HIGHSecuritysmallPostgreSQL

Mutable Search Path in Functions

Functions without a fixed search_path are vulnerable to search path injection attacks.

Why This Matters

An attacker can create objects in a schema that appears earlier in the search_path, hijacking function behavior.

Related Rules

RLS Disabled on Public Tables

Security

CRITICAL

Unindexed Foreign Keys

Performance

HIGH

Auth Users Table Exposed to API

Security

CRITICAL

Create Indexes Concurrently

Performance

HIGH

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

PostgreSQL functions inherit the caller's search_path by default. An attacker who can create objects in a schema could inject malicious functions or tables that shadow the intended ones.

Detection

Splinter lint 0011 (function_search_path_mutable).

SELECT n.nspname, p.proname
FROM pg_proc p
JOIN pg_namespace n ON p.pronamespace = n.oid
WHERE p.proconfig IS NULL
   OR NOT ('search_path' = ANY(p.proconfig));

Fix

CREATE OR REPLACE FUNCTION my_function()
RETURNS void
LANGUAGE plpgsql
SET search_path = ''
AS $$
BEGIN
  -- Use fully qualified names: public.my_table
END;
$$;

Tools

Splinter lint 0011 (function_search_path_mutable)
plpgsql_check also flags this

Mutable Search Path in Functions

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Detection

Fix

Tools