From f71c81d544a4789bcfaa9d2cec02f4b6d0eb3892 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Tue, 15 Oct 2024 12:21:16 +0200 Subject: [PATCH] pass PGPASSWORD via env directly, not via shell --- .../concerns/base_database.rb | 38 +++++++++++-------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/lib/foreman_maintain/concerns/base_database.rb b/lib/foreman_maintain/concerns/base_database.rb index 18879b9c1..b059f5918 100644 --- a/lib/foreman_maintain/concerns/base_database.rb +++ b/lib/foreman_maintain/concerns/base_database.rb @@ -55,22 +55,25 @@ def query_csv(sql, config = configuration) def psql(query, config = configuration) if ping(config) - execute(psql_command(config), + cmd, env = psql_command(config) + execute(cmd, :stdin => query, - :hidden_patterns => [config['password']]) + :env => env) else raise_service_error end end def ping(config = configuration) - execute?(psql_command(config), + cmd, env = psql_command(config) + execute?(cmd, :stdin => 'SELECT 1 as ping', - :hidden_patterns => [config['password']]) + :env => env) end def dump_db(file, config = configuration) - execute!(dump_command(config) + " > #{file}", :hidden_patterns => [config['password']]) + cmd, env = dump_command(config) + execute!(cmd + " > #{file}", :env => env) end def restore_dump(file, localdb, config = configuration) @@ -80,11 +83,10 @@ def restore_dump(file, localdb, config = configuration) else # TODO: figure out how to completely ignore errors. Currently this # sometimes exits with 1 even though errors are ignored by pg_restore - dump_cmd = base_command(config, 'pg_restore') + - ' --no-privileges --clean --disable-triggers -n public ' \ - "-d #{config['database']} #{file}" - execute!(dump_cmd, :hidden_patterns => [config['password']], - :valid_exit_statuses => [0, 1]) + cmd, env = base_command(config, 'pg_restore') + cmd += ' --no-privileges --clean --disable-triggers -n public ' \ + "-d #{config['database']} #{file}" + execute!(cmd, :valid_exit_statuses => [0, 1], :env => env) end end @@ -125,8 +127,9 @@ def dropdb(config = configuration) def db_version(config = configuration) if ping(config) # Note - t removes headers, -A removes alignment whitespace - server_version_cmd = psql_command(config) + ' -c "SHOW server_version" -t -A' - version_string = execute!(server_version_cmd, :hidden_patterns => [config['password']]) + cmd, env = psql_command(config) + cmd += ' -c "SHOW server_version" -t -A' + version_string = execute!(cmd, :env => env) version(version_string) else raise_service_error @@ -146,17 +149,20 @@ def raise_psql_missing_error private def base_command(config, command = 'psql') - "PGPASSWORD='#{config[%(password)]}' "\ - "#{command} -h #{config['host'] || 'localhost'} "\ + env = { 'PGPASSWORD' => config['password'] } + cmd = "#{command} -h #{config['host'] || 'localhost'} "\ " -p #{config['port'] || '5432'} -U #{config['username']}" + return cmd, env end def psql_command(config) - base_command(config, 'psql') + " -d #{config['database']}" + cmd, env = base_command(config, 'psql') + return cmd + " -d #{config['database']}", env end def dump_command(config) - base_command(config, 'pg_dump') + " -Fc #{config['database']}" + cmd, env = base_command(config, 'pg_dump') + return cmd + " -Fc #{config['database']}", env end def raise_service_error