inspec · chris-rock · Jul 3, 2017 · Jun 18, 2017 · Jun 24, 2017 · Jun 26, 2017
diff --git a/lib/resources/postgres_session.rb b/lib/resources/postgres_session.rb
@@ -4,6 +4,8 @@
 # author: Christoph Hartmann
 # author: Aaron Lippold
 
+require 'shellwords'
+
 module Inspec::Resources
   class Lines
     attr_reader :output
@@ -35,7 +37,7 @@ class PostgresSession < Inspec.resource(1)
       # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
-        its('output') { should eq('') }
+        its('output') { should eq '' }
       end
     "
 
@@ -46,21 +48,25 @@ def initialize(user, pass, host = nil)
     end
 
     def query(query, db = [])
-      dbs = db.map { |x| "-d #{x}" }.join(' ')
-      # TODO: simple escape, must be handled by a library
-      # that does this securely
-      escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
-      # run the query
-      cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c \"#{escaped_query}\"")
+      psql_cmd = create_psql_cmd(query, db)
+      cmd = inspec.command(psql_cmd)
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 or
-         out =~ /could not connect to .*/ or
-         out.downcase =~ /^error/
-        # skip this test if the server can't run the query
+      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
         skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"
       else
         Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end
     end
+
+    private
+
+    def escaped_query(query)
+      Shellwords.escape(query)
+    end
+
+    def create_psql_cmd(query, db = [])
+      dbs = db.map { |x| "-d #{x}" }.join(' ')
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+    end
   end
 end
diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb
@@ -0,0 +1,15 @@
+# encoding: utf-8
+# author: Aaron Lippold
+
+require 'helper'
+
+describe 'Inspec::Resources::PostgresSession' do
+  it 'verify postgres_session create_psql_cmd with a basic query' do
+    resource = load_resource('postgres_session','myuser','mypass','127.0.0.1')
+    _(resource.send(:create_psql_cmd,"SELECT * FROM STUDENTS;",['testdb']).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;")
+  end
+  it 'verify postgres_session escaped_query with a complex query' do
+    resource = load_resource('postgres_session','myuser','mypass','127.0.0.1')
+    _(resource.send(:create_psql_cmd,"SELECT current_setting('client_min_messages')",['testdb']).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -A -t -c SELECT\\ current_setting\\(\\'client_min_messages\\'\\)")
+  end
+end