(maint) Codebase Hardening

Changes made to ensure that no malformed commands are passed through to the system.
Certain commands were left undivided as the commands did not get correctly interpreted and so a shell_escape was used instead.

Author: david22swan

manifests/server/config.pp

@@ -142,8 +142,11 @@
 
     ensure_packages([$package_name])
 
+    $exec_command = ['/usr/sbin/semanage', 'port', '-a', '-t', 'postgresql_port_t', '-p', 'tcp', $port]
+    $exec_unless = "/usr/sbin/semanage port -l | grep -qw ${port}"
     exec { "/usr/sbin/semanage port -a -t postgresql_port_t -p tcp ${port}":
-      unless  => "/usr/sbin/semanage port -l | grep -qw ${port}",
+      command => $exec_command,
+      unless  => $exec_unless,
       before  => Postgresql::Server::Config_entry['port'],
       require => Package[$package_name],
     }
@@ -218,8 +221,9 @@
     #
     # This can be removed when Puppet < 6.1 support is dropped *and* the file
     # old-systemd-override is removed.
+    $systemd_command = ['systemctl', 'daemon-reload']
     exec { 'restart-systemd':
-      command     => 'systemctl daemon-reload',
+      command     => $systemd_command,
       refreshonly => true,
       path        => '/bin:/usr/bin:/usr/local/bin',
       before      => Class['postgresql::server::service'],

manifests/server/config_entry.pp

@@ -98,10 +98,13 @@
   # is managed for us in postgresql::server::config.
   if $facts['os']['name'] == 'Debian' or $facts['os']['name'] == 'Ubuntu' {
     if $name == 'data_directory' {
+      $stop_command = ['service', $postgresql::server::service_name, 'stop']
+      $stop_onlyif = ['service', $postgresql::server::service_name, 'status']
+      $stop_unless = [['grep', "data_directory = '${value}'", $postgresql::server::postgresql_conf_path]]
       exec { "postgresql_stop_${name}":
-        command => "service ${postgresql::server::service_name} stop",
-        onlyif  => "service ${postgresql::server::service_name} status",
-        unless  => "grep \"data_directory = '${value}'\" ${postgresql::server::postgresql_conf_path}",
+        command => $stop_command,
+        onlyif  => $stop_onlyif,
+        unless  => $stop_unless,
         path    => '/usr/sbin:/sbin:/bin:/usr/bin:/usr/local/bin',
         before  => Postgresql_conf[$name],
       }
@@ -111,10 +114,13 @@
       # We need to force postgresql to stop before updating the port
       # because puppet becomes confused and is unable to manage the
       # service appropriately.
+      $stop_command = ['service', $postgresql::server::service_name, 'stop']
+      $stop_onlyif = ['service', $postgresql::server::service_name, 'status']
+      $stop_unless = "grep 'PGPORT=${shell_escape($value)}' /etc/sysconfig/pgsql/postgresql"
       exec { "postgresql_stop_${name}":
-        command => "service ${postgresql::server::service_name} stop",
-        onlyif  => "service ${postgresql::server::service_name} status",
-        unless  => "grep 'PGPORT=${value}' /etc/sysconfig/pgsql/postgresql",
+        command => $stop_command,
+        onlyif  => $stop_onlyif,
+        unless  => $stop_unless,
         path    => '/sbin:/bin:/usr/bin:/usr/local/bin',
         require => File['/etc/sysconfig/pgsql/postgresql'],
       }
@@ -130,10 +136,13 @@
     } elsif $name == 'data_directory' {
       # We need to force postgresql to stop before updating the data directory
       # otherwise init script breaks
+      $stop_command = ['service', $postgresql::server::service_name, 'stop']
+      $stop_onlyif = ['service', $postgresql::server::service_name, 'status']
+      $stop_unless = [['grep', "PGDATA=${value}", '/etc/sysconfig/pgsql/postgresql']]
       exec { "postgresql_${name}":
-        command => "service ${postgresql::server::service_name} stop",
-        onlyif  => "service ${postgresql::server::service_name} status",
-        unless  => "grep 'PGDATA=${value}' /etc/sysconfig/pgsql/postgresql",
+        command => $stop_command,
+        onlyif  => $stop_onlyif,
+        unless  => $stop_unless,
         path    => '/sbin:/bin:/usr/bin:/usr/local/bin',
         require => File['/etc/sysconfig/pgsql/postgresql'],
       }

manifests/server/passwd.pp

@@ -16,7 +16,7 @@
   # psql will default to connecting as $user if you don't specify name
   $_datbase_user_same = $database == $user
   $_dboption = $_datbase_user_same ? {
-    false => " --dbname ${database}",
+    false => " --dbname ${shell_escape($database)}",
     default => ''
   }
 
@@ -26,10 +26,11 @@
     #  without specifying a password ('ident' or 'trust' security). This is
     #  the default for pg_hba.conf.
     $escaped = postgresql::postgresql_escape($postgres_password)
+    $exec_command = "${shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\""
     exec { 'set_postgres_postgrespw':
       # This command works w/no password because we run it as postgres system
       # user
-      command     => "${psql_path}${_dboption} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"",
+      command     => $exec_command,
       user        => $user,
       group       => $group,
       logoutput   => true,

manifests/validate_db_connection.pp

@@ -44,29 +44,29 @@
   $module_workdir = $postgresql::params::module_workdir
   $validcon_script_path = $postgresql::client::validcon_script_path
 
-  $cmd_init = "${psql_path} --tuples-only --quiet "
+  $cmd_init = "${psql_path} --tuples-only --quiet"
   $cmd_host = $database_host ? {
     undef   => '',
-    default => "-h ${database_host} ",
+    default => "-h ${database_host}",
   }
   $cmd_user = $database_username ? {
     undef   => '',
-    default => "-U ${database_username} ",
+    default => "-U ${database_username}",
   }
   $cmd_port = $database_port ? {
     undef   => '',
-    default => "-p ${database_port} ",
+    default => "-p ${database_port}",
   }
   $cmd_dbname = $database_name ? {
-    undef   => "--dbname ${postgresql::params::default_database} ",
-    default => "--dbname ${database_name} ",
+    undef   => "--dbname ${postgresql::params::default_database}",
+    default => "--dbname ${database_name}",
   }
   $pass_env = $database_password_unsensitive ? {
     undef   => undef,
     default => "PGPASSWORD=${database_password_unsensitive}",
   }
   $cmd = join([$cmd_init, $cmd_host, $cmd_user, $cmd_port, $cmd_dbname], ' ')
-  $validate_cmd = "${validcon_script_path} ${sleep} ${tries} '${cmd}'"
+  $validate_cmd = [$validcon_script_path, $sleep, $tries, $cmd]
 
   # This is more of a safety valve, we add a little extra to compensate for the
   # time it takes to run each psql command.
@@ -86,9 +86,10 @@
   }
 
   $exec_name = "validate postgres connection for ${database_username}@${database_host}:${database_port}/${database_name}"
+  $exec_command = "echo 'Unable to connect to defined database using: ${shell_escape($cmd)}' && false"
 
   exec { $exec_name:
-    command     => "echo 'Unable to connect to defined database using: ${cmd}' && false",
+    command     => $exec_command,
     unless      => $validate_cmd,
     cwd         => $module_workdir,
     environment => $env,

spec/classes/server/config_spec.rb

@@ -41,7 +41,7 @@
 
       it 'has systemctl restart command' do
         is_expected.to contain_exec('restart-systemd').with(
-          command: 'systemctl daemon-reload',
+          command: ['systemctl', 'daemon-reload'],
           refreshonly: true,
           path: '/bin:/usr/bin:/usr/local/bin',
         )

spec/classes/server_spec.rb

@@ -83,7 +83,7 @@ class { 'postgresql::globals':
       is_expected.to contain_postgresql_conn_validator('validate_service_is_running')
     end
     it 'sets postgres password' do
-      is_expected.to contain_exec('set_postgres_postgrespw').with('command' => '/usr/bin/psql -c "ALTER ROLE \"postgres\" PASSWORD ${NEWPASSWD_ESCAPED}"',
+      is_expected.to contain_exec('set_postgres_postgrespw').with('command' => ['/usr/bin/psql -c "ALTER ROLE \"postgres\" PASSWORD ${NEWPASSWD_ESCAPED}"'],
                                                                   'user'        => 'postgres',
                                                                   'environment' => ['PGPASSWORD=new-p@s$word-to-set', 'PGPORT=5432', 'NEWPASSWD_ESCAPED=$$new-p@s$word-to-set$$'],
                                                                   'unless' => "/usr/bin/psql -h localhost -p 5432 -c 'select 1' > /dev/null")

spec/defines/validate_db_connection_spec.rb

@@ -30,7 +30,10 @@
     it { is_expected.to contain_postgresql__validate_db_connection('test') }
 
     it 'has proper path for validate command' do
-      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: %r{^/usr/local/bin/validate_postgresql_connection.sh\s+\d+})
+      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: ['/usr/local/bin/validate_postgresql_connection.sh',
+                                                                                                        4,
+                                                                                                        30,
+                                                                                                        '/usr/bin/psql --tuples-only --quiet -h test -U test -p 5432 --dbname test'])
     end
   end
 
@@ -55,7 +58,10 @@ class { 'postgresql::client': validcon_script_path => '/opt/something/validate.s
     end
 
     it 'has proper path for validate command and correct cwd' do
-      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: %r{^/opt/something/validate.sh\s+\d+},
+      is_expected.to contain_exec('validate postgres connection for test@test:5432/test').with(unless: ['/opt/something/validate.sh',
+                                                                                                        2,
+                                                                                                        10,
+                                                                                                        '/usr/bin/psql --tuples-only --quiet -h test -U test -p 5432 --dbname test'],
                                                                                                cwd: '/var/tmp')
     end
   end