Merge pull request #46 from okbob/1.7

1.7

Author: okbob

META.json

@@ -2,15 +2,15 @@
    "name": "plpgsql_check",
    "abstract": "Additional tools for plpgsql functions validation",
    "description": "The plpgsql_check is PostgreSQL extension with functionality for direct or indirect extra validation of functions in plpgsql language. It verifies a validity of SQL identifiers used in plpgsql code. It try to identify a performance issues. Modern versions has integrated profiler. The table and function dependencies can be displayed",
-   "version": "1.5.0",
+   "version": "1.7.0",
    "maintainer": "Pavel STEHULE <pavel.stehule@gmail.com>",
    "license": "bsd",
    "provides": {
       "plpgsql_check": {
          "abstract": "Additional tools for plpgsql functions validation",
          "file": "sql/plpgsql_check_active.sql",
          "docfile": "README.md",
-         "version": "1.5.0"
+         "version": "1.7.0"
       }
    },
    "prereqs": {

Makefile

@@ -2,7 +2,7 @@
 
 MODULE_big = plpgsql_check
 OBJS = $(patsubst %.c,%.o,$(wildcard src/*.c))
-DATA = plpgsql_check--1.6.sql
+DATA = plpgsql_check--1.7.sql
 EXTENSION = plpgsql_check
 
 ifndef MAJORVERSION

README.md

@@ -21,6 +21,7 @@ google group.
 * detection of missing RETURN command in function
 * try to identify unwanted hidden casts, that can be performance issue like unused indexes
 * possibility to collect relations and functions used by function
+* possibility to check EXECUTE stmt agaist SQL injection vulnerability
 
 I invite any ideas, patches, bugreports
 
@@ -151,6 +152,9 @@ You can set level of warnings via function's parameters:
   declared type with type modificator, casting, implicit casts in where clause (can be
   reason why index is not used), ..
 
+* `security_warnings boolean DEFAULT false` - security related checks like SQL injection
+  vulnerability detection
+
 ## Triggers
 
 When you want to check any trigger, you have to enter a relation that will be
@@ -183,6 +187,26 @@ Correct trigger checking (with specified relation)
      error:42703:3:assignment:record "new" has no field "c"
     (1 row)
 
+For triggers with transitive tables you can set a `oldtable` or `newtable` parameters:
+
+    create or replace function footab_trig_func()
+    returns trigger as $$
+    declare x int;
+    begin
+      if false then
+        -- should be ok;
+        select count(*) from newtab into x; 
+
+        -- should fail;
+        select count(*) from newtab where d = 10 into x;
+      end if;
+      return null;
+    end;
+    $$ language plpgsql;
+
+    select * from plpgsql_check_function('footab_trig_func','footab', newtable := 'newtab');
+
+
 ## Mass check
 
 You can use the plpgsql_check_function for mass check functions and mass check

expected/plpgsql_check_active-10.out

@@ -306,3 +306,28 @@ select * from plpgsql_check_function('f1()');
 
 drop function f1();
 drop type _exception_type;
+create table footab(a int, b int, c int);
+create or replace function footab_trig_func()
+returns trigger as $$
+declare x int;
+begin
+  if false then
+    -- should be ok;
+    select count(*) from newtab into x; 
+
+    -- should fail;
+    select count(*) from newtab where d = 10 into x;
+  end if;
+  return null;
+end;
+$$ language plpgsql;
+select * from plpgsql_check_function('footab_trig_func','footab', newtable := 'newtab');
+                plpgsql_check_function                 
+-------------------------------------------------------
+ error:42703:9:SQL statement:column "d" does not exist
+ Query: select count(*) from newtab where d = 10
+ --                                       ^
+(3 rows)
+
+drop table footab;
+drop function footab_trig_func();