CHEF-14805 Oracle db session resource fixes (#7136)
* Oracle db fixes: Revert security improvements and modify error handling condition Signed-off-by: Nik08 <nikita.mathur@progress.com> * Preserving the refactoring of escaped_query method Signed-off-by: Nik08 <nikita.mathur@progress.com> --------- Signed-off-by: Nik08 <nikita.mathur@progress.com>
This commit is contained in:
parent
b96011bc86
commit
2eaabede6e
1 changed files with 5 additions and 8 deletions
|
@ -57,7 +57,7 @@ module Inspec::Resources
|
|||
inspec_cmd = inspec.command(command)
|
||||
out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
|
||||
|
||||
if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
|
||||
if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/
|
||||
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
|
||||
else
|
||||
begin
|
||||
|
@ -134,10 +134,8 @@ module Inspec::Resources
|
|||
end
|
||||
|
||||
def escape_query(query)
|
||||
# https://github.com/inspec/inspec/security/code-scanning/7
|
||||
# https://github.com/inspec/inspec/security/code-scanning/8
|
||||
escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
|
||||
escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
|
||||
escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
|
||||
escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
|
||||
escaped_query
|
||||
end
|
||||
|
||||
|
@ -145,9 +143,8 @@ module Inspec::Resources
|
|||
output = stdout.split("oracle_query_string")[-1]
|
||||
# comma_query_sub replaces the csv delimiter "," in the output.
|
||||
# Handles CSV parsing of data like this (DROP,3) etc
|
||||
# Replace all occurrences of the target pattern using gsub instead of sub
|
||||
# Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
|
||||
output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
|
||||
|
||||
output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
|
||||
converter = ->(header) { header.downcase }
|
||||
CSV.parse(output, headers: true, header_converters: converter).map do |row|
|
||||
next if row.entries.flatten.empty?
|
||||
|
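Review bot: The `escape_query` body kept by this commit (the `query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')` form, which the description marks as the preserved refactoring) collapses `\\` to a single `\` and escapes only `"` and `$`, so a lone backslash or a `\"` sequence in the query reaches the command unescaped and a backtick is never escaped; if the result is interpolated into a double-quoted shell string for `inspec.command` (the choice of escaped characters suggests so, but the command construction lies outside the hunk) either is enough to end the quoted string or start a command substitution. The `unless escaped_query.include? "\\$"` guard, present on both sides of the hunk, skips escaping every `$` once a single pre-escaped `\$` appears anywhere in the query. I would escape each shell metacharacter uniformly, `escaped_query = query.gsub(/["\\`$]/) { |m| "\\#{m}" }`, accepting that callers must then stop pre-escaping `$`, or better feed the query to sqlplus on stdin so no shell escaping is needed at all. In the first hunk, `out.downcase =~ /^error.*/` matches at the start of any line of stdout plus stderr, so a result row whose first column begins with "error" is reported as a failed query; whether `\A` or a check on the stderr portion alone is the intended semantics cannot be told from here.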
|