[security] fix possible sql injection

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog Fab-manager
 
+## Next release
+- Fix a security issue: possible SQL injection when dropping the database
+
 ## v4.7.1 2021 February 24
 - Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168)
 

config/initializers/postgresql_database_tasks.rb

@@ -1,9 +1,19 @@
+# frozen_string_literal: true
+
 module ActiveRecord
   module Tasks
+    # The following magic allows to drop a PG database even if a connection exists
+    # @see https://stackoverflow.com/a/38710021
     class PostgreSQLDatabaseTasks
+      include ActiveRecord::Sanitization::ClassMethods
+
       def drop
         establish_master_connection
-        connection.select_all "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname='#{configuration['database']}' AND state='idle';"
+        q = sanitize_sql_array [
+          "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname= ? AND state='idle';",
+          configuration['database']
+        ]
+        connection.select_all q
         connection.drop_database configuration['database']
       end
     end