6 +10,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do CREATE OR REPLACE FUNCTION ash_elixir_or(left BOOLEAN, in right ANYCOMPATIBLE, out f1 ANYCOMPATIBLE) AS $$ SELECT COALESCE(NULLIF($1, FALSE), $2) $$ LANGUAGE SQL + SET search_path = '' IMMUTABLE; \"\"\") @@ -17,6 +18,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do CREATE OR REPLACE FUNCTION ash_elixir_or(left ANYCOMPATIBLE, in right ANYCOMPATIBLE, out f1 ANYCOMPATIBLE) AS $$ SELECT COALESCE($1, $2) $$ LANGUAGE SQL + SET search_path = '' IMMUTABLE; \"\"\") @@ -27,6 +29,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do ELSE $1 END $$ LANGUAGE SQL + SET search_path = '' IMMUTABLE; \"\"\") @@ -37,6 +40,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do ELSE $1 END $$ LANGUAGE SQL + SET search_path = '' IMMUTABLE; \"\"\") @@ -62,6 +66,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do END IF; END; $$ LANGUAGE plpgsql + SET search_path = '' IMMUTABLE; \"\"\") 
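Review bot: Adding `SET search_path = ''` to the `LANGUAGE SQL` functions (hunks `-10,6`, `-17,6`, `-27,6`, `-37,6`, and the last hunk `-230,6`) stops PostgreSQL from inlining them, because the planner only inlines SQL functions that have no `SET` clause. Each call then runs as a real function invocation with the setting saved and restored around it, which can matter if these helpers appear in filters over large tables, so I would compare plans for a representative query before and after. If the trade-off is accepted, record it next to the definitions, e.g. `# SET search_path = '' is for the Supabase advisor warning; it disables SQL-function inlining`. The enclosing Elixir function starts and ends outside these hunks.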
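Review bot: In the `plpgsql` hunks (`-62,6` here, and `-115,6` and `-220,6` further down) the empty `search_path` means every function, operator or type the body names must live in `pg_catalog` or be schema-qualified, and the bodies sit outside these hunks, so the diff cannot confirm that. plpgsql resolves names when a statement first runs, so an unqualified reference to something an extension installed into `public` or another schema would pass the migration and fail at the first call. Each body is worth checking, and a comment such as `# body must use only pg_catalog or schema-qualified names: search_path is empty at call time` would keep later edits to that rule.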
@@ -115,6 +120,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do END IF; END; $$ LANGUAGE plpgsql + SET search_path = '' IMMUTABLE; \"\"\") """ @@ -177,7 +183,8 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do RAISE EXCEPTION '#{prefix}%', json_data::text; RETURN NULL; END; - $$ LANGUAGE plpgsql; + $$ LANGUAGE plpgsql + SET search_path = ''; \"\"\") execute(\"\"\" @@ -189,7 +196,8 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do RAISE EXCEPTION '#{prefix}%', json_data::text; RETURN NULL; END; - $$ LANGUAGE plpgsql; + $$ LANGUAGE plpgsql + SET search_path = ''; \"\"\") """ end @@ -220,6 +228,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do END $$ LANGUAGE PLPGSQL + SET search_path = '' VOLATILE; \"\"\") @@ -230,6 +239,7 @@ defmodule AshPostgres.MigrationGenerator.AshFunctions do SELECT to_timestamp(('x0000' || substr(_uuid::TEXT, 1, 8) || substr(_uuid::TEXT, 10, 4))::BIT(64)::BIGINT::NUMERIC / 1000); $$ LANGUAGE SQL + SET search_path = '' IMMUTABLE PARALLEL SAFE STRICT; \"\"\") """