When doing database auto-discovery, exclude all databases marked as templates and any databases that do not allow connections.
It's conceivable, but not very likely, that someone could want to scrape metrics from a template DB, but pg_exporter currently defaults to excluding template1 anyway. postgres_exporter also has the same behaviour of excluding template DBs from discovery. So I did not add a CLI option to override this behaviour.
Additionally, schema-qualify references to pg_database and the pg_is_in_recovery function call in the database discovery query to guarantee protection against any possible search_path based attacks. I can't immediately see how it'd be possible in this case, so it's not a vulnerability, but it's best practice to always schema-qualify everything in any query that could possibly be run as a privileged role.
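A check that enforces the schema-qualification practice described above, as an added example that is not part of the original change or of pg_exporter's code. The query text, the constant names and the `UnqualifiedRefs` helper are assumptions made for illustration; only `pg_catalog.pg_database`, its `datistemplate` and `datallowconn` columns, and `pg_catalog.pg_is_in_recovery()` are real PostgreSQL objects.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed discovery query (an assumption, not pg_exporter's real query):
// skips templates and non-connectable databases, every reference qualified.
const discoveryQuery = `
SELECT d.datname, pg_catalog.pg_is_in_recovery() AS in_recovery
  FROM pg_catalog.pg_database AS d
 WHERE NOT d.datistemplate
   AND d.datallowconn`

// Constructed counter-example: same objects, resolved through search_path.
const unqualifiedQuery = `SELECT datname, pg_is_in_recovery() FROM pg_database`

// UnqualifiedRefs (hypothetical helper) returns each name that appears in
// query at least once without a "pg_catalog." prefix. It is a lexical check:
// it does not parse SQL, and a double-quoted qualifier is reported as
// unqualified, which errs on the side of flagging.
func UnqualifiedRefs(query string, names ...string) []string {
	var found []string
	for _, n := range names {
		// Group 1 captures an optional "schema." directly before the name.
		re := regexp.MustCompile(
			`(?i)(?:\b([a-z_][a-z0-9_]*)\s*\.\s*)?\b` + regexp.QuoteMeta(n) + `\b`)
		for _, m := range re.FindAllStringSubmatch(query, -1) {
			if !strings.EqualFold(m[1], "pg_catalog") {
				found = append(found, n)
				break
			}
		}
	}
	return found
}

func main() {
	names := []string{"pg_database", "pg_is_in_recovery"}
	fmt.Println("qualified:  ", UnqualifiedRefs(discoveryQuery, names...))
	fmt.Println("unqualified:", UnqualifiedRefs(unqualifiedQuery, names...))
}
```

Run as a unit test over every query an exporter executes with a privileged role, this turns the best practice into a build failure instead of a review comment.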