Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix command shell escaping #1240

Merged
merged 6 commits into from
Feb 22, 2021
Merged

Fix command shell escaping #1240

merged 6 commits into from
Feb 22, 2021

Conversation

DavidS
Copy link
Contributor

@DavidS DavidS commented Feb 19, 2021

This changes a couple of places where the postgresql module was passing unsafe values through a shell to avoid the shell altogether.

Big thanks to @smortex for reporting the issue.

@DavidS DavidS added the bugfix label Feb 19, 2021
@DavidS DavidS requested a review from a team as a code owner February 19, 2021 12:03
@DavidS DavidS force-pushed the fix-command-escaping branch 2 times, most recently from 670d879 to a6bf068 Compare February 19, 2021 13:12
@codecov-io
Copy link

codecov-io commented Feb 19, 2021
edited
Loading

Codecov Report

Merging #1240 (c73a37b) into main (08e3a51) will increase coverage by 0.27%.
The diff coverage is 80.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1240      +/-   ##
==========================================
+ Coverage   65.81%   66.09%   +0.27%     
==========================================
  Files          14       14              
  Lines         351      348       -3     
==========================================
- Hits          231      230       -1     
+ Misses        120      118       -2
Impacted Files Coverage Δ
...ns/postgresql/postgresql_acls_to_resources_hash.rb 0.00% <0.00%> (ø)
...b/puppet/functions/postgresql/postgresql_escape.rb 0.00% <0.00%> (ø)
...puppet/functions/postgresql/postgresql_password.rb 0.00% <ø> (ø)
lib/puppet/functions/postgresql_escape.rb 0.00% <ø> (ø)
lib/puppet/functions/postgresql_password.rb 0.00% <ø> (ø)
lib/puppet/provider/postgresql_conf/parsed.rb 100.00% <ø> (ø)
.../puppet/provider/postgresql_conn_validator/ruby.rb 80.00% <ø> (ø)
lib/puppet/type/postgresql_conf.rb 93.33% <ø> (ø)
lib/puppet/type/postgresql_conn_validator.rb 100.00% <ø> (ø)
lib/puppet/type/postgresql_replication_slot.rb 100.00% <ø> (ø)
... and 4 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 25b816e...c73a37b. Read the comment docs.

@DavidS DavidS force-pushed the fix-command-escaping branch from f2bc68b to 7717c46 Compare February 19, 2021 16:01
@sheenaajay sheenaajay force-pushed the fix-command-escaping branch 2 times, most recently from f4453ca to 7717c46 Compare February 19, 2021 16:41
@DavidS DavidS force-pushed the fix-command-escaping branch from 7717c46 to c73a37b Compare February 19, 2021 16:50
@DavidS DavidS force-pushed the fix-command-escaping branch from 1b5e162 to 08a1752 Compare February 19, 2021 17:11
@DavidS
Copy link
Contributor Author

DavidS commented Feb 19, 2021

The rhel-7, puppet7-nightly failure is IAC-1420, so we can ignore that and get this merged and released on Monday.

ekohl
ekohl approved these changes Feb 22, 2021
View reviewed changes
Copy link
Collaborator

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love it when you have more functionality with less code. I also hate it when code tries to join commands when you can actually pass an array of arguments. Big 👍 for this direction.

@sheenaajay sheenaajay merged commit 1044a32 into puppetlabs:main Feb 22, 2021
@DavidS DavidS deleted the fix-command-escaping branch February 22, 2021 11:05
@ekohl
Copy link
Collaborator

ekohl commented Feb 23, 2021

Not sure if this introduced it, but in another module I started to see:

  Warning: /Postgresql_psql[ALTER ROLE jiraadm ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

@vchepkov
Copy link

Warning: /Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]: Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.

@vchepkov
Copy link

@DavidS , I think unless can't be Sensitive, same as only_if, btw
https://github.com/puppetlabs/puppetlabs-postgresql/blob/main/manifests/server/role.pp#L136

@smortex
Copy link
Collaborator

smortex commented Feb 26, 2021

@ekohl @vchepkov I just opened #1249 to track this issue.

@smortex smortex mentioned this pull request Feb 26, 2021
Closed
@ekohl
Copy link
Collaborator

ekohl commented Mar 6, 2021

#1253 is another regression I found with this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sheenaajay sheenaajay sheenaajay approved these changes

@ekohl ekohl ekohl approved these changes

Assignees
No one assigned
Labels
bugfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@DavidS @codecov-io @ekohl @vchepkov @smortex @sheenaajay @daianamezdrea