@dujuku dujuku commented Sep 15, 2025

What does this PR do?

Ensures the datadog.explain_statement statement executes with read-only transaction state. While this change does not affect the behavior of the Agent (only the test data is changed), the function definition will be modified in the documentation to match this.

Documentation PR: DataDog/documentation#31654

Motivation

There is no known vulnerability to execute the query passed to the function or escape the EXPLAIN command; however, this mitigates the blast radius if such a vulnerability is discovered.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

⚠️ Recommendation: Add qa/skip-qa Label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

@jasonmp85
Looks good to me.

@jasonmp85 jasonmp85 left a comment

Alternative to this, we could:

  • Change the function to be SECURITY INVOKER, so someone running it with low privileges is necessarily limited to those privileges (rather than running as the creator of the function)
  • Change the creator of the function to be a user that is read-only

However, this change seems the quickest for now; I think it makes sense to ship this.
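Added illustration in PostgreSQL SQL, not the Agent's shipped definition (that lives in the documentation PR linked above): a SECURITY DEFINER wrapper around EXPLAIN pinned to a read-only transaction as this PR describes, the catalog check that confirms the pin is in place, and the SECURITY INVOKER alternative raised in the comment above. The function body, the `l_query` parameter and the `datadog` schema are assumptions.

```sql
-- Added illustration, not the Agent's own definition: a SECURITY DEFINER
-- wrapper around EXPLAIN whose per-call settings pin the transaction to
-- read-only. The body is an assumption; the SET clause is the point of the PR.
CREATE SCHEMA IF NOT EXISTS datadog;

CREATE OR REPLACE FUNCTION datadog.explain_statement(l_query text)
RETURNS SETOF json
LANGUAGE plpgsql
RETURNS NULL ON NULL INPUT
SECURITY DEFINER
-- Applied on entry and restored on return, so the creator's privileges
-- cannot be used for a write anywhere inside this call.
SET transaction_read_only = on
AS $$
BEGIN
    -- EXPLAIN without ANALYZE only plans the statement; it does not run it.
    RETURN QUERY EXECUTE 'EXPLAIN (FORMAT JSON) ' || l_query;
END;
$$;

-- Check a reviewer would run: pg_proc records the definer flag in prosecdef
-- and the per-call settings (including transaction_read_only) in proconfig.
SELECT proname,
       prosecdef AS security_definer,
       proconfig AS per_call_settings
FROM   pg_proc
WHERE  pronamespace = 'datadog'::regnamespace
AND    proname = 'explain_statement';

-- Sanity call: an ordinary SELECT still explains under the read-only pin.
SELECT * FROM datadog.explain_statement('SELECT 1');

-- Alternative raised in review: run with the caller's privileges rather than
-- the creator's, so a low-privilege caller stays limited to its own rights.
-- ALTER FUNCTION datadog.explain_statement(text) SECURITY INVOKER;
```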

codecov bot commented Sep 16, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.25%. Comparing base (df8de38) to head (512c4b6).

AAraKKe commented Sep 26, 2025

@dujuku I just relaunched the test that failed since this PR has some time already. Just want to see if it is a flake.

As a side note, please avoid using the no-changelog label. As you can see, after removing it, the job does not complain because this is not a PR worthy of a changelog. By using the label we can miss PRs that need a changelog and do not have it.

Anything that is shipped with the agent needs to have a changelog, and when we have a PR without one, this delays the release process.

Thanks a lot!
