From 31085fffb72ce668c529dd0dcd35def2b70980be Mon Sep 17 00:00:00 2001
From: Andrew Klychkov
Date: Tue, 12 May 2020 09:34:28 +0300
Subject: [PATCH] postgresql_ping: add session_role and trust_input parameters (#312)

* postgresql_ping: add session_role and trust_input parameters

* add changelog fragment
---
 ...esql_ping_add_trust_input_session_role.yml | 3 +++
 .../database/postgresql/postgresql_ping.py | 22 +++++++++++++++++++
 .../tasks/postgresql_ping_initial.yml | 17 ++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 changelogs/fragments/312-postgresql_ping_add_trust_input_session_role.yml

diff --git a/changelogs/fragments/312-postgresql_ping_add_trust_input_session_role.yml b/changelogs/fragments/312-postgresql_ping_add_trust_input_session_role.yml
new file mode 100644
index 0000000000..f82c2e9a18
--- /dev/null
+++ b/changelogs/fragments/312-postgresql_ping_add_trust_input_session_role.yml
@@ -0,0 +1,3 @@
+minor_changes:
+- postgresql_ping - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/312).
+- postgresql_ping - add the ``session_role`` parameter (https://github.com/ansible-collections/community.general/pull/312).
diff --git a/plugins/modules/database/postgresql/postgresql_ping.py b/plugins/modules/database/postgresql/postgresql_ping.py
index 8280ce93f7..7c79d48fb1 100644
--- a/plugins/modules/database/postgresql/postgresql_ping.py
+++ b/plugins/modules/database/postgresql/postgresql_ping.py
@@ -26,6 +26,19 @@ options:
     type: str
     aliases:
     - login_db
+  session_role:
+    description:
+    - Switch to session_role after connecting. The specified session_role must
+      be a role that the current login_user is a member of.
+    - Permissions checking for SQL commands is carried out as though
+      the session_role were the one that had logged in originally.
+    type: str
+  trust_input:
+    description:
+    - If C(no), check whether a value of I(session_role) is potentially dangerous.
+    - It does make sense to use C(yes) only when SQL injections via I(session_role) are possible.
+    type: bool
+    default: yes
 seealso:
 - module: postgresql_info
 author:
@@ -72,6 +85,9 @@ except ImportError:
     pass
 
 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
     connect_to_db,
     exec_sql,
@@ -117,12 +133,18 @@ def main():
     argument_spec = postgres_common_argument_spec()
     argument_spec.update(
         db=dict(type='str', aliases=['login_db']),
+        session_role=dict(type='str'),
+        trust_input=dict(type='bool', default=True),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
         supports_check_mode=True,
     )
 
+    if not module.params['trust_input']:
+        # Check input for potentially dangerous elements:
+        check_input(module, module.params['session_role'])
+
     # Set some default values:
     cursor = False
     db_connection = False
diff --git a/tests/integration/targets/postgresql_ping/tasks/postgresql_ping_initial.yml b/tests/integration/targets/postgresql_ping/tasks/postgresql_ping_initial.yml
index 346134eb4e..9d35d91c19 100644
--- a/tests/integration/targets/postgresql_ping/tasks/postgresql_ping_initial.yml
+++ b/tests/integration/targets/postgresql_ping/tasks/postgresql_ping_initial.yml
@@ -45,6 +45,7 @@
     login_port: 5432
     ssl_mode: require
     ca_cert: '{{ ssl_rootcert }}'
+    trust_input: yes
   register: result
   when:
   - ansible_os_family == 'Debian'
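Review bot: The second `trust_input` description bullet states the condition backwards: C(yes) is the value that skips the check, so the value that only makes sense when injection is possible is C(no). Suggest `- It makes sense to use C(no) only when SQL injections via I(session_role) are possible.` It would also help to say explicitly that the default C(yes) performs no validation at all, so a playbook that takes I(session_role) from an untrusted source (inventory, extra vars, a survey) must set C(no) itself. The `options:` mapping this hunk extends starts before the hunk.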
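Review bot: `session_role` is added to `argument_spec` but nothing in this hunk passes it anywhere; if `connect_to_db` reads `module.params['session_role']` itself that is fine, otherwise the option is accepted and silently ignored, so a comment such as `# session_role is consumed by connect_to_db via module.params` next to the spec would make that dependency explicit. Because `trust_input` defaults to True, the `check_input` call is skipped unless the caller opts in, so the new check only protects playbooks that already know to disable trust; placing the call before the connection is opened is the right ordering. `check_input` receives None when `session_role` is omitted, which it presumably tolerates, but worth confirming. The body of `main()` continues past the end of the hunk.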
@@ -56,3 +57,19 @@
   when:
   - ansible_os_family == 'Debian'
   - postgres_version_resp.stdout is version('9.4', '>=')
+
+- name: postgresql_ping - check trust_input
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_ping:
+    db: "{{ db_default }}"
+    login_user: "{{ pg_user }}"
+    trust_input: no
+    session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+  register: result
+  ignore_errors: yes
+
+- assert:
+    that:
+    - result is failed
+    - result.msg is search('is potentially dangerous')
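Review bot: The new task only exercises the rejection path; there is no case showing that `trust_input: no` accepts a legitimate role name and that `session_role` actually takes effect, so a regression that makes `check_input` reject every value, or a change that leaves `session_role` unused, would still pass this file. Suggest a sibling task with `trust_input: no` and `session_role: "{{ pg_user }}"` followed by an assert of `result is succeeded`. Matching `result.msg` against the literal 'is potentially dangerous' ties the test to the helper's wording, which is acceptable here but worth keeping in mind if that message is ever changed.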