From 855ebfbd0b835ef322f95305f53174fc026d35d2 Mon Sep 17 00:00:00 2001
From: lukinovec
Date: Wed, 28 Jun 2023 10:13:13 +0200
Subject: [PATCH] Protect queries from SQL injection (CreatePostgresUserForTenant)

---
 src/Jobs/CreatePostgresUserForTenant.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/Jobs/CreatePostgresUserForTenant.php b/src/Jobs/CreatePostgresUserForTenant.php
index 683354db..7727c50d 100644
--- a/src/Jobs/CreatePostgresUserForTenant.php
+++ b/src/Jobs/CreatePostgresUserForTenant.php
@@ -39,8 +39,9 @@ class CreatePostgresUserForTenant implements ShouldQueue
         $password = $this->tenant->database()->getPassword() ?? PostgresRLSBootstrapper::getDefaultPassword();
 
         // Create the user only if it doesn't already exist
-        if (! count(DB::select("SELECT usename FROM pg_user WHERE usename = '$name';")) > 0) {
-            DB::statement("CREATE USER \"$name\" LOGIN PASSWORD '$password';");
+        if (! count(DB::select("SELECT usename FROM pg_user WHERE usename = $1", [$name])) > 0) {
+            $formattedStatement = DB::select("SELECT format('CREATE USER %I LOGIN PASSWORD %L', '$name', '$password');")[0]->format;
+            DB::statement($formattedStatement);
         }
 
         $this->grantPermissions((string) $name);
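Review bot: The CREATE USER statement is still built by string interpolation: `'$name'` and `'$password'` are spliced into the SQL text of the SELECT that calls format(), so a single quote in either value breaks out of the literal before the %I/%L quoting ever runs, and the injection the commit title addresses remains on the second `+` line. Bind both as parameters instead: `$formattedStatement = DB::select("SELECT format('CREATE USER %I LOGIN PASSWORD %L', ?, ?)", [$name, $password])[0]->format;`; the GRANT statements in the second hunk interpolate `$permission`, `$table` and `$userName` the same way and want the same treatment. The pg_user lookup on the first `+` line uses `$1`, PostgreSQL's wire placeholder, whereas Laravel/PDO substitute `?` placeholders, so the bound `$name` most likely never reaches the query; `DB::select('SELECT usename FROM pg_user WHERE usename = ?', [$name])` fixes that, and comparing the result with `=== []` avoids relying on `!` binding tighter than `>` in `! count(...) > 0`. The enclosing method begins before this hunk.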
@@ -59,10 +60,12 @@ class CreatePostgresUserForTenant implements ShouldQueue
                 $table = $model->getTable();
 
                 foreach (config('tenancy.rls.user_permissions') as $permission) {
-                    $databaseManager->database()->statement("GRANT {$permission} ON {$table} TO \"{$userName}\"");
+                    $formattedStatement = $databaseManager->database()->select("SELECT format('GRANT %s ON %I TO %I', '$permission', '$table', '$userName')")[0]->format;
+                    $databaseManager->database()->statement($formattedStatement);
                 }
 
-                $databaseManager->database()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO \"{$userName}\"");
+                $formattedStatement = $databaseManager->database()->select("SELECT format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO %I', '$userName')")[0]->format;
+                $databaseManager->database()->statement($formattedStatement);
             }
         });
     }
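Review bot: `%s` on the first `+` line leaves `$permission` entirely unquoted, so whatever `tenancy.rls.user_permissions` contains lands in the GRANT verbatim; that is unavoidable, since privilege names are keywords rather than identifiers, but nothing at this site records that the value is trusted configuration rather than data. A comment such as `// %s on purpose: privilege keywords cannot be quoted, so this relies on the config value being trusted` would make the assumption visible, and checking each entry against the fixed set of privileges the job intends to grant (`in_array($permission, $allowed, true)`) would make it enforced. The enclosing closure and grantPermissions method begin before this hunk.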