fix(roles): SQL injection in role management

NikolayS · claude · NikolayS · commit a269478be6fe · 2025-09-29T17:03:29.000-07:00
Replace string concatenation with format() function in role management
scripts to prevent SQL injection with special characters in usernames
or passwords.

Use %I for identifier quoting and %L for literal escaping. While these
scripts are intended for DBA use in interactive sessions, using format()
is better practice and handles edge cases with special characters.

Files modified:
- roles/alter_user_with_random_password.psql
- roles/create_user_with_random_password.psql

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/roles/alter_user_with_random_password.psql b/roles/alter_user_with_random_password.psql
@@ -43,17 +43,17 @@ begin
     j := int4(random() * allowed_len);
     pwd := pwd || substr(allowed, j+1, 1);
   end loop;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text || ' password ''' || pwd || ''';';
+  sql := format('alter role %I password %L', current_setting('postgres_dba.username')::text, pwd);
   raise debug 'SQL: %', sql;
   execute sql;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
-    || ';';
+  sql := format('alter role %I%s', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end));
   raise debug 'SQL: %', sql;
   execute sql;
-  sql := 'alter role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
-    || ';';
+  sql := format('alter role %I%s', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end));
   raise debug 'SQL: %', sql;
   execute sql;
   raise debug 'User % altered, password: %', current_setting('postgres_dba.username')::text, pwd;
diff --git a/roles/create_user_with_random_password.psql b/roles/create_user_with_random_password.psql
@@ -43,10 +43,11 @@ begin
     j := int4(random() * allowed_len);
     pwd := pwd || substr(allowed, j+1, 1);
   end loop;
-  sql := 'create role ' || current_setting('postgres_dba.username')::text
-    || (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end)
-    || (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end)
-    || ' password ''' || pwd || ''';';
+  sql := format('create role %I%s%s password %L', 
+    current_setting('postgres_dba.username')::text,
+    (case when lower(current_setting('postgres_dba.is_superuser')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' superuser' else '' end),
+    (case when lower(current_setting('postgres_dba.login')::text) not in ('0', '', 'no', 'false', 'n', 'f') then ' login' else '' end),
+    pwd);
   raise debug 'SQL: %', sql;
   execute sql;
   raise info 'User % created, password: %', current_setting('postgres_dba.username')::text, pwd;
