postgresql_info: add the trust_input parameter (#308)

* postgresql_info: add the trust_input parameter * add changelog fragment
2024-09-14 20:13:21 +02:00 · 2020-05-09 11:24:20 +03:00 · 2020-05-09 11:24:20 +03:00 · acc7bc1ea6
commit acc7bc1ea6
parent 156d90ce90
3 changed files with 34 additions and 1 deletions
--- a/changelogs/fragments/308-postgresql_info_add_trust_input_parameter.yml
+++ b/changelogs/fragments/308-postgresql_info_add_trust_input_parameter.yml
@ -0,0 +1,2 @@
+minor_changes:
+- postgresql_info - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/308).
--- a/plugins/modules/database/postgresql/postgresql_info.py
+++ b/plugins/modules/database/postgresql/postgresql_info.py
@ -46,6 +46,12 @@ options:
    - Permissions checking for SQL commands is carried out as though
      the session_role were the one that had logged in originally.
    type: str
+  trust_input:
+    description:
+    - If C(no), check whether a value of I(session_role) is potentially dangerous.
+    - It makes sense to use C(yes) only when SQL injections via I(session_role) are possible.
+    type: bool
+    default: yes
 seealso:
 - module: postgresql_ping
 author:
@ -483,6 +489,9 @@ except ImportError:
    pass

 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
    connect_to_db,
    get_conn_params,
@ -988,13 +997,18 @@ def main():
        db=dict(type='str', aliases=['login_db']),
        filter=dict(type='list', elements='str'),
        session_role=dict(type='str'),
+        trust_input=dict(type='bool', default=True),
    )
    module = AnsibleModule(
        argument_spec=argument_spec,
        supports_check_mode=True,
    )

-    filter_ = module.params["filter"]
+    filter_ = module.params['filter']
+
+    if not module.params['trust_input']:
+        # Check input for potentially dangerous elements:
+        check_input(module, module.params['session_role'])

    db_conn_obj = PgDbConn(module)

--- a/tests/integration/targets/postgresql_info/tasks/postgresql_info_initial.yml
+++ b/tests/integration/targets/postgresql_info/tasks/postgresql_info_initial.yml
@ -139,6 +139,7 @@
      <<: *pg_parameters
      login_db: '{{ test_db }}'
      login_port: '{{ master_port }}'
+      trust_input: yes

  - assert:
      that:
@ -152,3 +153,19 @@
      - result.settings
      - result.tablespaces
      - result.roles
+
+  - name: postgresql_info - test trust_input parameter
+    <<: *task_parameters
+    postgresql_info:
+      <<: *pg_parameters
+      login_db: '{{ test_db }}'
+      login_port: '{{ master_port }}'
+      trust_input: no
+      session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+    register: result
+    ignore_errors: yes
+
+  - assert:
+      that:
+      - result is failed
+      - result.msg is search('is potentially dangerous')