Add trust_input to postgresql_user_obj_stat_info (#310)

Have added a trust_input option to the postgresql_user_obj_stat_info
module. This only checks the session_role since all other options are
passed as parameters.

changelogs/fragments/310-postgresql_user_obj_stat_info_add_trust_input.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - postgresql_user_obj_stat_info - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/310).

plugins/modules/database/postgresql/postgresql_user_obj_stat_info.py

@@ -45,6 +45,13 @@ options:
     - Permissions checking for SQL commands is carried out as though
       the session_role were the one that had logged in originally.
     type: str
+  trust_input:
+    description:
+    - If C(no), check the value of I(session_role) is potentially dangerous.
+    - It only makes sense to use C(no) only when SQL injections via I(session_role) are possible.
+    type: bool
+    default: yes
+
 notes:
 - C(size) and C(total_size) returned values are presented in bytes.
 - For tracking function statistics the PostgreSQL C(track_functions) parameter must be enabled.
@@ -57,6 +64,7 @@ seealso:
   link: https://www.postgresql.org/docs/current/monitoring-stats.html
 author:
 - Andrew Klychkov (@Andersson007)
+- Thomas O'Donnell (@andytom)
 extends_documentation_fragment:
 - community.general.postgres
 
@@ -104,6 +112,9 @@ except ImportError:
     pass
 
 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
     connect_to_db,
     exec_sql,
@@ -302,6 +313,7 @@ def main():
         filter=dict(type='list', elements='str'),
         session_role=dict(type='str'),
         schema=dict(type='str'),
+        trust_input=dict(type="bool", default=True),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
@@ -311,6 +323,9 @@ def main():
     filter_ = module.params["filter"]
     schema = module.params["schema"]
 
+    if not module.params["trust_input"]:
+        check_input(module, module.params['session_role'])
+
     # Connect to DB and make cursor object:
     pg_conn_params = get_conn_params(module, module.params)
     # We don't need to commit anything, so, set it to False:

tests/integration/targets/postgresql_user_obj_stat_info/tasks/postgresql_user_obj_stat_info.yml

@@ -1,3 +1,4 @@
+---
 # Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
@@ -156,6 +157,20 @@
       - result is failed
       - result.msg == "Schema 'nonexistent' does not exist"
 
+  # 4. Test Trust Input
+  - name: Try running with SQL injection
+    <<: *task_parameters
+    postgresql_user_obj_stat_info:
+      <<: *pg_parameters
+      session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+      trust_input: no
+    ignore_errors: yes
+
+  - assert:
+      that:
+        - result is failed
+        - result.msg is search('is potentially dangerous')
+    
   ##########
   # Clean up
   ##########