ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-24 19:31:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

postgresql_user: add trust_input parameter (#116)

Browse source 
* postgresql: add input checks for potentially dangerous substrings

* postgresql_user: add trust_input parameter

* add CI, add changelog fragment

* fix CI

* moved input patterns outside is_input_dangerous function

* Update plugins/module_utils/database.py

Co-Authored-By: Thomas O'Donnell <andytom@users.noreply.github.com>

* Update plugins/module_utils/database.py

Co-Authored-By: Thomas O'Donnell <andytom@users.noreply.github.com>

* fix

Co-authored-by: Thomas O'Donnell <andytom@users.noreply.github.com>
This commit is contained in:
Andrew Klychkov 2020-04-12 14:16:44 +03:00 committed by GitHub
parent dd1bb708d3
commit 6d7f66539c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 142 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

36
tests/unit/plugins/module_utils/test_database.py
View file

@ -1,6 +1,7 @@
import pytest
from ansible_collections.community.general.plugins.module_utils.database import (
is_input_dangerous,
pg_quote_identifier,
SQLParseError,
)
@ -76,6 +77,36 @@ HOW_MANY_DOTS = (
VALID_QUOTES = ((test, VALID[test]) for test in sorted(VALID))
INVALID_QUOTES = ((test[0], test[1], INVALID[test]) for test in sorted(INVALID))
IS_STRINGS_DANGEROUS = (
(u'', False),
(u' ', False),
(u'alternative database', False),
(u'backup of TRUNCATED table', False),
(u'bob.dropper', False),
(u'd\'artagnan', False),
(u'user_with_select_update_truncate_right', False),
(u';DROP DATABASE fluffy_pets_photos', True),
(u';drop DATABASE fluffy_pets_photos', True),
(u'; TRUNCATE TABLE his_valuable_table', True),
(u'; truncate TABLE his_valuable_table', True),
(u'\'--', True),
(u'"--', True),
(u'\' union select username, password from admin_credentials', True),
(u'\' UNION SELECT username, password from admin_credentials', True),
(u'\' intersect select', True),
(u'\' INTERSECT select', True),
(u'\' except select', True),
(u'\' EXCEPT select', True),
(u';ALTER TABLE prices', True),
(u';alter table prices', True),
(u"; UPDATE products SET price = '0'", True),
(u";update products SET price = '0'", True),
(u"; DELETE FROM products", True),
(u"; delete FROM products", True),
(u"; SELECT * FROM products", True),
(u" ; select * from products", True),
)
@pytest.mark.parametrize("identifier, quoted_identifier", VALID_QUOTES)
def test_valid_quotes(identifier, quoted_identifier):
@ -98,3 +129,8 @@ def test_how_many_dots(identifier, id_type, quoted_identifier, msg):
pg_quote_identifier('%s.more' % identifier, id_type)
ex.match(msg)
@pytest.mark.parametrize("string, result", IS_STRINGS_DANGEROUS)
def test_is_input_dangerous(string, result):
assert is_input_dangerous(string) == result