Merge pull request #68 from NikolayS/security/fix-sql-injection-vulnerabilities

feat(roles): add role management to menu and improve security

Author: NikolayS

init/generate.sh

@@ -16,6 +16,10 @@ cat > "$WARMUP" <<- VersCheck
   select 1/0;
 \endif
 
+select current_setting('server_version_num')::integer >= 170000 as postgres_dba_pgvers_17plus \gset
+
+select current_setting('server_version_num')::integer >= 130000 as postgres_dba_pgvers_13plus \gset
+
 select current_setting('server_version_num')::integer >= 100000 as postgres_dba_pgvers_10plus \gset
 \if :postgres_dba_pgvers_10plus
   \set postgres_dba_last_wal_receive_lsn pg_last_wal_receive_lsn

roles/alter_user_with_random_password.psql

@@ -43,17 +43,17 @@ begin
     j := int4(random() * allowed_len);
     pwd := pwd || substr(allowed, j+1, 1);
   end loop;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text || ' password ''' || pwd || ''';';
+  sql := format('alter role %I password %L', current_setting('postgres_dba.username')::text, pwd);
   raise debug 'SQL: %', sql;
   execute sql;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
-    || ';';
+  sql := format('alter role %I%s', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end));
   raise debug 'SQL: %', sql;
   execute sql;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
-    || ';';
+  sql := format('alter role %I%s', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end));
   raise debug 'SQL: %', sql;
   execute sql;
   raise debug 'User % altered, password: %', current_setting('postgres_dba.username')::text, pwd;

roles/create_user_with_random_password.psql

@@ -43,10 +43,11 @@ begin
     j := int4(random() * allowed_len);
     pwd := pwd || substr(allowed, j+1, 1);
   end loop;
-  sql := 'create role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
-    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
-    || ' password ''' || pwd || ''';';
+  sql := format('create role %I%s%s password %L', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end),
+    (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end),
+    pwd);
   raise debug 'SQL: %', sql;
   execute sql;
   raise info 'User % created, password: %', current_setting('postgres_dba.username')::text, pwd;

sql/0_node.sql

@@ -1,4 +1,4 @@
---Node & current DB information: master/replica, lag, DB size, tmp files, etc.
+--Node and current database information: primary/replica, lag, database size, temporary files, etc.
 
 /*
 For Postgres versions older than 10, run this first:

sql/a1_activity.sql

@@ -1,4 +1,4 @@
---Current activity: count of current connections grouped by database, user name, state
+--Current activity: count of current connections grouped by database, username, state
 select
   coalesce(usename, '** ALL users **') as "User",
   coalesce(datname, '** ALL databases **') as "DB",

sql/e1_extensions.sql

@@ -1,4 +1,4 @@
---Extensions installed in current DB
+--Extensions installed in current database
 
 select
   ae.name,

sql/i3_non_indexed_fks.sql

@@ -1,4 +1,4 @@
---FKs with Missing/Bad Indexes
+--Foreign keys with missing or bad indexes
 
 --Created by PostgreSQL Experts https://github.com/pgexperts/pgx_scripts/blob/master/indexes/fk_no_index.sql
 

sql/l1_lock_trees.sql

@@ -1,4 +1,4 @@
---Lock trees (leightweight)
+--Lock trees (lightweight)
 
 -- Source: https://github.com/dataegret/pg-utils/blob/master/sql/locktree.sql
 -- The paths won't be precise but this query is very light and may be used quite frequently

sql/r1_create_user_with_random_password.sql

@@ -0,0 +1,2 @@
+--Create user with random password (interactive)
+\ir ../roles/create_user_with_random_password.psql

sql/r2_alter_user_with_random_password.sql

@@ -0,0 +1,2 @@
+--Alter user with random password (interactive)
+\ir ../roles/alter_user_with_random_password.psql