
postgresql_table: add the trust_input parameter (#307)

* postgresql_table: add the trust_input parameter

* add changelog fragment
This commit is contained in:
Andrew Klychkov 2020-05-09 11:23:33 +03:00 committed by GitHub
parent f2af41d842
commit 156d90ce90
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 62 additions and 26 deletions


@ -0,0 +1,2 @@
minor_changes:
- postgresql_table - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/307).


@ -99,6 +99,12 @@ options:
Used with I(state=absent) only. Used with I(state=absent) only.
type: bool type: bool
default: no default: no
trust_input:
description:
- If C(no), check whether values of parameters are potentially dangerous.
- It makes sense to use C(yes) only when SQL injections are possible.
type: bool
default: yes
notes: notes:
- If you do not pass db parameter, tables will be created in the database - If you do not pass db parameter, tables will be created in the database
named postgres. named postgres.
@ -244,7 +250,10 @@ except ImportError:
pass pass
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
pg_quote_identifier,
)
from ansible_collections.community.general.plugins.module_utils.postgres import ( from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db, connect_to_db,
exec_sql, exec_sql,
@ -365,7 +374,7 @@ class Table(object):
query += " WITH (%s)" % params query += " WITH (%s)" % params
if tblspace: if tblspace:
query += " TABLESPACE %s" % pg_quote_identifier(tblspace, 'database') query += ' TABLESPACE "%s"' % tblspace
if exec_sql(self, query, return_bool=True): if exec_sql(self, query, return_bool=True):
changed = True changed = True
@ -412,7 +421,7 @@ class Table(object):
query += " WITH (%s)" % params query += " WITH (%s)" % params
if tblspace: if tblspace:
query += " TABLESPACE %s" % pg_quote_identifier(tblspace, 'database') query += ' TABLESPACE "%s"' % tblspace
if exec_sql(self, query, return_bool=True): if exec_sql(self, query, return_bool=True):
changed = True changed = True
@ -432,8 +441,7 @@ class Table(object):
return exec_sql(self, query, return_bool=True) return exec_sql(self, query, return_bool=True)
def set_owner(self, username): def set_owner(self, username):
query = "ALTER TABLE %s OWNER TO %s" % (pg_quote_identifier(self.name, 'table'), query = 'ALTER TABLE %s OWNER TO "%s"' % (pg_quote_identifier(self.name, 'table'), username)
pg_quote_identifier(username, 'role'))
return exec_sql(self, query, return_bool=True) return exec_sql(self, query, return_bool=True)
def drop(self, cascade=False): def drop(self, cascade=False):
@ -446,8 +454,7 @@ class Table(object):
return exec_sql(self, query, return_bool=True) return exec_sql(self, query, return_bool=True)
def set_tblspace(self, tblspace): def set_tblspace(self, tblspace):
query = "ALTER TABLE %s SET TABLESPACE %s" % (pg_quote_identifier(self.name, 'table'), query = 'ALTER TABLE %s SET TABLESPACE "%s"' % (pg_quote_identifier(self.name, 'table'), tblspace)
pg_quote_identifier(tblspace, 'database'))
return exec_sql(self, query, return_bool=True) return exec_sql(self, query, return_bool=True)
def set_stor_params(self, params): def set_stor_params(self, params):
@ -464,7 +471,7 @@ def main():
argument_spec = postgres_common_argument_spec() argument_spec = postgres_common_argument_spec()
argument_spec.update( argument_spec.update(
table=dict(type='str', required=True, aliases=['name']), table=dict(type='str', required=True, aliases=['name']),
state=dict(type='str', default="present", choices=["absent", "present"]), state=dict(type='str', default='present', choices=['absent', 'present']),
db=dict(type='str', default='', aliases=['login_db']), db=dict(type='str', default='', aliases=['login_db']),
tablespace=dict(type='str'), tablespace=dict(type='str'),
owner=dict(type='str'), owner=dict(type='str'),
@ -477,24 +484,32 @@ def main():
storage_params=dict(type='list', elements='str'), storage_params=dict(type='list', elements='str'),
session_role=dict(type='str'), session_role=dict(type='str'),
cascade=dict(type='bool', default=False), cascade=dict(type='bool', default=False),
trust_input=dict(type='bool', default=True),
) )
module = AnsibleModule( module = AnsibleModule(
argument_spec=argument_spec, argument_spec=argument_spec,
supports_check_mode=True, supports_check_mode=True,
) )
table = module.params["table"] table = module.params['table']
state = module.params["state"] state = module.params['state']
tablespace = module.params["tablespace"] tablespace = module.params['tablespace']
owner = module.params["owner"] owner = module.params['owner']
unlogged = module.params["unlogged"] unlogged = module.params['unlogged']
like = module.params["like"] like = module.params['like']
including = module.params["including"] including = module.params['including']
newname = module.params["rename"] newname = module.params['rename']
storage_params = module.params["storage_params"] storage_params = module.params['storage_params']
truncate = module.params["truncate"] truncate = module.params['truncate']
columns = module.params["columns"] columns = module.params['columns']
cascade = module.params["cascade"] cascade = module.params['cascade']
session_role = module.params['session_role']
trust_input = module.params['trust_input']
if not trust_input:
# Check input for potentially dangerous elements:
check_input(module, table, tablespace, owner, like, including,
newname, storage_params, columns, session_role)
if state == 'present' and cascade: if state == 'present' and cascade:
module.warn("cascade=true is ignored when state=present") module.warn("cascade=true is ignored when state=present")
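Review bot: The rewritten TABLESPACE, OWNER TO and SET TABLESPACE statements (the changed lines in the hunks at 365, 412, 432 and 446; I read the old/new side from the 8-to-7 line count of the hunk at 432) wrap the caller-supplied value in literal double quotes with no escaping of an embedded `"`, where the old code went through pg_quote_identifier; since check_input only runs when trust_input is false and the default is true, a value containing a double quote now ends the identifier early on the default path. PostgreSQL escapes a quote inside a quoted identifier by doubling it, so each site should at least do that, e.g. `query += ' TABLESPACE "%s"' % tblspace.replace('"', '""')` and `query = 'ALTER TABLE %s OWNER TO "%s"' % (pg_quote_identifier(self.name, 'table'), username.replace('"', '""'))`. If dropping pg_quote_identifier was deliberate (I cannot tell from the hunk why it was replaced), a one-line comment at the first site saying why, such as `# Quoted literally instead of via pg_quote_identifier; check_input validates the value when trust_input=no`, would keep the next reader from reverting it. The Table methods these lines belong to begin outside the hunks.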


@ -53,7 +53,7 @@
postgresql_query: postgresql_query:
db: postgres db: postgres
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
query: "SELECT 1 FROM pg_stat_all_tables WHERE relname ='test1'" query: "SELECT 1 FROM pg_stat_all_tables WHERE relname = 'test1'"
ignore_errors: yes ignore_errors: yes
register: result register: result
@ -92,7 +92,7 @@
postgresql_query: postgresql_query:
db: postgres db: postgres
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
query: "SELECT 1 FROM pg_stat_all_tables WHERE relname ='test1'" query: "SELECT 1 FROM pg_stat_all_tables WHERE relname = 'test1'"
ignore_errors: yes ignore_errors: yes
register: result register: result
@ -146,7 +146,7 @@
postgresql_query: postgresql_query:
db: postgres db: postgres
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
query: "SELECT 1 FROM pg_stat_all_tables WHERE relname ='test2'" query: "SELECT 1 FROM pg_stat_all_tables WHERE relname = 'test2'"
ignore_errors: yes ignore_errors: yes
register: result register: result
@ -183,7 +183,7 @@
postgresql_query: postgresql_query:
db: postgres db: postgres
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
query: "SELECT 1 FROM pg_stat_all_tables WHERE relname ='test2'" query: "SELECT 1 FROM pg_stat_all_tables WHERE relname = 'test2'"
ignore_errors: yes ignore_errors: yes
register: result register: result
@ -224,7 +224,7 @@
postgresql_query: postgresql_query:
db: postgres db: postgres
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
query: "SELECT 1 FROM pg_stat_all_tables WHERE relname ='test2'" query: "SELECT 1 FROM pg_stat_all_tables WHERE relname = 'test2'"
ignore_errors: yes ignore_errors: yes
register: result register: result
@ -257,7 +257,7 @@
postgresql_query: postgresql_query:
db: postgres db: postgres
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
query: "SELECT 1 FROM pg_stat_all_tables WHERE relname ='test2'" query: "SELECT 1 FROM pg_stat_all_tables WHERE relname = 'test2'"
ignore_errors: yes ignore_errors: yes
register: result register: result
@ -846,6 +846,7 @@
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
name: public.test_schema_table name: public.test_schema_table
rename: new_test_schema_table rename: new_test_schema_table
trust_input: yes
register: result register: result
- assert: - assert:
@ -853,6 +854,24 @@
- result is changed - result is changed
- result.queries == ['ALTER TABLE "public"."test_schema_table" RENAME TO "new_test_schema_table"'] - result.queries == ['ALTER TABLE "public"."test_schema_table" RENAME TO "new_test_schema_table"']
############################
# Test trust_input parameter
- name: postgresql_table - check trust_input
postgresql_table:
db: postgres
login_user: "{{ pg_user }}"
name: postgres.acme.test_schema_table
state: absent
trust_input: no
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
register: result
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')
# #
# Clean up # Clean up
# #
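Review bot: The only trust_input case added (the hunk at 853) exercises session_role; tablespace and owner, whose quoting the module change in this commit rewrites, are not exercised under either trust_input setting, so a regression in their escaping would pass this suite. A companion task that sets `owner: 'some"name'` (a constructed value) with `trust_input: no` and asserts `result is failed` plus `result.msg is search('is potentially dangerous')` would cover the check_input path for those parameters as well. The `trust_input: yes` added to the rename task at 846 is the documented default, so that task adds no new coverage on its own.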