mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

postgresql_info: add the trust_input parameter (#308)

* postgresql_info: add the trust_input parameter

* add changelog fragment
Andrew Klychkov 2020-05-09 11:24:20 +03:00 committed by GitHub
parent 156d90ce90
commit acc7bc1ea6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 1 deletions


@ -0,0 +1,2 @@
minor_changes:
- postgresql_info - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/308).


@ -46,6 +46,12 @@ options:
- Permissions checking for SQL commands is carried out as though - Permissions checking for SQL commands is carried out as though
the session_role were the one that had logged in originally. the session_role were the one that had logged in originally.
type: str type: str
trust_input:
description:
- If C(no), check whether a value of I(session_role) is potentially dangerous.
- It makes sense to use C(yes) only when SQL injections via I(session_role) are possible.
type: bool
default: yes
seealso: seealso:
- module: postgresql_ping - module: postgresql_ping
author: author:
@ -483,6 +489,9 @@ except ImportError:
pass pass
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
)
from ansible_collections.community.general.plugins.module_utils.postgres import ( from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db, connect_to_db,
get_conn_params, get_conn_params,
@ -988,13 +997,18 @@ def main():
db=dict(type='str', aliases=['login_db']), db=dict(type='str', aliases=['login_db']),
filter=dict(type='list', elements='str'), filter=dict(type='list', elements='str'),
session_role=dict(type='str'), session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
) )
module = AnsibleModule( module = AnsibleModule(
argument_spec=argument_spec, argument_spec=argument_spec,
supports_check_mode=True, supports_check_mode=True,
) )
filter_ = module.params["filter"] filter_ = module.params['filter']
if not module.params['trust_input']:
# Check input for potentially dangerous elements:
check_input(module, module.params['session_role'])
db_conn_obj = PgDbConn(module) db_conn_obj = PgDbConn(module)
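Review bot: The second description line of the new `trust_input` option reads as inverted: the check in `main()` runs only under `if not module.params['trust_input']`, so the value to choose when injection through I(session_role) is possible is C(no), not C(yes). I would change it to `- It makes sense to use C(no) only when SQL injections via I(session_role) are possible.` Because the argument spec sets `default=True`, the check is opt-in, and the option text could say plainly that a I(session_role) built from untrusted input is passed through unchecked unless `trust_input: no` is set. `check_input` is defined in another module and the place where the role is applied is outside these hunks, so whether the identifier is also quoted there cannot be confirmed from this page; `main()` itself starts and ends outside the hunk.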


@ -139,6 +139,7 @@
<<: *pg_parameters <<: *pg_parameters
login_db: '{{ test_db }}' login_db: '{{ test_db }}'
login_port: '{{ master_port }}' login_port: '{{ master_port }}'
trust_input: yes
- assert: - assert:
that: that:
@ -152,3 +153,19 @@
- result.settings - result.settings
- result.tablespaces - result.tablespaces
- result.roles - result.roles
- name: postgresql_info - test trust_input parameter
<<: *task_parameters
postgresql_info:
<<: *pg_parameters
login_db: '{{ test_db }}'
login_port: '{{ master_port }}'
trust_input: no
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
register: result
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')
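Review bot: The added task only exercises the rejection path, so nothing in this file shows that `trust_input: no` leaves ordinary calls working. In particular, `main()` passes `module.params['session_role']` to `check_input` even when the option is omitted, and that case is not covered; a second task without `session_role` that asserts success would pin it. A further case with a legitimate role name and `trust_input: no` would guard against the check rejecting valid identifiers, using whichever role this test target already creates.

```yaml
- name: postgresql_info - trust_input=no without session_role
  <<: *task_parameters
  postgresql_info:
    <<: *pg_parameters
    login_db: '{{ test_db }}'
    login_port: '{{ master_port }}'
    trust_input: no
  register: result

- assert:
    that:
    - result is succeeded
```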