Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-10 07:04:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

CHEF-14805 Oracle db session resource fixes (#7136)

Browse source 
* Oracle db fixes: Revert security improvements and modify error handling condition

Signed-off-by: Nik08 <nikita.mathur@progress.com>

* Preserving the refactoring of escaped_query method

Signed-off-by: Nik08 <nikita.mathur@progress.com>

---------

Signed-off-by: Nik08 <nikita.mathur@progress.com>
This commit is contained in:
Nikita Mathur 2024-08-26 13:53:00 +05:30 committed by GitHub
parent b96011bc86
commit 2eaabede6e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
lib/inspec/resources/oracledb_session.rb
View file

@ -57,7 +57,7 @@ module Inspec::Resources
inspec_cmd = inspec.command(command) inspec_cmd = inspec.command(command)
out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/ if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}" raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
else else
begin begin
@ -134,10 +134,8 @@ module Inspec::Resources
end end
def escape_query(query) def escape_query(query)
# https://github.com/inspec/inspec/security/code-scanning/7 escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
# https://github.com/inspec/inspec/security/code-scanning/8 escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
escaped_query escaped_query
end end
@ -145,9 +143,8 @@ module Inspec::Resources
output = stdout.split("oracle_query_string")[-1] output = stdout.split("oracle_query_string")[-1]
# comma_query_sub replaces the csv delimiter "," in the output. # comma_query_sub replaces the csv delimiter "," in the output.
# Handles CSV parsing of data like this (DROP,3) etc # Handles CSV parsing of data like this (DROP,3) etc
# Replace all occurrences of the target pattern using gsub instead of sub
# Issue detected: https://github.com/inspec/inspec/security/code-scanning/9 output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
converter = ->(header) { header.downcase } converter = ->(header) { header.downcase }
CSV.parse(output, headers: true, header_converters: converter).map do |row| CSV.parse(output, headers: true, header_converters: converter).map do |row|
next if row.entries.flatten.empty? next if row.entries.flatten.empty?