
Commit e645359

author
jmccormick2001
committed
fix add user injection and also add validation of dbname
1 parent 216a24a commit e645359


2 files changed

+44
-3
lines changed


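--- a/apiserver/upgradeservice/upgradeimpl.go
+++ b/apiserver/upgradeservice/upgradeimpl.go
@@ -53,8 +53,13 @@ func ShowUpgrade(name string) msgs.ShowUpgradeResponse {
 log.Debug("upgrades found len is %d\n", len(response.UpgradeList.Items))
 } else {
 upgrade := crv1.Pgupgrade{}
-_, err := kubeapi.Getpgupgrade(apiserver.RESTClient,
+found, err := kubeapi.Getpgupgrade(apiserver.RESTClient,
 &upgrade, name, apiserver.Namespace)
+if !found {
+response.Status.Code = msgs.Error
+response.Status.Msg = "upgrade not found"
+return response
+}
 if err != nil {
 response.Status.Code = msgs.Error
 response.Status.Msg = err.Error()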
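Review bot: The `if !found` block added at new lines 58-62 runs before the existing `if err != nil` at 63, so a lookup that fails for any other reason (an API-server error, with `found` presumably left false by Getpgupgrade) is reported to the caller as "upgrade not found" and the real error is discarded. Examine the error first and only then the not-found case: move `if err != nil { ... }` above `if !found { ... }`, so a transport or permission failure is surfaced as itself rather than masquerading as a missing resource. ShowUpgrade continues past the end of this hunk.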

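--- a/apiserver/userservice/userimpl.go
+++ b/apiserver/userservice/userimpl.go
@@ -18,6 +18,7 @@ limitations under the License.
 import (
 //libpq uses this blank import
 "database/sql"
+"errors"
 "fmt"
 log "github.com/Sirupsen/logrus"
 crv1 "github.com/crunchydata/postgres-operator/apis/cr/v1"
@@ -29,6 +30,7 @@ import (
 meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 "strconv"
+"strings"
 "time"
 )
 
@@ -363,8 +365,42 @@ func addUser(request *msgs.CreateUserRequest, namespace, clusterName string, inf
 }
 
 var rows *sql.Rows
+var querystr string
 
-querystr := "create user " + request.Name
+if request.Name != "" {
+parts := strings.Split(request.Name, " ")
+if len(parts) > 1 {
+return errors.New("invalid user name format, can not container special characters")
+}
+}
+//validate userdb if entered
+if request.UserDBAccess != "" {
+parts := strings.Split(request.UserDBAccess, " ")
+if len(parts) > 1 {
+return errors.New("invalid db name format, can not container special characters")
+}
+querystr = "select count(datname) from pg_catalog.pg_database where datname = '" + request.UserDBAccess + "'"
+log.Debug(querystr)
+rows, err = conn.Query(querystr)
+if err != nil {
+log.Error(err.Error())
+return err
+}
+var returnedName int
+for rows.Next() {
+err = rows.Scan(&returnedName)
+if err != nil {
+log.Error(err)
+return err
+}
+log.Debug(" returned name %d", returnedName)
+if returnedName == 0 {
+return errors.New("dbname is not valid database name")
+}
+}
+}
+
+querystr = "create user " + request.Name
 log.Debug(querystr)
 rows, err = conn.Query(querystr)
 if err != nil {
@@ -494,7 +530,7 @@ func CreateUser(request *msgs.CreateUserRequest) msgs.CreateUserResponse {
 return resp
 }
 
-log.Debug("createUser clusters found len is %d\n", len(clusterList.Items))
+log.Debugf("createUser clusters found len is %d", len(clusterList.Items))
 
 for _, c := range clusterList.Items {
 info := getPostgresUserInfo(apiserver.Namespace, c.Name)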
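Review bot: The checks added at new lines 370-381 of the addUser hunk only reject a value that contains an ASCII space, so the string-built SQL at 382 and 403 is still injectable: a name such as `x';--` or `a;drop` has no space and is spliced into the statement unchanged, and a db name containing a single quote breaks out of the literal at 382 (tabs and newlines pass the split as well). The pg_database lookup should bind its value instead of quoting it by hand, `conn.Query("select count(datname) from pg_catalog.pg_database where datname = $1", request.UserDBAccess)`, and since an identifier in `create user` cannot be bound, both fields should be gated by a strict allowlist rather than a space check, e.g. a package-level `regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)` (adding `"regexp"` to the import block), or quoted with the driver's identifier-quoting helper if the blank-imported libpq driver provides one. Separately, the `return errors.New("dbname is not valid database name")` at 398 exits the `rows.Next()` loop without `rows.Close()`, so the count query's result set and its pooled connection stay open; close it before `rows` is reused at 405. The error strings at 373 and 380 read "can not container", presumably "can not contain". addUser starts and ends outside this hunk.
```go
// identifiers cannot be bound as query parameters, so only plain SQL identifiers are accepted
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// … unchanged: start of addUser body …
if request.Name != "" && !identRe.MatchString(request.Name) {
	return errors.New("invalid user name format, can not contain special characters")
}
//validate userdb if entered
if request.UserDBAccess != "" {
	if !identRe.MatchString(request.UserDBAccess) {
		return errors.New("invalid db name format, can not contain special characters")
	}
	// bind the value; never splice it into the literal
	querystr = "select count(datname) from pg_catalog.pg_database where datname = $1"
	rows, err = conn.Query(querystr, request.UserDBAccess)
	if err != nil {
		log.Error(err.Error())
		return err
	}
	defer rows.Close() // also covers the early return when the count is 0
	// … unchanged: row scan and count check …
}
```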
