Use psycopg.conninfo.make_conninfo() to create PostgreSQL connection string #209
Pull Request Test Coverage Report for Build 21264655225 (Coveralls)
Hi Shane @jsf9k, just one comment: in the src/guacscanner/guacscanner.py file, the instances where cursor.execute(ENTITY_COUNT_QUERY, (entity_name, entity_type)) is used are examples of string concatenation, which is a possible vulnerability for SQL injection. What are your thoughts?
In this project I think it's OK. The values being concatenated do not originate from users but from the AWS API, and the latter is a trusted source.
dav3r left a comment:
Makes sense, but we should still test that this actually works as intended.
The only real way to test is to add a backslash to the PostgreSQL password in, say, our dev-a COOL environment. I will get @dav3r's assistance with that when we finish up the current cisagov/skeleton-packer Lineage wave.
519f564 to d5dd863
Pull request overview
Updates PostgreSQL connection string construction to use a raw f-string, aiming to avoid accidental escape-sequence interpretation when credentials contain backslashes.
Changes:
- Switched the DSN construction from an f-string to a raw f-string (rf"")
- Added an explanatory comment about backslashes in passwords
Comments suppressed due to low confidence (1)
src/guacscanner/guacscanner.py:772
- This comment states the raw string is needed to avoid Python string escape handling due to backslashes in the password, but that isn’t accurate for f-string interpolation (the password is a runtime value). Consider updating the comment to describe the actual escaping/quoting concern (conninfo parsing), or remove it if you switch to passing connection parameters instead of building a DSN string.
# We use a raw string here since the password, in particular, could contain
# a literal backslash.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
dba7b67 to c9dda8e
The password, in particular, may contain backslash literals. This will ensure that such backslashes are not treated as the first character in a Python escape sequence.
This avoids prematurely treating backslashes as escapes.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
5456213 to c9dda8e
🗣 Description
This pull request modifies the Python code to use psycopg.conninfo.make_conninfo() to create the PostgreSQL connection string.
💭 Motivation and context
If the PostgreSQL password, for example, contains a literal backslash (\) character, then we do not want it to be interpreted as the first character in a Python string escape sequence.
It is highly unlikely that anyone would choose a host name, database name, username, or password that genuinely contains special characters like \n, \t, etc.; therefore, it should be safe to treat all backslashes in the PostgreSQL connection string as literal backslashes.
🧪 Testing
All automated tests pass.
✅ Pre-approval checklist
✅ Pre-merge checklist
✅ Post-merge checklist
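Added illustration, not code from the PR or from psycopg: a small reimplementation of libpq's keyword=value quoting and parsing rules (own simplified code, keywords limited to word characters), showing that in an unquoted DSN a backslash in the password is consumed by libpq's own escape handling at parse time, not by Python's string literal rules, while quoting every value the way make_conninfo() does round-trips it. The parameter values are constructed samples.

```python
import re

# Constructed sample parameters (not from the PR); the password holds a
# literal backslash, a space and a single quote to exercise the edge cases.
PARAMS = {"host": "db.example.internal", "user": "guacamole",
          "password": "p\\a ss'wd"}

# keyword=value where value is single-quoted (backslash escapes inside) or
# unquoted (ends at whitespace, backslash escapes, must not start with ').
_PAIR = re.compile(r"\s*(\w+)\s*=\s*('(?:\\.|[^'\\])*'|(?!')(?:\\.|[^\s\\])*)")


def quote_value(value: str) -> str:
    """libpq value quoting (own reimplementation, not psycopg's code): escape
    backslash and quote; single-quote the value if it is empty or contains
    whitespace, a quote or a backslash."""
    if value == "":
        return "''"
    escaped = re.sub(r"([\\'])", r"\\\1", value)
    return f"'{escaped}'" if re.search(r"[\s'\\]", value) else escaped


def make_dsn(params: dict) -> str:
    """Conninfo string with every value quoted, as make_conninfo() does."""
    return " ".join(f"{k}={quote_value(v)}" for k, v in params.items())


def naive_dsn(params: dict) -> str:
    """The pre-fix pattern: values interpolated with no quoting at all."""
    return " ".join(f"{k}={v}" for k, v in params.items())


def parse_dsn(dsn: str) -> dict:
    """Minimal parser following libpq's conninfo rules; raises ValueError
    where libpq would also reject the string (e.g. a word with no '=')."""
    out, pos = {}, 0
    while pos < len(dsn) and not dsn[pos:].isspace():
        m = _PAIR.match(dsn, pos)
        if not m:
            raise ValueError(f"invalid conninfo near {dsn[pos:]!r}")
        key, raw = m.groups()
        if raw.startswith("'"):
            raw = raw[1:-1]
        out[key] = re.sub(r"\\(.)", r"\1", raw)  # drop the escaping backslash
        pos = m.end()
    return out


def naive_roundtrip(params: dict):
    """What libpq would see from the unquoted DSN; None if it fails to parse."""
    try:
        return parse_dsn(naive_dsn(params))
    except ValueError:
        return None
```

With the sample password, naive_roundtrip(PARAMS) returns None because the unquoted value ends at the space and the leftover ss'wd has no '='; with a backslash but no space the connection still "works" and the password is silently changed from p\ass to pass.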