Fix quotes to avoid shell injection
daianamezdrea authored and DavidS committed Feb 19, 2021
1 parent 34f566f commit 841187b
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions lib/puppet/provider/postgresql_psql/ruby.rb
Expand Up @@ -16,7 +16,7 @@ def run_sql_command(sql)
command = [resource[:psql_path]]
command.push('-d', resource[:db]) if resource[:db]
command.push('-p', resource[:port]) if resource[:port]
command.push('-t', '-X', '-c', '"' + sql.gsub('"', '\"') + '"')
command.push('-t', '-X', '-c', sql)

environment = fetch_environment
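Review bot: At `command.push('-t', '-X', '-c', sql)` the SQL is now passed with no escaping at all, which is only safe while `command` reaches `Puppet::Util::Execution.execute` as an Array and is never joined back into a string; nothing in this hunk records that invariant. The removed line escaped only `"`, so other shell metacharacters inside the double quotes were left live, and a later refactor that reintroduces a join would bring the injection back with no quoting in place. Suggest a short comment on this line stating that the array must stay an array, plus a spec that runs a statement containing `"`, `$` and a backtick and asserts that the argument after `-c` equals the original string unchanged.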

Expand Down Expand Up @@ -57,7 +57,6 @@ def fetch_environment
end

def run_command(command, user, group, environment)
command = command.join ' '
output = Puppet::Util::Execution.execute(command, uid: user,
gid: group,
failonfail: false,
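Review bot: In `run_command`, dropping `command = command.join ' '` also changes how the first element is interpreted: `resource[:psql_path]` is now taken as the executable name as a whole, so a value that carried extra arguments or relied on shell word splitting would have worked before and will not after this commit. That deserves a line in the commit message or changelog, which currently says nothing about the behaviour change. The method also accepts whatever it is given, so a String passed in by another caller would not get the array handling this fix depends on; consider documenting that `command` must be an Array, or failing early when it is not.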