mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

postgresql_set: add trust_input parameter (#302)

* postgresql_set: add trust_input parameter

* add changelog fragment

* fix CI
Andrew Klychkov 2020-05-12 10:03:40 +03:00 committed by GitHub
parent 31085fffb7
commit afe2946cce
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 40 additions and 3 deletions


@ -0,0 +1,2 @@
minor_changes:
- postgresql_set - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/302).


@ -59,6 +59,12 @@ options:
type: str type: str
aliases: aliases:
- login_db - login_db
trust_input:
description:
- If C(no), check whether values of parameters are potentially dangerous.
- It does make sense to use C(yes) only when SQL injections are possible.
type: bool
default: yes
notes: notes:
- Supported version of PostgreSQL is 9.4 and later. - Supported version of PostgreSQL is 9.4 and later.
- Pay attention, change setting with 'postmaster' context can return changed is true - Pay attention, change setting with 'postmaster' context can return changed is true
@ -166,6 +172,9 @@ except Exception:
from copy import deepcopy from copy import deepcopy
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
)
from ansible_collections.community.general.plugins.module_utils.postgres import ( from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db, connect_to_db,
get_conn_params, get_conn_params,
@ -287,15 +296,22 @@ def main():
value=dict(type='str'), value=dict(type='str'),
reset=dict(type='bool'), reset=dict(type='bool'),
session_role=dict(type='str'), session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
) )
module = AnsibleModule( module = AnsibleModule(
argument_spec=argument_spec, argument_spec=argument_spec,
supports_check_mode=True, supports_check_mode=True,
) )
name = module.params["name"] name = module.params['name']
value = module.params["value"] value = module.params['value']
reset = module.params["reset"] reset = module.params['reset']
session_role = module.params['session_role']
trust_input = module.params['trust_input']
if not trust_input:
# Check input for potentially dangerous elements:
check_input(module, name, value, session_role)
# Allow to pass values like 1mb instead of 1MB, etc: # Allow to pass values like 1mb instead of 1MB, etc:
if value: if value:
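Review bot: The second `trust_input` description line in the options hunk is inverted relative to the code: it says C(yes) makes sense only when SQL injections are possible, but main() calls `check_input` only under `if not trust_input:`. I would reword it to `- It makes sense to use C(no) only when SQL injections via the parameters are possible.` Since the default is `yes`, the check is opt-in, so the description should also say that playbooks taking `name`, `value` or `session_role` from outside sources need `trust_input: no`. main() begins and continues outside the hunk, so how these values reach the SQL statements is not visible here.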


@ -288,6 +288,7 @@
<<: *task_parameters <<: *task_parameters
postgresql_set: postgresql_set:
<<: *pg_parameters <<: *pg_parameters
trust_input: yes
name: archive_command name: archive_command
value: 'test ! -f /mnt/postgres/mb/%f && cp %p /mnt/postgres/mb/%f' value: 'test ! -f /mnt/postgres/mb/%f && cp %p /mnt/postgres/mb/%f'
@ -302,3 +303,21 @@
- assert: - assert:
that: that:
- result.query_result.0.reset_val == "test ! -f /mnt/postgres/mb/%f && cp %p /mnt/postgres/mb/%f" - result.query_result.0.reset_val == "test ! -f /mnt/postgres/mb/%f && cp %p /mnt/postgres/mb/%f"
#############################
# Check trust_input parameter
- name: postgresql_set - check trust_input
<<: *task_parameters
postgresql_set:
<<: *pg_parameters
name: shared_buffers
value: 111MB
trust_input: no
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
register: result
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')
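Review bot: The new task at the end of the file covers only a suspicious `session_role`, although the module passes `name` and `value` to `check_input` as well. I would add a parallel task with `trust_input: no` and a suspicious `value`, asserting the same `result is failed` and `result.msg is search('is potentially dangerous')`. A further task with `trust_input: no` and ordinary values that asserts success would catch a false positive in the check. The `archive_command` task in the first hunk sets `trust_input: yes` explicitly; whether that value would be rejected under `no` is not shown on this page.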