fix: properly escape postgres password (#3424)

Co-authored-by: Hayden <64056131+hay-kot@users.noreply.github.com>
This commit is contained in:
tba-code 2024-04-08 09:47:57 -05:00 committed by GitHub
parent 6f871c6bdb
commit 92659c64eb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 70 additions and 9 deletions

View File

@ -22,7 +22,11 @@ target_metadata = SqlAlchemyBase.metadata
# Set DB url from config
settings = get_app_settings()
config.set_main_option("sqlalchemy.url", settings.DB_URL)
if not settings.DB_URL:
raise Exception("DB URL not set in config")
config.set_main_option("sqlalchemy.url", settings.DB_URL.replace("%", "%%"))
def run_migrations_offline():

View File

@ -46,17 +46,25 @@ class PostgresProvider(AbstractDBProvider, BaseSettings):
@property
def db_url(self) -> str:
if self.POSTGRES_URL_OVERRIDE:
url = PostgresDsn(url=self.POSTGRES_URL_OVERRIDE)
if not url.scheme == ("postgresql"):
url = self.POSTGRES_URL_OVERRIDE
scheme, remainder = url.split("://", 1)
if scheme != "postgresql":
raise ValueError("POSTGRES_URL_OVERRIDE scheme must be postgresql")
return str(url)
remainder = remainder.split(":", 1)[1]
password = remainder[: remainder.rfind("@")]
quoted_password = urlparse.quote(password)
safe_url = url.replace(password, quoted_password)
return safe_url
return str(
PostgresDsn.build(
scheme="postgresql",
username=self.POSTGRES_USER,
password=urlparse.quote_plus(self.POSTGRES_PASSWORD),
password=urlparse.quote(self.POSTGRES_PASSWORD),
host=f"{self.POSTGRES_SERVER}:{self.POSTGRES_PORT}",
path=f"{self.POSTGRES_DB or ''}",
)

View File

@ -38,13 +38,62 @@ def test_pg_connection_args(monkeypatch):
assert app_settings.DB_URL == "postgresql://mealie:mealie@postgres:5432/mealie"
def test_pg_connection_url_encode_password(monkeypatch):
psql_validation_cases = [
(
"unencoded_to_encoded_password",
[
"POSTGRES_PASSWORD",
"P@ssword!@#$%%^^&&**()+;'\"'<>?{}[]",
"P%40ssword%21%40%23%24%25%25%5E%5E%26%26%2A%2A%28%29%2B%3B%27%22%27%3C%3E%3F%7B%7D%5B%5D",
],
),
(
"unencoded_to_encoded_url",
[
"POSTGRES_URL_OVERRIDE",
"postgresql://mealie:P@ssword!@#$%%^^&&**()+;'\"'<>?{}[]@postgres:5432/mealie",
"postgresql://mealie:P%40ssword%21%40%23%24%25%25%5E%5E%26%26%2A%2A%28%29%2B%3B%27%22%27%3C%3E%3F%7B%7D%5B%5D@postgres:5432/mealie",
],
),
(
"no_encode_needed_password",
[
"POSTGRES_PASSWORD",
"MyPassword",
"MyPassword",
],
),
(
"no_encode_needed_url",
[
"POSTGRES_URL_OVERRIDE",
"postgresql://mealie:MyPassword@postgres:5432/mealie",
"postgresql://mealie:MyPassword@postgres:5432/mealie",
],
),
]
psql_cases = [x[1] for x in psql_validation_cases]
psql_cases_ids = [x[0] for x in psql_validation_cases]
@pytest.mark.parametrize("data", psql_cases, ids=psql_cases_ids)
def test_pg_connection_url_encode_password(data, monkeypatch):
env, value, expected = data
monkeypatch.setenv("DB_ENGINE", "postgres")
monkeypatch.setenv("POSTGRES_SERVER", "postgres")
monkeypatch.setenv("POSTGRES_PASSWORD", "please,url#encode/this?password")
monkeypatch.setenv(env, value)
get_app_settings.cache_clear()
app_settings = get_app_settings()
assert app_settings.DB_URL == "postgresql://mealie:please%2Curl%23encode%2Fthis%3Fpassword@postgres:5432/mealie"
pg_provider = app_settings.DB_PROVIDER
expected = (
expected
if expected.startswith("postgresql://")
else f"postgresql://{pg_provider.POSTGRES_USER}:{expected}@{pg_provider.POSTGRES_SERVER}:5432/{pg_provider.POSTGRES_DB}"
)
assert app_settings.DB_URL == expected
@dataclass(slots=True)