hans/Nominatim
1
0
Fork 1
mirror of https://github.com/osm-search/Nominatim.git synced 2026-02-14 01:47:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

only allow alphanumeric and dash in DATABASE_WEBUSER

Browse Source 
This variable is used a lot in raw SQL. Avoid injection issues.
This commit is contained in:
Sarah Hoffmann
2026-02-09 21:07:31 +01:00
parent 7a62c7d812
commit e17d0cb5cf
3 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/nominatim_db/config.py
View File

@@ -2,7 +2,7 @@
# #
# This file is part of Nominatim. (https://nominatim.org) # This file is part of Nominatim. (https://nominatim.org)
# #
# Copyright (C) 2025 by the Nominatim developer community. # Copyright (C) 2026 by the Nominatim developer community.
# For a full list of authors see the git log. # For a full list of authors see the git log.
""" """
Nominatim configuration accessor. Nominatim configuration accessor.
@@ -12,6 +12,7 @@ import importlib.util
import logging import logging
import os import os
import sys import sys
import re
from pathlib import Path from pathlib import Path
import json import json
import yaml import yaml
@@ -80,6 +81,10 @@ class Configuration:
self.lib_dir = _LibDirs() self.lib_dir = _LibDirs()
self._private_plugins: Dict[str, object] = {} self._private_plugins: Dict[str, object] = {}
if re.fullmatch(r'[\w-]+', self.DATABASE_WEBUSER) is None:
raise UsageError("Misconfigured DATABASE_WEBUSER. "
"Only alphnumberic characters, - and _ are allowed.")
def set_libdirs(self, **kwargs: StrPath) -> None: def set_libdirs(self, **kwargs: StrPath) -> None:
""" Set paths to library functions and data. """ Set paths to library functions and data.
""" """

8
test/python/config/test_config.py
View File

@@ -2,7 +2,7 @@
# #
# This file is part of Nominatim. (https://nominatim.org) # This file is part of Nominatim. (https://nominatim.org)
# #
# Copyright (C) 2025 by the Nominatim developer community. # Copyright (C) 2026 by the Nominatim developer community.
# For a full list of authors see the git log. # For a full list of authors see the git log.
""" """
Test for loading dotenv configuration. Test for loading dotenv configuration.
@@ -68,13 +68,13 @@ def test_prefer_os_environ_over_project_setting(make_config, monkeypatch, tmp_pa
def test_prefer_os_environ_can_unset_project_setting(make_config, monkeypatch, tmp_path): def test_prefer_os_environ_can_unset_project_setting(make_config, monkeypatch, tmp_path):
envfile = tmp_path / '.env' envfile = tmp_path / '.env'
envfile.write_text('NOMINATIM_DATABASE_WEBUSER=apache\n', encoding='utf-8') envfile.write_text('NOMINATIM_OSM2PGSQL_BINARY=osm2pgsql\n', encoding='utf-8')
monkeypatch.setenv('NOMINATIM_DATABASE_WEBUSER', '') monkeypatch.setenv('NOMINATIM_OSM2PGSQL_BINARY', '')
config = make_config(tmp_path) config = make_config(tmp_path)
assert config.DATABASE_WEBUSER == '' assert config.OSM2PGSQL_BINARY == ''
def test_get_os_env_add_defaults(make_config, monkeypatch): def test_get_os_env_add_defaults(make_config, monkeypatch):

2
test/python/tools/test_database_import.py
View File

@@ -62,7 +62,7 @@ class TestDatabaseSetup:
def test_create_db_missing_ro_user(self): def test_create_db_missing_ro_user(self):
with pytest.raises(UsageError, match='Missing read-only user.'): with pytest.raises(UsageError, match='Missing read-only user.'):
database_import.setup_database_skeleton(f'dbname={self.DBNAME}', database_import.setup_database_skeleton(f'dbname={self.DBNAME}',
rouser='sdfwkjkjgdugu2;jgsafkljas;') rouser='sdfwkjkjgdugu2jgsafkljas')
def test_setup_extensions_old_postgis(self, monkeypatch): def test_setup_extensions_old_postgis(self, monkeypatch):
monkeypatch.setattr(database_import, 'POSTGIS_REQUIRED_VERSION', (50, 50)) monkeypatch.setattr(database_import, 'POSTGIS_REQUIRED_VERSION', (50, 50))