Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use raw string for PostgreSQL connection string #209

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Use raw string for PostgreSQL connection string #209

wants to merge 3 commits into from

Conversation

jsf9k
Copy link
Member

@jsf9k jsf9k commented Feb 28, 2025
edited
Loading

🗣 Description

This pull request modifies the Python code to use a raw string for the PostgreSQL connection string.

💭 Motivation and context

If the PostgreSQL password, for example, contains a literal backslash (\) character then we do not want it to be interpreted as the first character in a Python string escape sequence.

It is highly unlikely that anyone would choose a host name, database name, username, or password that genuinely contains special characters like \n, \t, etc.; therefore, it should be safe to treat all backslashes in the PostgreSQL connection string as literal backslashes.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Finalize version.

✅ Post-merge checklist

  • Create a release.

jsf9k added 3 commits February 28, 2025 14:10
@jsf9k
Construct the Postgres connection string as a raw string
0efaf84 
The password, in particular, may contain backslash literals.  This
will ensure that such backslashes are not treated as the first
character in a Python escape sequence.
@jsf9k
Bump version from 2.0.0 to 2.0.1
f196970
@jsf9k
Bump version from 2.0.1 to 2.0.1-rc.1
519f564
@jsf9k jsf9k added bug This issue or pull request addresses broken functionality version bump This issue or pull request increments the version number python Pull requests that update Python code labels Feb 28, 2025
@jsf9k jsf9k self-assigned this Feb 28, 2025
@coveralls
Copy link

coveralls commented Feb 28, 2025
edited
Loading

Pull Request Test Coverage Report for Build 13640008976

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 76.658%
Totals Coverage Status
Change from base Build 13591361643: 0.0%
Covered Lines: 226
Relevant Lines: 273
💛 - Coveralls

@jsf9k jsf9k marked this pull request as ready for review February 28, 2025 20:08
@jsf9k jsf9k requested a review from dv4harr10 February 28, 2025 20:08
@dv4harr10
Copy link
Contributor

Hi Shane @jsf9k , just one comment, in the src/guacscanner/guacscanner.py file the instances where cursor.execute(ENTITY_COUNT_QUERY, (entity_name, entity_type)) is used these are examples of string concatenation which is a possible vulnerability for SQL injection. What's your thoughts?

@jsf9k
Copy link
Member Author

jsf9k commented Feb 28, 2025

Hi Shane @jsf9k , just one comment, in the src/guacscanner/guacscanner.py file the instances where cursor.execute(ENTITY_COUNT_QUERY, (entity_name, entity_type)) is used these are examples of string concatenation which is a possible vulnerability for SQL injection. What's your thoughts?

In this project I think it's OK. The values being concatenated do not originate from users but from the AWS API, and the latter is a trusted source.

dav3r
dav3r approved these changes Mar 3, 2025
View reviewed changes
Copy link
Member

@dav3r dav3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, but we should still test that this actually works as intended.

@jsf9k
Copy link
Member Author

jsf9k commented Mar 3, 2025

Makes sense, but we should still test that this actually works as intended.

The only real way to test is to add a backslash to the PostgreSQL password in, say, our dev-a COOL environment. I will get @dav3r's assistance with that when we finish up the current cisagov/skeleton-packer Lineage wave.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dav3r dav3r dav3r approved these changes

@dv4harr10 dv4harr10 dv4harr10 approved these changes

@felddy felddy Awaiting requested review from felddy felddy is a code owner

@mcdonnnj mcdonnnj Awaiting requested review from mcdonnnj mcdonnnj is a code owner

Assignees

@jsf9k jsf9k

Labels
bug This issue or pull request addresses broken functionality python Pull requests that update Python code version bump This issue or pull request increments the version number
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jsf9k @coveralls @dv4harr10 @dav3r