URL-encode credentials in PostgreSQL connection URI #4206
Open
tas50 wants to merge 1 commit into
make_connection_string interpolated the database username and password
directly into a libpq connection URI:
"postgresql:///#{db_name}?user=#{db_user}&password=#{db_password}&host=#{host}&port=#{port}"
Neither value was URL-encoded. A username or password containing
characters that are significant in a connection URI (such as '&', '?',
'#', '/', or spaces) would break the URI or inject additional
connection parameters (for example appending '&sslmode=disable'). The
DB superuser password can be set to an arbitrary value via
set-db-superuser-password, so this is reachable with non-random
credentials.
URL-encode the username and password with ERB::Util.url_encode before
building the URI. Plain alphanumeric credentials are unaffected.
Signed-off-by: Tim Smith <tsmith84@proton.me>
Problem

ChefServerCtl::Config.make_connection_string in src/chef-server-ctl/lib/chef_server_ctl/config.rb interpolates the database username and password directly into a libpq connection URI without URL-encoding:

"postgresql:///#{db_name}?user=#{db_user}&password=#{db_password}&host=#{host}&port=#{port}"

If a username or password contains characters that are significant in a connection URI — &, ?, #, /, or spaces — the resulting URI is either malformed or carries extra connection parameters that the credential value injects. For example a password value of secret&sslmode=disable would append an unintended sslmode parameter to the connection.

The DB superuser password is not limited to randomly generated values — it can be set to an arbitrary string via chef-server-ctl set-db-superuser-password — so this is reachable in practice, not just in theory.

Fix

URL-encode the username and password with ERB::Util.url_encode before building the URI:

Plain alphanumeric credentials are unchanged; only URI-significant characters are percent-encoded, which libpq decodes back to the original value. (ERB::Util.url_encode encodes spaces as %20 rather than +, which is what a libpq URI expects.)

Note: the chef-server-ctl gem bundle targets Ruby 3.1 and could not be installed in my local environment (Ruby 4.x), so I verified the change with ruby -c and confirmed the encoding behavior of ERB::Util.url_encode directly.
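
The parameter injection and the fix described in this pull request, as an added Ruby example that is not part of the PR or of chef-server's code: it builds the URI both ways and reads the query back. The database name, user, host, port and the query_params helper (a simplified model of a URI query parser, not libpq's implementation) are constructed for illustration.

```ruby
require "erb"

# Raw interpolation, as in the template quoted in the PR description.
def raw_connection_string(db_name, db_user, db_password, host, port)
  "postgresql:///#{db_name}?user=#{db_user}&password=#{db_password}&host=#{host}&port=#{port}"
end

# Credentials percent-encoded with ERB::Util.url_encode, as the PR describes.
def encoded_connection_string(db_name, db_user, db_password, host, port)
  user = ERB::Util.url_encode(db_user)
  password = ERB::Util.url_encode(db_password)
  "postgresql:///#{db_name}?user=#{user}&password=#{password}&host=#{host}&port=#{port}"
end

# Hypothetical helper: a simplified model of a URI query parser (an
# assumption, not libpq's code). Splits on '&', then on the first '=',
# then percent-decodes each value.
def query_params(uri)
  query = uri.split("?", 2)[1].to_s
  query.split("&").map do |pair|
    key, value = pair.split("=", 2)
    decoded = value.to_s.b.gsub(/%(\h\h)/) { $1.hex.chr }
    [key, decoded.force_encoding("UTF-8")]
  end
end

# Constructed sample values; the password is the example from the PR text.
SAMPLE = ["example_db", "example_user", "secret&sslmode=disable", "localhost", 5432].freeze

if __FILE__ == $PROGRAM_NAME
  uris = { "raw" => raw_connection_string(*SAMPLE),
           "encoded" => encoded_connection_string(*SAMPLE) }
  uris.each do |label, uri|
    puts "#{label}: #{uri}"
    query_params(uri).each { |k, v| puts "  #{k} = #{v.inspect}" }
  end
end
```

In the raw form the parsed query gains an sslmode key and the password is cut to "secret"; in the encoded form the key list is unchanged and the password decodes back to the full original string.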