pgspot

Release 0.7.0

Spot vulnerabilities in postgres extension scripts

Homepage PyPI Python

Keywords
postgresql
License
PostgreSQL
Install
pip install pgspot==0.7.0

Documentation

pgspot

Actions Status License: PostgreSQL PyPI Downloads Code style: black

Spot vulnerabilities in PostgreSQL extension scripts.

pgspot checks extension scripts for following PostgreSQL security best practices. In addition to checking extension scripts it can also be used to check security definer functions or any other PostgreSQL SQL code.

pgspot checks for the following vulnerabilities:

  • search_path-based attacks
  • unsafe object creation

Consult the reference for detailed documentation of the vulnerabilities which pgspot detects, and their potential mitigations.

Useful links

Installation

pip install pgspot

Requirements

To install the runtime requirements, use pip -r requirements.txt.

Usage

> pgspot -h
usage: pgspot [-h] [-a] [--proc-without-search-path PROC] [--summary-only] [--plpgsql | --no-plpgsql] [--explain EXPLAIN] [--ignore IGNORE] [--sql-accepting SQL_FN] [FILE ...]

Spot vulnerabilities in PostgreSQL SQL scripts

positional arguments:
  FILE                  file to check for vulnerabilities

options:
  -h, --help            show this help message and exit
  -a, --append          append files before checking
  --proc-without-search-path PROC
                        whitelist functions without explicit search_path
  --summary-only        only print number of errors, warnings and unknowns
  --plpgsql, --no-plpgsql
                        Analyze PLpgSQL code (default: True)
  --explain EXPLAIN     Describe an error/warning code
  --ignore IGNORE       Ignore error or warning code
  --sql-accepting SQL_FN
                        Specify one or more sql-accepting functions

> pgspot --ignore PS017 <<<"CREATE TABLE IF NOT EXISTS foo();"
PS012: Unsafe table creation: foo

Errors: 1 Warnings: 0 Unknown: 0

SQL-accepting functions

It is a common pattern that SQL-accepting functions exist, which take a string-like argument which will be executed as SQL. This can "hide" some SQL from pgspot, as the string-like argument masks the SQL. With the --sql-accepting argument, pgspot can be told about such functions.

Assuming a function named execute_sql which takes a SQL string as its first argument, and executes it. With pgspot --sql-accepting=execute_sql we can tell pgspot execute_sql may accept SQL. pgspot will attempt to unpack and evaluate all arguments to that function as SQL.

Stats

Dependencies
1
Dependent packages
0
Dependent repositories
0
Total releases
9
Latest release
First release
Stars
29
Forks
6
Watchers
10
Contributors
6
Repository size
164 KB
SourceRank
10

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.5.0
0.7.1
0.7.0
0.6.0
0.4.0
0.3.3
0.3.2
0.3.1
0.3.0

Contributors

Sven Klemm dependabot[bot] James Guthrie Fabrízio de Royes Mello Mike Freedman Step Security Bot


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2024-04-12 06:50:00 UTC

Login to resync this project