# encoding: utf-8 # copyright: 2015, Vulcano Security GmbH # author: Dominik Richter # author: Christoph Hartmann # license: All rights reserved class Lines attr_reader :output def initialize(raw, desc) @output = raw @desc = desc end def lines output.split("\n") end def to_s @desc end end class PostgresSession < Inspec.resource(1) name 'postgres_session' desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.' example " sql = postgres_session('username', 'password') describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do its('output') { should eq('') } end " def initialize(user, pass) @user = user || 'postgres' @pass = pass end def query(query, db = []) dbs = db.map { |x| "-d #{x}" }.join(' ') # TODO: simple escape, must be handled by a library # that does this securely escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$') # run the query cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h localhost -c \"#{escaped_query}\"") out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 or out =~ /could not connect to .*/ or out.downcase =~ /^error/ # skip this test if the server can't run the query skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}" else # remove the whole header (i.e. up to the first ^-----+------+------$) # remove the tail lines = cmd.stdout .sub(/(.*\n)+([-]+[+])*[-]+\n/, '') .sub(/\n[^\n]*\n\n$/, '') Lines.new(lines.strip, "PostgreSQL query: #{query}") end end end