postgresql_copy: add trust_input parameter #313

Merged
@@ -0,0 +1,2 @@
minor_changes:
- postgresql_copy - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/313).
28 changes: 26 additions & 2 deletions plugins/modules/database/postgresql/postgresql_copy.py
Expand Up @@ -75,7 +75,12 @@
- Permissions checking for SQL commands is carried out as though
the session_role were the one that had logged in originally.
type: str

trust_input:
description:
- If C(no), check whether values of parameters are potentially dangerous.
- It makes sense to use C(yes) only when SQL injections are possible.
type: bool
default: yes
notes:
- Supports PostgreSQL version 9.4+.
- COPY command is only allowed to database superusers.
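Review bot: the second description line of trust_input has its sense inverted: it says C(yes) makes sense only when SQL injections are possible, but C(yes) is the value that skips the check entirely. It should read "It makes sense to use C(no) only when SQL injections via the parameters are possible." It would also help to say which parameters are inspected (copy_to, copy_from, src, dst, options, columns, session_role) and to state plainly that with the default of yes no checking is done, so the protection is opt-in.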
Expand Down Expand Up @@ -182,7 +187,10 @@
pass

from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
pg_quote_identifier,
)
from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db,
exec_sql,
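Review bot: the new check in main() builds opt_list with iteritems(), but this import hunk only adds check_input. Confirm iteritems is already imported from ansible.module_utils.six elsewhere in this module; if it is not, the trust_input=no path with options set would raise NameError before check_input is ever called.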
Expand Down Expand Up @@ -340,6 +348,7 @@ def main():
program=dict(type='bool', default=False),
db=dict(type='str', aliases=['login_db']),
session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
)
module = AnsibleModule(
argument_spec=argument_spec,
Expand All @@ -351,6 +360,21 @@ def main():
]
)

if not module.params['trust_input']:
# Check input for potentially dangerous elements:
opt_list = None
if module.params['options']:
opt_list = ['%s %s' % (key, val) for (key, val) in iteritems(module.params['options'])]

check_input(module,
module.params['copy_to'],
module.params['copy_from'],
module.params['src'],
module.params['dst'],
opt_list,
module.params['columns'],
module.params['session_role'])

# Note: we don't need to check mutually exclusive params here, because they are
# checked automatically by AnsibleModule (mutually_exclusive=[] list above).
if module.params.get('copy_from') and not module.params.get('dst'):
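Review bot: most of the values handed to check_input here can be None (src, dst, copy_to, copy_from, session_role, and opt_list when no options are given) and columns is a list, so check_input must skip None and descend into lists; that should be verified rather than assumed, since a TypeError here would surface as a module crash instead of the intended "potentially dangerous" failure. Also worth noting in the docs: copy_to and copy_from are server-side file paths, so a legitimate path containing a quote or semicolon will be rejected when trust_input is no; that is an acceptable trade-off, but users should know it in advance.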
Expand Up @@ -52,6 +52,7 @@
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: '{{ test_table }}'
trust_input: no

- assert:
that:
Expand All @@ -76,6 +77,7 @@
<<: *pg_parameters
copy_from: '{{ data_file_txt }}'
dst: '{{ test_table }}'
trust_input: no

- assert:
that:
Expand All @@ -101,18 +103,35 @@
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: non_existent_table
trust_input: no

- assert:
that:
- result.failed == true
- result.queries is not defined

- name: postgresql_copy - check trust_input
<<: *task_parameters
postgresql_copy:
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: '{{ test_table }}'
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
trust_input: no
ignore_errors: yes

- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')

- name: postgresql_copy - copy test table data to data_file_txt
<<: *task_parameters
postgresql_copy:
<<: *pg_parameters
copy_to: '{{ data_file_txt }}'
src: '{{ test_table }}'
trust_input: no

- assert:
that:
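Review bot: the "check trust_input" task only shows the negative path. Add a sibling task with the same session_role value and trust_input omitted (so the default of yes applies), asserting that result.msg is not search('is potentially dangerous'); that proves the flag is what gates the check rather than the value failing for some other reason. The test also exercises only session_role; a dangerous value in src, columns or options would cover the opt_list path built in main(), which no task currently hits with a rejected value.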
Expand Down Expand Up @@ -142,6 +161,7 @@
- name
options:
format: csv
trust_input: no

- assert:
that:
Expand Down Expand Up @@ -170,6 +190,7 @@
- name
options:
format: csv
trust_input: no

- assert:
that:
Expand Down Expand Up @@ -198,6 +219,7 @@
columns: id, name
options:
delimiter: '|'
trust_input: no
when: ansible_distribution != 'FreeBSD'

- assert:
Expand All @@ -218,6 +240,7 @@
columns: id, name
options:
delimiter: ','
trust_input: no

- assert:
that: