CHEF-14805 Oracle db session resource fixes (#7136)

* Oracle db fixes: Revert security improvements and modify error handling condition Signed-off-by: Nik08 <nikita.mathur@progress.com> * Preserving the refactoring of escaped_query method Signed-off-by: Nik08 <nikita.mathur@progress.com> --------- Signed-off-by: Nik08 <nikita.mathur@progress.com>
2024-09-20 06:21:56 +00:00 · 2024-08-26 13:53:00 +05:30 · 2024-08-26 13:53:00 +05:30 · 2eaabede6e
commit 2eaabede6e
parent b96011bc86
1 changed files with 5 additions and 8 deletions
--- a/lib/inspec/resources/oracledb_session.rb
+++ b/lib/inspec/resources/oracledb_session.rb
@ -57,7 +57,7 @@ module Inspec::Resources
      inspec_cmd = inspec.command(command)
      out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr

-      if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
+      if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/
        raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
      else
        begin
@ -134,10 +134,8 @@ module Inspec::Resources
    end

    def escape_query(query)
-      # https://github.com/inspec/inspec/security/code-scanning/7
-      # https://github.com/inspec/inspec/security/code-scanning/8
-      escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
-      escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
+      escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
+      escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
      escaped_query
    end

@ -145,9 +143,8 @@ module Inspec::Resources
      output = stdout.split("oracle_query_string")[-1]
      # comma_query_sub replaces the csv delimiter "," in the output.
      # Handles CSV parsing of data like this (DROP,3) etc
-      # Replace all occurrences of the target pattern using gsub instead of sub
-      # Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
-      output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
+
+      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
      converter = ->(header) { header.downcase }
      CSV.parse(output, headers: true, header_converters: converter).map do |row|
        next if row.entries.flatten.empty?