Add trust_input to postgresql_user_obj_stat_info (#310)

Have added a trust_input option to the postgresql_user_obj_stat_info module. This only checks the session_role since all other options are passed as parameters.
2025-07-08 14:20:04 -07:00 · 2020-05-10 14:56:19 +02:00 · 2020-05-10 14:56:19 +02:00 · 571837b199
commit 571837b199
parent 159e2bb734
3 changed files with 33 additions and 0 deletions
--- a/tests/integration/targets/postgresql_user_obj_stat_info/tasks/postgresql_user_obj_stat_info.yml
+++ b/tests/integration/targets/postgresql_user_obj_stat_info/tasks/postgresql_user_obj_stat_info.yml
@ -1,3 +1,4 @@
+---
 # Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

@ -156,6 +157,20 @@
      - result is failed
      - result.msg == "Schema 'nonexistent' does not exist"

+  # 4. Test Trust Input
+  - name: Try running with SQL injection
+    <<: *task_parameters
+    postgresql_user_obj_stat_info:
+      <<: *pg_parameters
+      session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+      trust_input: no
+    ignore_errors: yes
+
+  - assert:
+      that:
+        - result is failed
+        - result.msg is search('is potentially dangerous')
+    
  ##########
  # Clean up
  ##########