2016-07-17 18:18:25 +00:00
|
|
|
# encoding: utf-8
|
|
|
|
|
# author: Christoph Hartmann
|
|
|
|
|
# author: Dominik Richter
|
|
|
|
|
|
|
|
|
|
module Inspec::Resources
|
|
|
|
|
class MssqlSession < Inspec.resource(1)
|
|
|
|
|
name 'mssql_session'
|
|
|
|
|
desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
|
|
|
|
|
example "
|
|
|
|
|
sql = mssql_session('myuser','mypassword')
|
|
|
|
|
describe sql.query('select * from sys.databases where name like \'*test*\') do
|
|
|
|
|
its('stdout') {should_not match(/test/) }
|
|
|
|
|
end
|
|
|
|
|
"
|
|
|
|
|
|
|
|
|
|
def initialize(user = nil, pass = nil)
|
|
|
|
|
@user = user
|
|
|
|
|
@pass = pass
|
|
|
|
|
skip_resource('user and pass are required for MSSQL tests') if @user.nil? or @pass.nil?
|
|
|
|
|
end
|
|
|
|
|
|
2016-07-17 18:22:04 +00:00
|
|
|
def query(q)
|
2016-07-17 18:18:25 +00:00
|
|
|
escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$').gsub(/\@/, '`@')
|
|
|
|
|
cmd = inspec.command("sqlcmd -U #{@user} -P #{@pass} -Q \"#{escaped_query}\"")
|
|
|
|
|
|
|
|
|
|
cmd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def to_s
|
|
|
|
|
'MSSQL'
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
