Skip to main content

Spot vulnerabilities in postgres extension scripts

Project description

pgspot

Actions Status License: PostgreSQL PyPI Downloads Code style: black

Spot vulnerabilities in PostgreSQL extension scripts.

pgspot checks extension scripts for following PostgreSQL security best practices. In addition to checking extension scripts it can also be used to check security definer functions or any other PostgreSQL SQL code.

pgspot checks for the following vulnerabilities:

  • search_path-based attacks
  • unsafe object creation

Consult the reference for detailed documentation of the vulnerabilities which pgspot detects, and their potential mitigations.

Useful links

Installation

pip install pgspot

Requirements

To install the runtime requirements, use pip -r requirements.txt.

Usage

> pgspot -h
usage: pgspot [-h] [-a] [--proc-without-search-path PROC] [--summary-only] [--plpgsql | --no-plpgsql] [--explain EXPLAIN] [--ignore IGNORE] [--sql-accepting SQL_FN] [FILE ...]

Spot vulnerabilities in PostgreSQL SQL scripts

positional arguments:
  FILE                  file to check for vulnerabilities

options:
  -h, --help            show this help message and exit
  -a, --append          append files before checking
  --proc-without-search-path PROC
                        whitelist functions without explicit search_path
  --summary-only        only print number of errors, warnings and unknowns
  --plpgsql, --no-plpgsql
                        Analyze PLpgSQL code (default: True)
  --explain EXPLAIN     Describe an error/warning code
  --ignore IGNORE       Ignore error or warning code
  --ignore-lang LANG    Ignore unknown procedural language
  --sql-accepting SQL_FN
                        Specify one or more sql-accepting functions
> pgspot --ignore PS017 <<<"CREATE TABLE IF NOT EXISTS foo();"
PS012: Unsafe table creation: foo

Errors: 1 Warnings: 0 Unknown: 0

SQL-accepting functions

It is a common pattern that SQL-accepting functions exist, which take a string-like argument which will be executed as SQL. This can "hide" some SQL from pgspot, as the string-like argument masks the SQL. With the --sql-accepting argument, pgspot can be told about such functions.

Assuming a function named execute_sql which takes a SQL string as its first argument, and executes it. With pgspot --sql-accepting=execute_sql we can tell pgspot execute_sql may accept SQL. pgspot will attempt to unpack and evaluate all arguments to that function as SQL.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pgspot-0.8.0.tar.gz (14.7 kB view details)

Uploaded Source

Built Distribution

pgspot-0.8.0-py3-none-any.whl (14.8 kB view details)

Uploaded Python 3

File details

Details for the file pgspot-0.8.0.tar.gz.

File metadata

  • Download URL: pgspot-0.8.0.tar.gz
  • Upload date:
  • Size: 14.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for pgspot-0.8.0.tar.gz
Algorithm Hash digest
SHA256 2a777fec3ac8fcccdfa3ed4897362bac5f6f1249dd0c6cc1140c59b83002ce6d
MD5 fbca0d7d582405a2861f4c7a990aa207
BLAKE2b-256 86e62b4071a8941e792525b4b31ac0a5244ab82414d18ce2c3c98a7657fe939c

See more details on using hashes here.

File details

Details for the file pgspot-0.8.0-py3-none-any.whl.

File metadata

  • Download URL: pgspot-0.8.0-py3-none-any.whl
  • Upload date:
  • Size: 14.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for pgspot-0.8.0-py3-none-any.whl
Algorithm Hash digest
SHA256 fad085a00a50653384d13ef10136c9f9c57f6329f021a9fe36a1c37a91836fe1
MD5 c55678b05ee910bf69d69aca42700eed
BLAKE2b-256 fdb1e70b0e54e513163a35e46d6f3b32188a959227710c7add1923260ba7a582

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page