From 6478409b05c0f72f5113a8c30819b81cc9641be3 Mon Sep 17 00:00:00 2001 From: Sarah Hoffmann Date: Thu, 16 Nov 2023 11:02:25 +0100 Subject: [PATCH] improve code to collect the PostGIS version The SQL contained an unchecked string literal, which may in theory be used to attack the database. --- nominatim/tools/collect_os_info.py | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/nominatim/tools/collect_os_info.py b/nominatim/tools/collect_os_info.py index 29e1cd53..c8fda908 100644 --- a/nominatim/tools/collect_os_info.py +++ b/nominatim/tools/collect_os_info.py @@ -12,14 +12,13 @@ import os import subprocess import sys from pathlib import Path -from typing import List, Optional, Tuple, Union, cast +from typing import List, Optional, Tuple, Union import psutil from psycopg2.extensions import make_dsn, parse_dsn from nominatim.config import Configuration from nominatim.db.connection import connect -from nominatim.typing import DictCursorResults from nominatim.version import NOMINATIM_VERSION @@ -107,15 +106,15 @@ def report_system_information(config: Configuration) -> None: postgresql_ver: str = convert_version(conn.server_version_tuple()) with conn.cursor() as cur: - cur.execute(f""" - SELECT datname FROM pg_catalog.pg_database - WHERE datname='{parse_dsn(config.get_libpq_dsn())['dbname']}'""") - nominatim_db_exists = cast(Optional[DictCursorResults], cur.fetchall()) - if nominatim_db_exists: - with connect(config.get_libpq_dsn()) as conn: - postgis_ver: str = convert_version(conn.postgis_version_tuple()) - else: - postgis_ver = "Unable to connect to database" + num = cur.scalar("SELECT count(*) FROM pg_catalog.pg_database WHERE datname=%s", + (parse_dsn(config.get_libpq_dsn())['dbname'], )) + nominatim_db_exists = num == 1 if isinstance(num, int) else False + + if nominatim_db_exists: + with connect(config.get_libpq_dsn()) as conn: + postgis_ver: str = convert_version(conn.postgis_version_tuple()) + else: + postgis_ver = "Unable to connect to database" postgresql_config: str = get_postgresql_config(int(float(postgresql_ver))) -- 2.39.5