postgresql_privs: add trust_input parameter (#177)

* postgresql_privs: add trust_input parameter

* add changelog fragment

changelogs/fragments/177-postgresql_privs_add_trust_input_parameter.yml

@@ -0,0 +1,2 @@
+minor_changes:
+- postgresql_privs - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/177).

plugins/module_utils/database.py

@@ -191,6 +191,9 @@ def check_input(module, *args):
                 if is_input_dangerous(e):
                     dangerous_elements.append(e)
 
+        elif elem is None or isinstance(elem, bool):
+            pass
+
         else:
             elem = str(elem)
             if is_input_dangerous(elem):

plugins/modules/database/postgresql/postgresql_privs.py

@@ -157,6 +157,11 @@ options:
     type: str
     aliases:
     - ssl_rootcert
+  trust_input:
+    description:
+    - If C(no), check whether values of some parameters are potentially dangerous.
+    type: bool
+    default: yes
 
 notes:
 - Parameters that accept comma separated lists (I(privs), I(objs), I(roles))
@@ -417,7 +422,10 @@ except ImportError:
 
 # import module snippets
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
-from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
+from ansible_collections.community.general.plugins.module_utils.database import (
+    pg_quote_identifier,
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import postgres_common_argument_spec
 from ansible.module_utils._text import to_native
 
@@ -943,6 +951,7 @@ def main():
         login=dict(default='postgres', aliases=['login_user']),
         password=dict(default='', aliases=['login_password'], no_log=True),
         fail_on_role=dict(type='bool', default=True),
+        trust_input=dict(type='bool', default=True),
     )
 
     module = AnsibleModule(
@@ -977,6 +986,11 @@ def main():
         module.fail_json(msg='Argument "privs" is required '
                              'for type "%s".' % p.type)
 
+    # Check input
+    if not p.trust_input:
+        # Check input for potentially dangerous elements:
+        check_input(module, p.roles, p.target_roles, p.session_role, p.schema)
+
     # Connect to Database
     if not psycopg2:
         module.fail_json(msg=missing_required_lib('psycopg2'), exception=PSYCOPG2_IMP_ERR)

tests/integration/targets/postgresql_privs/defaults/main.yml

@@ -6,3 +6,4 @@ db_user_with_dots1: role.with.dots1
 db_user_with_dots2: role.with.dots2
 db_session_role1: session_role1
 db_session_role2: session_role2
+dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'

tests/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml

@@ -62,6 +62,7 @@
     type: table
     objs: test_view
     roles: "{{ db_user2 }}"
+    trust_input: no
   check_mode: yes
   register: result
 

tests/integration/targets/postgresql_privs/tasks/postgresql_privs_session_role.yml

@@ -77,3 +77,26 @@
 - assert:
     that:
       - result is failed
+
+########################
+# Test trust_input param
+
+- name: Verify trust_input parameter
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_privs:
+    db: "{{ db_session_role1 }}"
+    type: table
+    objs: test2
+    roles: "{{ db_session_role1 }}"
+    login_user: "{{ pg_user }}"
+    privs: update
+    session_role: "{{ dangerous_name }}"
+    trust_input: no
+  ignore_errors: yes
+  register: result
+
+- assert:
+    that:
+      - result is failed
+      - result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous'