archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2026-02-05 06:04:03 +00:00
Code Activity

Protect queries from SQL injection (CreatePostgresUserForTenant)

Browse source
This commit is contained in:
lukinovec 2023-06-28 10:13:13 +02:00
parent 30f4f430d5
commit 855ebfbd0b
1 changed files with 7 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/Jobs/CreatePostgresUserForTenant.php
View file

@ -39,8 +39,9 @@ class CreatePostgresUserForTenant implements ShouldQueue
$password = $this->tenant->database()->getPassword() ?? PostgresRLSBootstrapper::getDefaultPassword(); $password = $this->tenant->database()->getPassword() ?? PostgresRLSBootstrapper::getDefaultPassword();
// Create the user only if it doesn't already exist // Create the user only if it doesn't already exist
if (! count(DB::select("SELECT usename FROM pg_user WHERE usename = '$name';")) > 0) { if (! count(DB::select("SELECT usename FROM pg_user WHERE usename = $1", [$name])) > 0) {
DB::statement("CREATE USER \"$name\" LOGIN PASSWORD '$password';"); $formattedStatement = DB::select("SELECT format('CREATE USER %I LOGIN PASSWORD %L', '$name', '$password');")[0]->format;
DB::statement($formattedStatement);
} }
$this->grantPermissions((string) $name); $this->grantPermissions((string) $name);
@ -59,10 +60,12 @@ class CreatePostgresUserForTenant implements ShouldQueue
$table = $model->getTable(); $table = $model->getTable();
foreach (config('tenancy.rls.user_permissions') as $permission) { foreach (config('tenancy.rls.user_permissions') as $permission) {
$databaseManager->database()->statement("GRANT {$permission} ON {$table} TO \"{$userName}\""); $formattedStatement = $databaseManager->database()->select("SELECT format('GRANT %s ON %I TO %I', '$permission', '$table', '$userName')")[0]->format;
$databaseManager->database()->statement($formattedStatement);
} }
$databaseManager->database()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO \"{$userName}\""); $formattedStatement = $databaseManager->database()->select("SELECT format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO %I', '$userName')")[0]->format;
$databaseManager->database()->statement($formattedStatement);
} }
}); });
} }