1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

postgresql_copy: add trust_input parameter (#313)

* postgresql_copy: add trust_input parameter

* add changelog fragment
This commit is contained in:
Andrew Klychkov 2020-05-12 09:33:42 +03:00 committed by GitHub
parent 51b8e79203
commit fce150fcf7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 51 additions and 2 deletions

View file

@ -0,0 +1,2 @@
minor_changes:
- postgresql_copy - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/313).

View file

@ -75,7 +75,12 @@ options:
- Permissions checking for SQL commands is carried out as though
the session_role were the one that had logged in originally.
type: str
trust_input:
description:
- If C(no), check whether values of parameters are potentially dangerous.
- It makes sense to use C(yes) only when SQL injections are possible.
type: bool
default: yes
notes:
- Supports PostgreSQL version 9.4+.
- COPY command is only allowed to database superusers.
@ -182,7 +187,10 @@ except ImportError:
pass
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
pg_quote_identifier,
)
from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db,
exec_sql,
@ -340,6 +348,7 @@ def main():
program=dict(type='bool', default=False),
db=dict(type='str', aliases=['login_db']),
session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
)
module = AnsibleModule(
argument_spec=argument_spec,
@ -351,6 +360,21 @@ def main():
]
)
if not module.params['trust_input']:
# Check input for potentially dangerous elements:
opt_list = None
if module.params['options']:
opt_list = ['%s %s' % (key, val) for (key, val) in iteritems(module.params['options'])]
check_input(module,
module.params['copy_to'],
module.params['copy_from'],
module.params['src'],
module.params['dst'],
opt_list,
module.params['columns'],
module.params['session_role'])
# Note: we don't need to check mutually exclusive params here, because they are
# checked automatically by AnsibleModule (mutually_exclusive=[] list above).
if module.params.get('copy_from') and not module.params.get('dst'):

View file

@ -52,6 +52,7 @@
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: '{{ test_table }}'
trust_input: no
- assert:
that:
@ -76,6 +77,7 @@
<<: *pg_parameters
copy_from: '{{ data_file_txt }}'
dst: '{{ test_table }}'
trust_input: no
- assert:
that:
@ -101,18 +103,35 @@
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: non_existent_table
trust_input: no
- assert:
that:
- result.failed == true
- result.queries is not defined
- name: postgresql_copy - check trust_input
<<: *task_parameters
postgresql_copy:
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: '{{ test_table }}'
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
trust_input: no
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')
- name: postgresql_copy - copy test table data to data_file_txt
<<: *task_parameters
postgresql_copy:
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: '{{ test_table }}'
trust_input: no
- assert:
that:
@ -142,6 +161,7 @@
- name
options:
format: csv
trust_input: no
- assert:
that:
@ -170,6 +190,7 @@
- name
options:
format: csv
trust_input: no
- assert:
that:
@ -198,6 +219,7 @@
columns: id, name
options:
delimiter: '|'
trust_input: no
when: ansible_distribution != 'FreeBSD'
- assert:
@ -218,6 +240,7 @@
columns: id, name
options:
delimiter: ','
trust_input: no
- assert:
that: