percona / pg_stat_monitor

Query Performance Monitoring Tool for PostgreSQL
https://docs.percona.com/pg-stat-monitor/
477 stars 59 forks

Non-generalised query items should not be visible to non-super user #417

Closed dutow closed 3 months ago

dutow commented 1 year ago

It is a security threat that a non-superuser can see user data using pg_stat_monitor. For example:

SELECT id, Name from cards where card_no like '1235-1253-3735-2674';

pg_stat_statements and pg_stat_monitor (Generalized mode) show this: SELECT id, Name from cards where card_no like "?";

But in the non-generalized option, pg_stat_monitor will show the original data.

SELECT id, Name from cards where card_no like '1235-1253-3735-2674';

https://jira.percona.com/browse/PG-565
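The "generalized" (normalized) form discussed above is what keeps a card number out of the stats view: every string and numeric literal is replaced by a placeholder before the query text is stored. The block below is an added example written for this page, not pg_stat_monitor's own normalization code (which runs in C inside the extension); it is a small tokenizer-based normalizer that shows what the masking has to do and the edge cases it must get right. The function names `normalize` and `has_literal` and the constructed sample queries are this example's own. It deliberately keeps double-quoted tokens, because in PostgreSQL `"..."` is an identifier (a column or table name), not data, and it keeps `$1`-style bind parameters, which carry no user data either. It does not handle dollar-quoted strings, SQL comments or `E'...'` backslash escapes; a production normalizer has to, because any literal form that slips through is exactly the leak this issue describes.

```python
import re

# Token grammar (order matters: earlier alternatives win).
#   str   single-quoted string literal; '' inside is an escaped quote
#   ident double-quoted identifier, NOT data, must be preserved
#   param $N bind parameter, already a placeholder, preserved
#   num   numeric literal (integer or decimal), not part of an identifier
#   word  bare identifier or keyword
_TOKEN = re.compile(
    r"""
      (?P<str>'(?:[^']|'')*')
    | (?P<ident>"(?:[^"]|"")*")
    | (?P<param>\$\d+)
    | (?P<num>\b\d+(?:\.\d+)?\b)
    | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)
    | (?P<ws>\s+)
    | (?P<other>.)
    """,
    re.VERBOSE | re.DOTALL,
)


def normalize(sql: str) -> str:
    """Return sql with every string and numeric literal replaced by '?'.

    Identifiers (bare or double-quoted), keywords, operators and $N bind
    parameters are kept verbatim; runs of whitespace collapse to one space.
    """
    out = []
    for m in _TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind in ("str", "num"):
            out.append("?")          # the only tokens that can carry user data
        elif kind == "ws":
            out.append(" ")
        else:
            out.append(m.group())
    return "".join(out).strip()


def has_literal(sql: str) -> bool:
    """True if the text still contains a string or numeric literal.

    Useful as a check over the query column of a stats view: any row for
    which this returns True exposes raw values to whoever can read the view.
    """
    return any(m.lastgroup in ("str", "num") for m in _TOKEN.finditer(sql))


if __name__ == "__main__":
    # Constructed sample queries for illustration (not real data).
    samples = [
        "SELECT id, Name from cards where card_no like '1235-1253-3735-2674';",
        "select * from t where a = 'it''s' and b = 42 and c = $1",
        'select "col1" from "t1" where x = 3.5',
    ]
    for q in samples:
        print(f"{'LEAKS' if has_literal(q) else 'clean'}: {q}")
        print(f"   -> {normalize(q)}")
```

Running it shows the card-number query reduced to `... where card_no like ?;`, the escaped quote in `'it''s'` consumed as one literal rather than splitting the string, and the quoted identifiers `"col1"` and `"t1"` left untouched while the number `3.5` is masked. Whatever normalizer a stats extension uses, the property to verify is the second function: `has_literal` over every stored query text should never return True for a row visible to a non-privileged role.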

ImTheKai commented 3 months ago

Will be tracked here https://jira.percona.com/browse/PG-565