only allow alphanumeric and dash in DATABASE_WEBUSER

This variable is used a lot in raw SQL. Avoid injection issues.
2026-02-14 01:47:57 +00:00 · 2026-02-09 21:07:31 +01:00
parent 7a62c7d812
commit e17d0cb5cf
3 changed files with 11 additions and 6 deletions
--- a/src/nominatim_db/config.py
+++ b/src/nominatim_db/config.py
@@ -2,7 +2,7 @@
 #
 # This file is part of Nominatim. (https://nominatim.org)
 #
-# Copyright (C) 2025 by the Nominatim developer community.
+# Copyright (C) 2026 by the Nominatim developer community.
 # For a full list of authors see the git log.
 """
 Nominatim configuration accessor.
@@ -12,6 +12,7 @@ import importlib.util
 import logging
 import os
 import sys
+import re
 from pathlib import Path
 import json
 import yaml
@@ -80,6 +81,10 @@ class Configuration:
        self.lib_dir = _LibDirs()
        self._private_plugins: Dict[str, object] = {}

+        if re.fullmatch(r'[\w-]+', self.DATABASE_WEBUSER) is None:
+            raise UsageError("Misconfigured DATABASE_WEBUSER. "
+                             "Only alphnumberic characters, - and _ are allowed.")
+
    def set_libdirs(self, **kwargs: StrPath) -> None:
        """ Set paths to library functions and data.
        """
--- a/test/python/config/test_config.py
+++ b/test/python/config/test_config.py
@@ -2,7 +2,7 @@
 #
 # This file is part of Nominatim. (https://nominatim.org)
 #
-# Copyright (C) 2025 by the Nominatim developer community.
+# Copyright (C) 2026 by the Nominatim developer community.
 # For a full list of authors see the git log.
 """
 Test for loading dotenv configuration.
@@ -68,13 +68,13 @@ def test_prefer_os_environ_over_project_setting(make_config, monkeypatch, tmp_pa

 def test_prefer_os_environ_can_unset_project_setting(make_config, monkeypatch, tmp_path):
    envfile = tmp_path / '.env'
-    envfile.write_text('NOMINATIM_DATABASE_WEBUSER=apache\n', encoding='utf-8')
+    envfile.write_text('NOMINATIM_OSM2PGSQL_BINARY=osm2pgsql\n', encoding='utf-8')

-    monkeypatch.setenv('NOMINATIM_DATABASE_WEBUSER', '')
+    monkeypatch.setenv('NOMINATIM_OSM2PGSQL_BINARY', '')

    config = make_config(tmp_path)

-    assert config.DATABASE_WEBUSER == ''
+    assert config.OSM2PGSQL_BINARY == ''


 def test_get_os_env_add_defaults(make_config, monkeypatch):
--- a/test/python/tools/test_database_import.py
+++ b/test/python/tools/test_database_import.py
@@ -62,7 +62,7 @@ class TestDatabaseSetup:
    def test_create_db_missing_ro_user(self):
        with pytest.raises(UsageError, match='Missing read-only user.'):
            database_import.setup_database_skeleton(f'dbname={self.DBNAME}',
-                                                    rouser='sdfwkjkjgdugu2;jgsafkljas;')
+                                                    rouser='sdfwkjkjgdugu2jgsafkljas')

    def test_setup_extensions_old_postgis(self, monkeypatch):
        monkeypatch.setattr(database_import, 'POSTGIS_REQUIRED_VERSION', (50, 50))