From 0cc897d08d15fe2338db8ad3474de7ee52d4feb1 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sat, 13 Jun 2020 18:48:07 -0700
Subject: [PATCH] migrations: Escape more pedantically in pgroonga.0001_enable.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The psycopg2.SQL API unfortunately doesn’t work with django.db.migrations.RunSQL, so we need to take a detour into PL/pgSQL for EXECUTE and format.

Signed-off-by: Anders Kaseorg
---
 pgroonga/migrations/0001_enable.py | 16 ++++++++++------
 tools/semgrep.yml | 2 ++
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/pgroonga/migrations/0001_enable.py b/pgroonga/migrations/0001_enable.py
index 9c0797e1ef..2e5f645a93 100644
--- a/pgroonga/migrations/0001_enable.py
+++ b/pgroonga/migrations/0001_enable.py
@@ -11,8 +11,9 @@ class Migration(migrations.Migration):
     database_setting = settings.DATABASES["default"]
     if "postgres" in database_setting["ENGINE"]:
         operations = [
-            migrations.RunSQL("""
-ALTER ROLE %(USER)s SET search_path TO %(SCHEMA)s,public,pgroonga,pg_catalog;
+            migrations.RunSQL([("""
+DO $$BEGIN
+EXECUTE format('ALTER ROLE %%I SET search_path TO %%L,public,pgroonga,pg_catalog', %(USER)s, %(SCHEMA)s);
 
 SET search_path = %(SCHEMA)s,public,pgroonga,pg_catalog;
 
@@ -23,8 +24,10 @@ ALTER TABLE zerver_message ADD COLUMN search_pgroonga text;
 -- Django 1.10 may solve the problem.
 CREATE INDEX zerver_message_search_pgroonga ON zerver_message
 USING pgroonga(search_pgroonga pgroonga.text_full_text_search_ops);
-""" % database_setting,
-    """
+END$$
+""", database_setting)],
+    [("""
+DO $$BEGIN
 SET search_path = %(SCHEMA)s,public,pgroonga,pg_catalog;
 
 DROP INDEX zerver_message_search_pgroonga;
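Review bot: The `+DO $$BEGIN` / `END$$` wrapper is only as strong as its dollar-quote tag, because psycopg2 (as far as I know) renders `%(USER)s` and `%(SCHEMA)s` into the statement text on the client before sending it; a USER or SCHEMA value containing `$$` would therefore terminate the block before the `EXECUTE format(...)` line runs, which is the one case the new `%%I`/`%%L` quoting cannot cover. These values come from settings rather than user input, so this is a robustness gap rather than an injection, but since the commit's goal is pedantic escaping it is cheap to close with a tagged quote: `DO $pgroonga$BEGIN` paired with `END$pgroonga$`, in both the forward and the reverse block. The `operations` list and the forward SQL string continue past the end of this hunk.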
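Review bot: Nothing in the new code says why every statement — `SET search_path`, `DROP INDEX`, the `CREATE INDEX` above — now lives inside a single `DO $$BEGIN … END$$` block, and the commit message only explains the `EXECUTE format` part; a later reader may be tempted to move the plain statements back out, which I believe would break because RunSQL sends a parameterised SQL string as one statement instead of splitting it. I'd add a SQL comment right after the reverse block's `+DO $$BEGIN` (and its twin in the forward block): `-- One DO block on purpose: RunSQL does not split parameterised SQL into statements, and role/schema names cannot be bind parameters, hence EXECUTE format().` The forward block's opening and the rest of the reverse block sit outside this hunk.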
@@ -32,8 +35,9 @@ ALTER TABLE zerver_message DROP COLUMN search_pgroonga;
 
 SET search_path = %(SCHEMA)s,public;
 
-ALTER ROLE %(USER)s SET search_path TO %(SCHEMA)s,public;
-""" % database_setting),
+EXECUTE format('ALTER ROLE %%I SET search_path TO %%L,public', %(USER)s, %(SCHEMA)s);
+END$$
+""", database_setting)]),
         ]
     else:
         operations = []
diff --git a/tools/semgrep.yml b/tools/semgrep.yml
index 77123f831c..94982715ed 100644
--- a/tools/semgrep.yml
+++ b/tools/semgrep.yml
@@ -72,6 +72,8 @@ rules:
       - pattern: ... .execute("...".format(...))
       - pattern: psycopg2.sql.SQL(... % ...)
       - pattern: psycopg2.sql.SQL(... .format(...))
+      - pattern: django.db.migrations.RunSQL(..., ... % ..., ...)
+      - pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)
     severity: ERROR
     message: "Do not write a SQL injection vulnerability please"
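Review bot: `""", database_setting)]),` hands the whole `DATABASES["default"]` mapping — PASSWORD and OPTIONS included — to the driver as query parameters when only USER and SCHEMA are referenced. psycopg2 renders just the keys the query names, so nothing ends up in the statement, but any layer that records query parameters (debug toolbar, APM/tracing, a wrapped cursor) may capture the full dict along with the secret. A narrower mapping keeps it out of that path: `sql_params = {"USER": database_setting["USER"], "SCHEMA": database_setting["SCHEMA"]}` next to the `database_setting` assignment, passed in place of `database_setting` in both tuples. The `database_setting` assignment and the forward tuple are in earlier hunks, outside this one.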