rooty/fab-manager
1
0
Fork 0
mirror of https://github.com/LaCasemate/fab-manager.git synced 2025-01-17 06:52:27 +01:00
Code Issues Releases Activity

[security] fix possible sql injection

Browse Source
This commit is contained in:
Sylvain 2021-02-24 11:03:36 +01:00
parent 2b457f3b06
commit ca9ff11fd4
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@ -1,5 +1,8 @@
# Changelog Fab-manager
## Next release
- Fix a security issue: possible SQL injection when dropping the database
## v4.7.1 2021 February 24
- Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168)

14
config/initializers/postgresql_database_tasks.rb
View File

@ -1,11 +1,21 @@
# frozen_string_literal: true
module ActiveRecord
module Tasks
# The following magic allows to drop a PG database even if a connection exists
# @see https://stackoverflow.com/a/38710021
class PostgreSQLDatabaseTasks
include ActiveRecord::Sanitization::ClassMethods
def drop
establish_master_connection
connection.select_all "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname='#{configuration['database']}' AND state='idle';"
q = sanitize_sql_array [
"select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname= ? AND state='idle';",
configuration['database']
]
connection.select_all q
connection.drop_database configuration['database']
end
end
end
end
end