Description
Context
This issue tracks security improvements for the database initialization script as discussed in PR #469.
Issues to Address
1. SQL Injection Risk
The database name $db is interpolated directly into the SQL query without proper escaping (line 24). While the source is an environment variable, this violates security best practices and could fail or behave unexpectedly if the database name contains special characters like single quotes.
Recommendation: Use psql's variable substitution mechanism (e.g., -v DB="$db" and refer to it as :'DB' in the SQL) or validate database names against a strict safe regex (e.g., allow only [A-Za-z0-9_]+) before using them.
2. Error Suppression Hiding Failures
The 2>/dev/null on line 24 silently discards stderr, which could hide real errors (e.g., postgres service unavailable, permission denied, psql not found). If the query fails for a reason other than "database doesn't exist," the error won't be visible, and the script will proceed to attempt creation anyway.
Recommendation: Capture stderr separately or log it for debugging, while keeping the ON_ERROR_STOP=0 logic for graceful handling of "database not found" scenarios.
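An added example that applies both recommendations together (not the script from PR #469): the name is checked against a strict allow-list, passed to psql with -v and referenced as :'DB', and stderr is appended to a log instead of being sent to /dev/null. It assumes the database name arrives in $db, that existence is decided by a query against pg_database, and that the caller supplies the log path.

```shell
#!/bin/sh
# Added example, not the init script from PR #469. Assumptions: the database
# name arrives in $db, the existence test is a query against pg_database (the
# original script's query is not shown in the issue), and the log file path
# is supplied by the caller.

# Strict allow-list for the name: letters, digits and underscores only.
validate_db_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# db_exists NAME LOGFILE
# Exit status: 0 = exists, 1 = does not exist, 2 = unsafe name or psql error.
# The name goes in via -v and is referenced as :'DB', so psql quotes it as a
# SQL literal instead of the shell splicing it into the query text. stderr is
# appended to LOGFILE rather than discarded, so a refused connection or a
# missing psql binary is visible instead of being mistaken for "no database".
db_exists() {
    _db="$1"
    _log="$2"
    if ! validate_db_name "$_db"; then
        echo "refusing unsafe database name: $_db" >&2
        return 2
    fi
    # psql -c does not interpolate :variables, so the query is fed on stdin.
    _count=$(printf '%s\n' "SELECT count(*) FROM pg_database WHERE datname = :'DB';" \
        | "${PSQL:-psql}" -X -tA -v ON_ERROR_STOP=1 -v DB="$_db" 2>>"$_log") || {
        echo "psql failed for $_db; see $_log" >&2
        return 2
    }
    [ "$_count" = "1" ]
}

# Typical use in an init script:
# db_exists "$db" /var/log/db_init.log
# case $? in
#     0) echo "database $db already exists" ;;
#     1) createdb "$db" ;;
#     *) exit 1 ;;
# esac
```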
References
- PR: refactor:control-panel #469
- Discussion: refactor:control-panel #469 (comment)
- Requested by: @sosweetham
Priority
Low - This is a convenience script not currently used in production.