postgresql_user: add trust_input parameter (#116)

* postgresql: add input checks for potentially dangerous substrings

* postgresql_user: add trust_input parameter

* add CI, add changelog fragment

* fix CI

* moved input patterns outside is_input_dangerous function

* Update plugins/module_utils/database.py

Co-Authored-By: Thomas O'Donnell <andytom@users.noreply.github.com>

* Update plugins/module_utils/database.py

Co-Authored-By: Thomas O'Donnell <andytom@users.noreply.github.com>

* fix

Co-authored-by: Thomas O'Donnell <andytom@users.noreply.github.com>

tests/integration/targets/postgresql_user/defaults/main.yml

@@ -1,3 +1,4 @@
 db_name: 'ansible_db'
 db_user1: 'ansible_db_user1'
 db_user2: 'ansible_db_user2'
+dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'

tests/integration/targets/postgresql_user/tasks/postgresql_user_general.yml

@@ -717,6 +717,32 @@
       that:
       - result.rowcount == 2
 
+  ########################
+  # Test trust_input param
+
+  - name: Create role with potentially dangerous name, don't trust
+    <<: *task_parameters
+    postgresql_user:
+      <<: *pg_parameters
+      name: '{{ dangerous_name }}'
+      trust_input: no
+    ignore_errors: yes
+
+  - assert:
+      that:
+      - result is failed
+      - result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous'
+
+  - name: Create role with potentially dangerous name, trust
+    <<: *task_parameters
+    postgresql_user:
+      <<: *pg_parameters
+      name: '{{ dangerous_name }}'
+
+  - assert:
+      that:
+      - result is changed
+
   always:
   #
   # Clean up
@@ -739,3 +765,4 @@
     - '{{ test_user2 }}'
     - '{{ test_group1 }}'
     - '{{ test_group2 }}'
+    - '{{ dangerous_name }}'

tests/unit/plugins/module_utils/test_database.py

@@ -1,6 +1,7 @@
 import pytest
 
 from ansible_collections.community.general.plugins.module_utils.database import (
+    is_input_dangerous,
     pg_quote_identifier,
     SQLParseError,
 )
@@ -76,6 +77,36 @@ HOW_MANY_DOTS = (
 VALID_QUOTES = ((test, VALID[test]) for test in sorted(VALID))
 INVALID_QUOTES = ((test[0], test[1], INVALID[test]) for test in sorted(INVALID))
 
+IS_STRINGS_DANGEROUS = (
+    (u'', False),
+    (u' ', False),
+    (u'alternative database', False),
+    (u'backup of TRUNCATED table', False),
+    (u'bob.dropper', False),
+    (u'd\'artagnan', False),
+    (u'user_with_select_update_truncate_right', False),
+    (u';DROP DATABASE fluffy_pets_photos', True),
+    (u';drop DATABASE fluffy_pets_photos', True),
+    (u'; TRUNCATE TABLE his_valuable_table', True),
+    (u'; truncate TABLE his_valuable_table', True),
+    (u'\'--', True),
+    (u'"--', True),
+    (u'\' union select username, password from admin_credentials', True),
+    (u'\' UNION SELECT username, password from admin_credentials', True),
+    (u'\' intersect select', True),
+    (u'\' INTERSECT select', True),
+    (u'\' except select', True),
+    (u'\' EXCEPT select', True),
+    (u';ALTER TABLE prices', True),
+    (u';alter table prices', True),
+    (u"; UPDATE products SET price = '0'", True),
+    (u";update products SET price = '0'", True),
+    (u"; DELETE FROM products", True),
+    (u"; delete FROM products", True),
+    (u"; SELECT * FROM products", True),
+    (u" ; select * from products", True),
+)
+
 
 @pytest.mark.parametrize("identifier, quoted_identifier", VALID_QUOTES)
 def test_valid_quotes(identifier, quoted_identifier):
@@ -98,3 +129,8 @@ def test_how_many_dots(identifier, id_type, quoted_identifier, msg):
         pg_quote_identifier('%s.more' % identifier, id_type)
 
     ex.match(msg)
+
+
+@pytest.mark.parametrize("string, result", IS_STRINGS_DANGEROUS)
+def test_is_input_dangerous(string, result):
+    assert is_input_dangerous(string) == result