ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

postgresql_query: add trust_input parameter (#294)

Browse source 
* postgresql_query: add trust_input parameter

* add changelog fragment

* fix CI
This commit is contained in:
Andrew Klychkov 2020-05-07 12:49:53 +03:00 committed by GitHub
parent e4dd15a746
commit c47a2128ca
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 83 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/294-postgresql_query_add_trust_input_parameter.yml Normal file
View file

@ -0,0 +1,2 @@
minor_changes:
- postgresql_query - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/294).

16
plugins/modules/database/postgresql/postgresql_query.py
View file

@ -73,6 +73,12 @@ options:
- Set the client encoding for the current session (e.g. C(UTF-8)). - Set the client encoding for the current session (e.g. C(UTF-8)).
- The default is the encoding defined by the database. - The default is the encoding defined by the database.
type: str type: str
trust_input:
description:
- If C(no), check whether a value of I(session_role) is potentially dangerous.
- It does make sense to use C(yes) only when SQL injections via I(session_role) are possible.
type: bool
default: yes
seealso: seealso:
- module: postgresql_db - module: postgresql_db
author: author:
@ -186,6 +192,9 @@ except ImportError:
pass pass
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
)
from ansible_collections.community.general.plugins.module_utils.postgres import ( from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db, connect_to_db,
get_conn_params, get_conn_params,
@ -248,6 +257,7 @@ def main():
path_to_script=dict(type='path'), path_to_script=dict(type='path'),
autocommit=dict(type='bool', default=False), autocommit=dict(type='bool', default=False),
encoding=dict(type='str'), encoding=dict(type='str'),
trust_input=dict(type='bool', default=True),
) )
module = AnsibleModule( module = AnsibleModule(
@ -262,6 +272,12 @@ def main():
path_to_script = module.params["path_to_script"] path_to_script = module.params["path_to_script"]
autocommit = module.params["autocommit"] autocommit = module.params["autocommit"]
encoding = module.params["encoding"] encoding = module.params["encoding"]
session_role = module.params["session_role"]
trust_input = module.params["trust_input"]
if not trust_input:
# Check input for potentially dangerous elements:
check_input(module, session_role)
if autocommit and module.check_mode: if autocommit and module.check_mode:
module.fail_json(msg="Using autocommit is mutually exclusive with check_mode") module.fail_json(msg="Using autocommit is mutually exclusive with check_mode")

65
tests/integration/targets/postgresql_query/tasks/postgresql_query_initial.yml
View file

@ -3,22 +3,26 @@
become: true become: true
shell: psql postgres -U "{{ pg_user }}" -t -c "DROP TABLE IF EXISTS test_table;" shell: psql postgres -U "{{ pg_user }}" -t -c "DROP TABLE IF EXISTS test_table;"
ignore_errors: true ignore_errors: true
- name: postgresql_query - create test table called test_table - name: postgresql_query - create test table called test_table
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
shell: psql postgres -U "{{ pg_user }}" -t -c "CREATE TABLE test_table (id int, story text);" shell: psql postgres -U "{{ pg_user }}" -t -c "CREATE TABLE test_table (id int, story text);"
ignore_errors: true ignore_errors: true
- name: postgresql_query - insert some data into test_table - name: postgresql_query - insert some data into test_table
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
shell: psql postgres -U "{{ pg_user }}" -t -c "INSERT INTO test_table (id, story) VALUES (1, 'first'), (2, 'second'), (3, 'third');" shell: psql postgres -U "{{ pg_user }}" -t -c "INSERT INTO test_table (id, story) VALUES (1, 'first'), (2, 'second'), (3, 'third');"
ignore_errors: true ignore_errors: true
- name: postgresql_query - remove SQL script if exists - name: postgresql_query - remove SQL script if exists
become: true become: true
file: file:
path: ~{{ pg_user}}/test.sql path: ~{{ pg_user}}/test.sql
state: absent state: absent
ignore_errors: true ignore_errors: true
- name: postgresql_query - create an empty file to check permission - name: postgresql_query - create an empty file to check permission
become: true become: true
file: file:
@ -29,6 +33,7 @@
mode: '0644' mode: '0644'
register: sql_file_created register: sql_file_created
ignore_errors: true ignore_errors: true
- name: postgresql_query - prepare SQL script - name: postgresql_query - prepare SQL script
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -48,6 +53,7 @@
query: ANALYZE test_table query: ANALYZE test_table
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is changed - result is changed
@ -55,6 +61,7 @@
- result.rowcount == 0 - result.rowcount == 0
- result.statusmessage == 'ANALYZE' - result.statusmessage == 'ANALYZE'
- result.query_result == {} - result.query_result == {}
- name: postgresql_query - run queries from SQL script - name: postgresql_query - run queries from SQL script
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -68,6 +75,7 @@
register: result register: result
ignore_errors: true ignore_errors: true
when: sql_file_created when: sql_file_created
- assert: - assert:
that: that:
- result is not changed - result is not changed
@ -76,6 +84,7 @@
- result.statusmessage == 'SELECT 1' or result.statusmessage == 'SELECT' - result.statusmessage == 'SELECT 1' or result.statusmessage == 'SELECT'
- result.query_result[0].story == 'first' - result.query_result[0].story == 'first'
when: sql_file_created when: sql_file_created
- name: postgresql_query - simple select query to test_table - name: postgresql_query - simple select query to test_table
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -85,6 +94,7 @@
query: SELECT * FROM test_table query: SELECT * FROM test_table
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is not changed - result is not changed
@ -97,6 +107,7 @@
- result.query_result[0].story == 'first' - result.query_result[0].story == 'first'
- result.query_result[1].story == 'second' - result.query_result[1].story == 'second'
- result.query_result[2].story == 'third' - result.query_result[2].story == 'third'
- name: postgresql_query - select query with named args - name: postgresql_query - select query with named args
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -109,6 +120,7 @@
story_val: first story_val: first
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is not changed - result is not changed
@ -116,6 +128,7 @@
- result.rowcount == 1 - result.rowcount == 1
- result.statusmessage == 'SELECT 1' or result.statusmessage == 'SELECT' - result.statusmessage == 'SELECT 1' or result.statusmessage == 'SELECT'
- result.query_result[0].id == 1 - result.query_result[0].id == 1
- name: postgresql_query - select query with positional arguments - name: postgresql_query - select query with positional arguments
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -128,6 +141,7 @@
- second - second
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is not changed - result is not changed
@ -135,6 +149,7 @@
- result.rowcount == 1 - result.rowcount == 1
- result.statusmessage == 'SELECT 1' or result.statusmessage == 'SELECT' - result.statusmessage == 'SELECT 1' or result.statusmessage == 'SELECT'
- result.query_result[0].story == 'second' - result.query_result[0].story == 'second'
- name: postgresql_query - simple update query - name: postgresql_query - simple update query
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -144,6 +159,7 @@
query: UPDATE test_table SET story = 'new' WHERE id = 3 query: UPDATE test_table SET story = 'new' WHERE id = 3
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is changed - result is changed
@ -151,6 +167,7 @@
- result.rowcount == 1 - result.rowcount == 1
- result.statusmessage == 'UPDATE 1' - result.statusmessage == 'UPDATE 1'
- result.query_result == {} - result.query_result == {}
- name: check the previous update - name: check the previous update
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -159,9 +176,11 @@
db: postgres db: postgres
query: SELECT * FROM test_table WHERE story = 'new' AND id = 3 query: SELECT * FROM test_table WHERE story = 'new' AND id = 3
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 1 - result.rowcount == 1
- name: postgresql_query - simple update query in check_mode - name: postgresql_query - simple update query in check_mode
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -171,6 +190,7 @@
query: UPDATE test_table SET story = 'CHECK_MODE' WHERE id = 3 query: UPDATE test_table SET story = 'CHECK_MODE' WHERE id = 3
register: result register: result
check_mode: true check_mode: true
- assert: - assert:
that: that:
- result is changed - result is changed
@ -178,6 +198,7 @@
- result.rowcount == 1 - result.rowcount == 1
- result.statusmessage == 'UPDATE 1' - result.statusmessage == 'UPDATE 1'
- result.query_result == {} - result.query_result == {}
- name: check the previous update that nothing has been changed - name: check the previous update that nothing has been changed
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -186,9 +207,11 @@
db: postgres db: postgres
query: SELECT * FROM test_table WHERE story = 'CHECK_MODE' AND id = 3 query: SELECT * FROM test_table WHERE story = 'CHECK_MODE' AND id = 3
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 0 - result.rowcount == 0
- name: postgresql_query - try to update not existing row - name: postgresql_query - try to update not existing row
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -198,6 +221,7 @@
query: UPDATE test_table SET story = 'new' WHERE id = 100 query: UPDATE test_table SET story = 'new' WHERE id = 100
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is not changed - result is not changed
@ -205,6 +229,7 @@
- result.rowcount == 0 - result.rowcount == 0
- result.statusmessage == 'UPDATE 0' - result.statusmessage == 'UPDATE 0'
- result.query_result == {} - result.query_result == {}
- name: postgresql_query - insert query - name: postgresql_query - insert query
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -217,6 +242,7 @@
- fourth - fourth
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is changed - result is changed
@ -224,6 +250,7 @@
- result.rowcount == 1 - result.rowcount == 1
- result.statusmessage == 'INSERT 0 1' - result.statusmessage == 'INSERT 0 1'
- result.query_result == {} - result.query_result == {}
- name: postgresql_query - truncate test_table - name: postgresql_query - truncate test_table
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -233,6 +260,7 @@
query: TRUNCATE test_table query: TRUNCATE test_table
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is changed - result is changed
@ -240,6 +268,7 @@
- result.rowcount == 0 - result.rowcount == 0
- result.statusmessage == 'TRUNCATE TABLE' - result.statusmessage == 'TRUNCATE TABLE'
- result.query_result == {} - result.query_result == {}
- name: postgresql_query - alter test_table - name: postgresql_query - alter test_table
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -249,12 +278,14 @@
query: ALTER TABLE test_table ADD COLUMN foo int query: ALTER TABLE test_table ADD COLUMN foo int
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result is changed - result is changed
- result.query == "ALTER TABLE test_table ADD COLUMN foo int" - result.query == "ALTER TABLE test_table ADD COLUMN foo int"
- result.rowcount == 0 - result.rowcount == 0
- result.statusmessage == 'ALTER TABLE' - result.statusmessage == 'ALTER TABLE'
- name: postgresql_query - vacuum without autocommit must fail - name: postgresql_query - vacuum without autocommit must fail
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -264,9 +295,11 @@
query: VACUUM query: VACUUM
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result.failed == true - result.failed == true
- name: postgresql_query - autocommit in check_mode must fail - name: postgresql_query - autocommit in check_mode must fail
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -278,10 +311,12 @@
check_mode: true check_mode: true
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - assert:
that: that:
- result.failed == true - result.failed == true
- result.msg == "Using autocommit is mutually exclusive with check_mode" - result.msg == "Using autocommit is mutually exclusive with check_mode"
- name: postgresql_query - vacuum with autocommit - name: postgresql_query - vacuum with autocommit
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -291,6 +326,7 @@
query: VACUUM query: VACUUM
autocommit: true autocommit: true
register: result register: result
- assert: - assert:
that: that:
- result is changed - result is changed
@ -298,6 +334,7 @@
- result.rowcount == 0 - result.rowcount == 0
- result.statusmessage == 'VACUUM' - result.statusmessage == 'VACUUM'
- result.query_result == {} - result.query_result == {}
- name: postgresql_query - create test table for issue 59955 - name: postgresql_query - create test table for issue 59955
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -308,6 +345,7 @@
columns: columns:
- arr_col int[] - arr_col int[]
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- set_fact: - set_fact:
my_list: my_list:
- 1 - 1
@ -315,6 +353,7 @@
- 3 - 3
my_arr: '{1, 2, 3}' my_arr: '{1, 2, 3}'
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- name: postgresql_query - insert array into test table by positional args - name: postgresql_query - insert array into test table by positional args
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -326,11 +365,13 @@
- '{{ my_list }}' - '{{ my_list }}'
register: result register: result
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- assert: - assert:
that: that:
- result is changed - result is changed
- result.query == "INSERT INTO test_array_table (arr_col) VALUES ('{1, 2, 3}')" - result.query == "INSERT INTO test_array_table (arr_col) VALUES ('{1, 2, 3}')"
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- name: postgresql_query - select array from test table by passing positional_args - name: postgresql_query - select array from test table by passing positional_args
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -342,12 +383,14 @@
- '{{ my_list }}' - '{{ my_list }}'
register: result register: result
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- assert: - assert:
that: that:
- result is not changed - result is not changed
- result.query == "SELECT * FROM test_array_table WHERE arr_col = '{1, 2, 3}'" - result.query == "SELECT * FROM test_array_table WHERE arr_col = '{1, 2, 3}'"
- result.rowcount == 1 - result.rowcount == 1
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- name: postgresql_query - select array from test table by passing named_args - name: postgresql_query - select array from test table by passing named_args
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -360,12 +403,14 @@
- '{{ my_list }}' - '{{ my_list }}'
register: result register: result
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- assert: - assert:
that: that:
- result is not changed - result is not changed
- result.query == "SELECT * FROM test_array_table WHERE arr_col = '{1, 2, 3}'" - result.query == "SELECT * FROM test_array_table WHERE arr_col = '{1, 2, 3}'"
- result.rowcount == 1 - result.rowcount == 1
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- name: postgresql_query - select array from test table by passing positional_args as a string - name: postgresql_query - select array from test table by passing positional_args as a string
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -375,14 +420,34 @@
query: SELECT * FROM test_array_table WHERE arr_col = %s query: SELECT * FROM test_array_table WHERE arr_col = %s
positional_args: positional_args:
- '{{ my_arr|string }}' - '{{ my_arr|string }}'
trust_input: yes
register: result register: result
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- assert: - assert:
that: that:
- result is not changed - result is not changed
- result.query == "SELECT * FROM test_array_table WHERE arr_col = '{1, 2, 3}'" - result.query == "SELECT * FROM test_array_table WHERE arr_col = '{1, 2, 3}'"
- result.rowcount == 1 - result.rowcount == 1
when: postgres_version_resp.stdout is version('9.4', '>=') when: postgres_version_resp.stdout is version('9.4', '>=')
- name: postgresql_query - test trust_input parameter
become_user: '{{ pg_user }}'
become: true
postgresql_query:
login_user: '{{ pg_user }}'
login_db: postgres
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
query: SELECT version()
trust_input: no
ignore_errors: yes
register: result
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')
- name: postgresql_query - clean up - name: postgresql_query - clean up
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true