postgresql_user: add trust_input parameter (#116)

* postgresql: add input checks for potentially dangerous substrings

* postgresql_user: add trust_input parameter

* add CI, add changelog fragment

* fix CI

* moved input patterns outside is_input_dangerous function

* Update plugins/module_utils/database.py

Co-Authored-By: Thomas O'Donnell <andytom@users.noreply.github.com>

* Update plugins/module_utils/database.py

Co-Authored-By: Thomas O'Donnell <andytom@users.noreply.github.com>

* fix

Co-authored-by: Thomas O'Donnell <andytom@users.noreply.github.com>
Andrew Klychkov 2020-04-12 14:16:44 +03:00 committed by GitHub
parent dd1bb708d3
commit 6d7f66539c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 142 additions and 1 deletions


@ -147,6 +147,11 @@ options:
description:
- Add a comment on the user (equal to the COMMENT ON ROLE statement result).
type: str
trust_input:
description:
- If C(no), check whether values of some parameters are potentially dangerous.
type: bool
default: yes
notes:
- The module creates a user (role) with login privilege by default.
Use NOLOGIN role_attr_flags to change this behaviour.
@ -252,7 +257,11 @@ except ImportError:
pass
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier, SQLParseError
from ansible_collections.community.general.plugins.module_utils.database import (
pg_quote_identifier,
SQLParseError,
check_input,
)
from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db,
get_conn_params,
@ -812,6 +821,7 @@ def main():
session_role=dict(type='str'),
groups=dict(type='list', elements='str'),
comment=dict(type='str', default=None),
trust_input=dict(type='bool', default=True),
)
module = AnsibleModule(
argument_spec=argument_spec,
@ -838,6 +848,12 @@ def main():
groups = [e.strip() for e in groups]
comment = module.params["comment"]
trust_input = module.params['trust_input']
if not trust_input:
# Check input for potentially dangerous elements:
check_input(module, user, password, privs, expires,
role_attr_flags, groups, comment)
conn_params = get_conn_params(module, module.params, warn_db_default=False)
db_connection = connect_to_db(module, conn_params)
cursor = db_connection.cursor(cursor_factory=DictCursor)
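Review bot: The `trust_input` description in the first hunk only says that "some parameters" are checked, while the call at the end of the last hunk fixes the exact set, so the option text should name them, e.g. `- If C(no), check whether values of the I(user), I(password), I(privs), I(expires), I(role_attr_flags), I(groups) and I(comment) parameters are potentially dangerous.` Because the default is C(yes), the new check is opt-in and existing playbooks keep the previous unchecked behaviour; that deserves an explicit sentence in the description (and a version_added line) so users do not assume the module now validates input by default. Per the commit message the check scans for dangerous substrings, i.e. it is a denylist and not a substitute for quoting or parameterizing the SQL these values are interpolated into; how they are quoted is outside these hunks, so that should be confirmed in the rest of main() rather than assumed, and a denylist applied to I(password) may also reject legitimate passwords containing quote characters. main() begins and ends outside the hunk.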