Merge pull request #5124 from Perceptyx/sql-session-sensitive

feat(sensitive): add sensitive output to mysql and postgres sessions
2024-11-10 07:04:15 +00:00 · 2020-07-28 12:06:50 +01:00 · 2020-07-28 12:06:50 +01:00 · 08d907dc2e
commit 08d907dc2e
parent aa154554fa dd8960dbf6
4 changed files with 45 additions and 8 deletions
--- a/lib/inspec/resources/mysql_session.rb
+++ b/lib/inspec/resources/mysql_session.rb
@ -4,6 +4,23 @@ require "inspec/resources/command"
 require "shellwords"

 module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def lines
+      output.split("\n")
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
  class MysqlSession < Inspec.resource(1)
    name "mysql_session"
    supports platform: "unix"
@ -28,15 +45,17 @@ module Inspec::Resources

    def query(q, db = "")
      mysql_cmd = create_mysql_cmd(q, db)
-      cmd = inspec.command(mysql_cmd)
+      cmd = if !@pass.nil?
+              inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
+            else
+              inspec.command(mysql_cmd)
+            end
      out = cmd.stdout + "\n" + cmd.stderr
-      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error /
-        # skip this test if the server can't run the query
-        warn("Can't connect to MySQL instance for SQL checks.")
+      if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/
+        Lines.new(out, "MySQL query with errors: #{q}")
+      else
+        Lines.new(cmd.stdout.strip, "MySQL query: #{q}")
      end
-
-      # return the raw command output
-      cmd
    end

    def to_s
--- a/lib/inspec/resources/postgres_session.rb
+++ b/lib/inspec/resources/postgres_session.rb
@ -47,7 +47,7 @@ module Inspec::Resources

    def query(query, db = [])
      psql_cmd = create_psql_cmd(query, db)
-      cmd = inspec.command(psql_cmd)
+      cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
      out = cmd.stdout + "\n" + cmd.stderr
      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
        Lines.new(out, "PostgreSQL query with errors: #{query}")
--- a/test/unit/resources/mysql_session_test.rb
+++ b/test/unit/resources/mysql_session_test.rb
@ -1,6 +1,7 @@
 require "helper"
 require "inspec/resource"
 require "inspec/resources/mysql_session"
+require "inspec/resources/command"

 describe "Inspec::Resources::MysqlSession" do
  it "verify mysql_session escaped login details with single quotes correctly" do
@ -17,4 +18,12 @@ describe "Inspec::Resources::MysqlSession" do
    _(resource.send(:create_mysql_cmd, "SELECT 1 FROM DUAL;"))
      .must_equal('mysql -h localhost -s -e "SELECT 1 FROM DUAL;"')
  end
+  it "verify mysql_session redacts output" do
+    cmd = %q{mysql -uroot -p\'\%\"\'\"\&\^\*\&\(\)\'\*\% -h localhost -s -e "SELECT 1 FROM DUAL;"}
+    options = { redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/ }
+    resource = load_resource("command", cmd, options)
+
+    expected_to_s = %q{Command: `mysql -uroot -pREDACTED -h localhost -s -e "SELECT 1 FROM DUAL;"`}
+    _(resource.to_s).must_equal(expected_to_s)
+  end
 end
--- a/test/unit/resources/postgres_session_test.rb
+++ b/test/unit/resources/postgres_session_test.rb
@ -1,6 +1,7 @@
 require "helper"
 require "inspec/resource"
 require "inspec/resources/postgres_session"
+require "inspec/resources/command"

 describe "Inspec::Resources::PostgresSession" do
  it "verify postgres_session create_psql_cmd with a basic query" do
@ -11,4 +12,12 @@ describe "Inspec::Resources::PostgresSession" do
    resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1")
    _(resource.send(:create_psql_cmd, "SELECT current_setting('client_min_messages')", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -A -t -c SELECT\\ current_setting\\(\\'client_min_messages\\'\\)"
  end
+  it "verify postgres_session redacts output" do
+    cmd = %q{PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -A -t -c "SELECT current_setting('client_min_messages')"}
+    options = { redact_regex: /(PGPASSWORD=').+(' psql .*)/ }
+    resource = load_resource("command", cmd, options)
+
+    expected_to_s = %q{Command: `PGPASSWORD='REDACTED' psql -U myuser -d testdb -h 127.0.0.1 -A -t -c "SELECT current_setting('client_min_messages')"`}
+    _(resource.to_s).must_equal(expected_to_s)
+  end
 end