Add trust_input to postgresql_user_obj_stat_info

Have added a trust_input option to the postgresql_user_obj_stat_info module. This only checks the session_role since all other options are passed as parameters.
ansible-collections · May 10, 2020 · 07775b2 · 07775b2
1 parent 5cdb646
commit 07775b2
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/changelogs/fragments/310-postgresql_user_obj_stat_info_add_trust_input.yml b/changelogs/fragments/310-postgresql_user_obj_stat_info_add_trust_input.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - postgresql_user_obj_stat_info - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/310).
diff --git a/plugins/modules/database/postgresql/postgresql_user_obj_stat_info.py b/plugins/modules/database/postgresql/postgresql_user_obj_stat_info.py
@@ -45,6 +45,13 @@
     - Permissions checking for SQL commands is carried out as though
       the session_role were the one that had logged in originally.
     type: str
+  trust_input:
+    description:
+    - If C(no), check the value of I(session_role) is potentially dangerous.
+    - It only makes sense to use C(no) only when SQL injections via I(session_role) are possible.
+    type: bool
+    default: yes
+
 notes:
 - C(size) and C(total_size) returned values are presented in bytes.
 - For tracking function statistics the PostgreSQL C(track_functions) parameter must be enabled.
@@ -57,6 +64,7 @@
   link: https://www.postgresql.org/docs/current/monitoring-stats.html
 author:
 - Andrew Klychkov (@Andersson007)
+- Thomas O'Donnell (@andytom)
 extends_documentation_fragment:
 - community.general.postgres
 
@@ -104,6 +112,9 @@
     pass
 
 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
     connect_to_db,
     exec_sql,
@@ -302,6 +313,7 @@ def main():
         filter=dict(type='list', elements='str'),
         session_role=dict(type='str'),
         schema=dict(type='str'),
+        trust_input=dict(type="bool", default=True),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
@@ -311,6 +323,9 @@ def main():
     filter_ = module.params["filter"]
     schema = module.params["schema"]
 
+    if not module.params["trust_input"]:
+        check_input(module, module.params['session_role'])
+
     # Connect to DB and make cursor object:
     pg_conn_params = get_conn_params(module, module.params)
     # We don't need to commit anything, so, set it to False:

diff --git a/...integration/targets/postgresql_user_obj_stat_info/tasks/postgresql_user_obj_stat_info.yml b/...integration/targets/postgresql_user_obj_stat_info/tasks/postgresql_user_obj_stat_info.yml
@@ -1,3 +1,4 @@
+---
 # Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
@@ -156,6 +157,20 @@
       - result is failed
       - result.msg == "Schema 'nonexistent' does not exist"
 
+  # 4. Test Trust Input
+  - name: Try running with SQL injection
+    <<: *task_parameters
+    postgresql_user_obj_stat_info:
+      <<: *pg_parameters
+      session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+      trust_input: no
+    ignore_errors: yes
+
+  - assert:
+      that:
+        - result is failed
+        - result.msg is search('is potentially dangerous')
+
   ##########
   # Clean up
   ##########