From ca9ff11fd4f67b77ff88a071413a16310e9c14b6 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 24 Feb 2021 11:03:36 +0100
Subject: [PATCH] [security] fix possible sql injection
---
 CHANGELOG.md | 3 +++
 config/initializers/postgresql_database_tasks.rb | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f0aa65d2..534f782db 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog Fab-manager
+## Next release
+- Fix a security issue: possible SQL injection when dropping the database
+
 ## v4.7.1 2021 February 24
 - Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168)
diff --git a/config/initializers/postgresql_database_tasks.rb b/config/initializers/postgresql_database_tasks.rb
index 8883701bb..4616148e7 100644
--- a/config/initializers/postgresql_database_tasks.rb
+++ b/config/initializers/postgresql_database_tasks.rb
@@ -1,11 +1,21 @@
+# frozen_string_literal: true
+
 module ActiveRecord
 module Tasks
+# The following magic allows to drop a PG database even if a connection exists
+# @see https://stackoverflow.com/a/38710021
 class PostgreSQLDatabaseTasks
+include ActiveRecord::Sanitization::ClassMethods
+
 def drop
 establish_master_connection
-connection.select_all "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname='#{configuration['database']}' AND state='idle';"
+q = sanitize_sql_array [
+"select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname= ? AND state='idle';",
+configuration['database']
+]
+connection.select_all q
 connection.drop_database configuration['database']
 end
 end
 end
-end
\ No newline at end of file
+end
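Review bot: The `include ActiveRecord::Sanitization::ClassMethods` line pulls a model-level class mixin into a Rails-internal task object just to reach `sanitize_sql_array`, and that helper quotes its bind values through whatever `connection` means on this object; it presumably resolves to the master connection opened by `establish_master_connection`, but that is an implicit dependency on Rails internals that should be confirmed for the Rails version in use and may break on upgrade. The same parameterization with fewer moving parts is to quote on the connection the query is actually sent over, `q = "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname = #{connection.quote(configuration['database'])} AND state='idle';"` followed by `connection.select_all q`, with the include dropped. Separately, the `state='idle'` filter leaves active and idle-in-transaction sessions alive, so `drop_database` on the next line can still fail with the database being accessed by other users despite the header comment's promise; a comment such as `# only idle sessions are terminated; active or idle-in-transaction ones still block DROP DATABASE` would make that limit explicit, and note that PostgreSQL also requires the task role to own the target backends or hold superuser/pg_signal_backend privileges for the terminate to take effect.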