Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

migrations: Escape more pedantically in pgroonga.0003_v2_api_upgrade. 

Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg 2020-06-13 19:05:38 -07:00 committed by Anders Kaseorg
parent 0cc897d08d
commit 674158b817
2 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pgroonga/migrations/0003_v2_api_upgrade.py
View File

@ -11,24 +11,28 @@ class Migration(migrations.Migration):
database_setting = settings.DATABASES["default"] database_setting = settings.DATABASES["default"]
operations = [ operations = [
migrations.RunSQL([""" migrations.RunSQL([("""
ALTER ROLE %(USER)s SET search_path TO %(SCHEMA)s,public; DO $$BEGIN
EXECUTE format('ALTER ROLE %%I SET search_path TO %%L,public', %(USER)s, %(SCHEMA)s);
SET search_path = %(SCHEMA)s,public; SET search_path = %(SCHEMA)s,public;
DROP INDEX zerver_message_search_pgroonga; DROP INDEX zerver_message_search_pgroonga;
""" % database_setting, """ END$$
""", database_setting), """
CREATE INDEX CONCURRENTLY zerver_message_search_pgroonga ON zerver_message CREATE INDEX CONCURRENTLY zerver_message_search_pgroonga ON zerver_message
USING pgroonga(search_pgroonga pgroonga_text_full_text_search_ops_v2); USING pgroonga(search_pgroonga pgroonga_text_full_text_search_ops_v2);
"""], """],
[""" [("""
ALTER ROLE %(USER)s SET search_path TO %(SCHEMA)s,public,pgroonga,pg_catalog; DO $$BEGIN
EXECUTE format('ALTER ROLE %%I SET search_path TO %%L,public,pgroonga,pg_catalog', %(USER)s, %(SCHEMA)s);
SET search_path = %(SCHEMA)s,public,pgroonga,pg_catalog; SET search_path = %(SCHEMA)s,public,pgroonga,pg_catalog;
DROP INDEX zerver_message_search_pgroonga; DROP INDEX zerver_message_search_pgroonga;
""" % database_setting, """ END$$
""", database_setting), """
CREATE INDEX CONCURRENTLY zerver_message_search_pgroonga ON zerver_message CREATE INDEX CONCURRENTLY zerver_message_search_pgroonga ON zerver_message
USING pgroonga(search_pgroonga pgroonga.text_full_text_search_ops); USING pgroonga(search_pgroonga pgroonga.text_full_text_search_ops);

2
tools/semgrep.yml
View File

@ -74,6 +74,8 @@ rules:
- pattern: psycopg2.sql.SQL(... .format(...)) - pattern: psycopg2.sql.SQL(... .format(...))
- pattern: django.db.migrations.RunSQL(..., ... % ..., ...) - pattern: django.db.migrations.RunSQL(..., ... % ..., ...)
- pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...) - pattern: django.db.migrations.RunSQL(..., "..." .format(...), ...)
- pattern: django.db.migrations.RunSQL(..., [..., ... % ..., ...], ...)
- pattern: django.db.migrations.RunSQL(..., [..., "..." .format(...), ...], ...)
severity: ERROR severity: ERROR
message: "Do not write a SQL injection vulnerability please" message: "Do not write a SQL injection vulnerability please"