🔒 SECURITY: Fix SQL injection vulnerabilities in role management

NikolayS · claude · NikolayS · commit 62376b044285 · 2025-09-29T16:51:31.000-07:00
**Critical Security Fixes:**
- Fix 5 SQL injection vulnerabilities in user/password management scripts
- Replace dangerous string concatenation with secure format() function
- Use %I placeholder for safe identifier handling (usernames)
- Use %L placeholder for safe literal handling (passwords)

**Files Fixed:**
- roles/alter_user_with_random_password.psql (3 vulnerabilities)
- roles/create_user_with_random_password.psql (2 vulnerabilities)

**Security Impact:**
- Prevents username injection attacks
- Prevents password injection attacks
- Eliminates potential privilege escalation
- Blocks arbitrary SQL command execution

**Technical Details:**
Before (vulnerable):
```sql
sql := 'alter role ' || username || ' password ''' || pwd || ''';';
```

After (secure):
```sql
sql := format('alter role %I password %L', username, pwd);
```

This comprehensive fix addresses all identified SQL injection attack vectors
in the postgres_dba codebase, ensuring safe role management operations.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/roles/alter_user_with_random_password.psql b/roles/alter_user_with_random_password.psql
@@ -43,17 +43,17 @@ begin
     j := int4(random() * allowed_len);
     pwd := pwd || substr(allowed, j+1, 1);
   end loop;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text || ' password ''' || pwd || ''';';
+  sql := format('alter role %I password %L', current_setting('postgres_dba.username')::text, pwd);
   raise debug 'SQL: %', sql;
   execute sql;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
-    || ';';
+  sql := format('alter role %I%s', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end));
   raise debug 'SQL: %', sql;
   execute sql;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
-    || ';';
+  sql := format('alter role %I%s', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end));
   raise debug 'SQL: %', sql;
   execute sql;
   raise debug 'User % altered, password: %', current_setting('postgres_dba.username')::text, pwd;
diff --git a/roles/create_user_with_random_password.psql b/roles/create_user_with_random_password.psql
@@ -43,10 +43,11 @@ begin
     j := int4(random() * allowed_len);
     pwd := pwd || substr(allowed, j+1, 1);
   end loop;
-  sql := 'create role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
-    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
-    || ' password ''' || pwd || ''';';
+  sql := format('create role %I%s%s password %L', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end),
+    (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end),
+    pwd);
   raise debug 'SQL: %', sql;
   execute sql;
   raise info 'User % created, password: %', current_setting('postgres_dba.username')::text, pwd;
