1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

postgresql_info: add the trust_input parameter (#308)

* postgresql_info: add the trust_input parameter

* add changelog fragment
This commit is contained in:
Andrew Klychkov 2020-05-09 11:24:20 +03:00 committed by GitHub
parent 156d90ce90
commit acc7bc1ea6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 1 deletions

View file

@ -0,0 +1,2 @@
minor_changes:
- postgresql_info - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/308).

View file

@ -46,6 +46,12 @@ options:
- Permissions checking for SQL commands is carried out as though
the session_role were the one that had logged in originally.
type: str
trust_input:
description:
- If C(no), check whether a value of I(session_role) is potentially dangerous.
- It makes sense to use C(yes) only when SQL injections via I(session_role) are possible.
type: bool
default: yes
seealso:
- module: postgresql_ping
author:
@ -483,6 +489,9 @@ except ImportError:
pass
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
)
from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db,
get_conn_params,
@ -988,13 +997,18 @@ def main():
db=dict(type='str', aliases=['login_db']),
filter=dict(type='list', elements='str'),
session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
)
module = AnsibleModule(
argument_spec=argument_spec,
supports_check_mode=True,
)
filter_ = module.params["filter"]
filter_ = module.params['filter']
if not module.params['trust_input']:
# Check input for potentially dangerous elements:
check_input(module, module.params['session_role'])
db_conn_obj = PgDbConn(module)

View file

@ -139,6 +139,7 @@
<<: *pg_parameters
login_db: '{{ test_db }}'
login_port: '{{ master_port }}'
trust_input: yes
- assert:
that:
@ -152,3 +153,19 @@
- result.settings
- result.tablespaces
- result.roles
- name: postgresql_info - test trust_input parameter
<<: *task_parameters
postgresql_info:
<<: *pg_parameters
login_db: '{{ test_db }}'
login_port: '{{ master_port }}'
trust_input: no
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
register: result
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')