postgresql_query: add trust_input parameter (#294)

* postgresql_query: add trust_input parameter * add changelog fragment * fix CI
2025-04-22 18:31:25 -07:00 · 2020-05-07 12:49:53 +03:00 · 2020-05-07 12:49:53 +03:00 · c47a2128ca
commit c47a2128ca
parent e4dd15a746
3 changed files with 83 additions and 0 deletions
--- a/plugins/modules/database/postgresql/postgresql_query.py
+++ b/plugins/modules/database/postgresql/postgresql_query.py
@ -73,6 +73,12 @@ options:
    - Set the client encoding for the current session (e.g. C(UTF-8)).
    - The default is the encoding defined by the database.
    type: str
+  trust_input:
+    description:
+    - If C(no), check whether a value of I(session_role) is potentially dangerous.
+    - It does make sense to use C(yes) only when SQL injections via I(session_role) are possible.
+    type: bool
+    default: yes
 seealso:
 - module: postgresql_db
 author:
@ -186,6 +192,9 @@ except ImportError:
    pass

 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
    connect_to_db,
    get_conn_params,
@ -248,6 +257,7 @@ def main():
        path_to_script=dict(type='path'),
        autocommit=dict(type='bool', default=False),
        encoding=dict(type='str'),
+        trust_input=dict(type='bool', default=True),
    )

    module = AnsibleModule(
@ -262,6 +272,12 @@ def main():
    path_to_script = module.params["path_to_script"]
    autocommit = module.params["autocommit"]
    encoding = module.params["encoding"]
+    session_role = module.params["session_role"]
+    trust_input = module.params["trust_input"]
+
+    if not trust_input:
+        # Check input for potentially dangerous elements:
+        check_input(module, session_role)

    if autocommit and module.check_mode:
        module.fail_json(msg="Using autocommit is mutually exclusive with check_mode")