Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: properly escape postgres password #3424

Merged
merged 20 commits into from
Apr 8, 2024
Merged

fix: properly escape postgres password #3424

merged 20 commits into from
Apr 8, 2024

Conversation

tba-code
Copy link
Contributor

@tba-code tba-code commented Apr 4, 2024

What type of PR is this?

  • bug

What this PR does / why we need it:

  • Properly escapes postgres db urls for alembic
  • POSTGRES_URL_OVERRIDE now escapes the password portion

Which issue(s) this PR fixes:

Fixes #3423
Fixes #3418

Special notes for your reviewer:

The string manipipulation to find the password in POSTGRES_URL_OVERRIDE is quite ugly but I didn't know of a better way to handle it. Any suggestions for improvements would be appreciated.

Testing

  • Spun up the dev services postgres with the password P@ssword!@#$%%^^&&**()+;'"'<>?{}[]
  • Tried to launch the backend.

I was able to launch the backend from both POSTGRES_URL_OVERRIDE and POSTGRES_* variables using the same password.

michael-genson
michael-genson requested changes Apr 4, 2024
View reviewed changes
Copy link
Collaborator

@michael-genson michael-genson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you be able to add tests for this? Specifically the password you provided, as well as any other edge cases you can think of. You can parametrize test_pg_connection_url_encode_password in test_config.py. Something like:

@pytest.mark.parametrize(
  "input, expected_output",
  [("input_1", "output_1"), ("input_2", "output_2"), ...],
)
def test_pg_connection_url_encode_password(input: str, expected_output: str, monkeypatch):
  ...

Additionally, does this properly handle cases where users have already escaped their passwords? (i.e. they have already inserted double % signs). Can we add a test for this as well?

@tba-code
Copy link
Contributor Author

tba-code commented Apr 5, 2024

Testing added.

michael-genson
michael-genson requested changes Apr 5, 2024
View reviewed changes
Copy link
Collaborator

@michael-genson michael-genson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good, just one more bit of feedback and I think this is good to go

alembic/env.py Show resolved Hide resolved
@tba-code tba-code marked this pull request as draft April 5, 2024 19:49
@tba-code tba-code marked this pull request as ready for review April 5, 2024 23:35
@michael-genson
Copy link
Collaborator

Looks good, though I'd prefer to have @hay-kot look at it before signing off in case I'm missing anything

hay-kot
hay-kot previously approved these changes Apr 7, 2024
View reviewed changes
Copy link
Collaborator

@hay-kot hay-kot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made a small backwards compatibility change so that users who have manually escaped their passwords shouldn't have to update their config again.

@tba-code let me know if there's any issue with that, otherwise I can merge.

@tba-code
Copy link
Contributor Author

tba-code commented Apr 7, 2024
edited
Loading

@hay-kot we cannot unquote passwords first as it may break others. this was intentionally added then dropped in a previous commit in this PR

@tba-code
Copy link
Contributor Author

tba-code commented Apr 7, 2024

Breaking some configs is unavoidable for this one. Now that the underlying issue is fixed though, there is no longer a reason for people to try and escape any values in the configs. Would rather break the few that did rather than have an obscure bug down the line. I suggest we make a patch note for this.

@hay-kot hay-kot enabled auto-merge (squash) April 7, 2024 16:55
@hay-kot hay-kot requested a review from michael-genson April 7, 2024 16:55
@michael-genson
Copy link
Collaborator

LGTM. Agreed that we're not going to be able to account for 100% of users, so this is good enough. Thankfully while it's a pain to have to fix your password one more time, it's not like we're breaking setups or breaking data, so it's a just-one-more-fix kind of breaking change

@hay-kot hay-kot merged commit 92659c6 into mealie-recipes:mealie-next Apr 8, 2024
10 checks passed
@tba-code tba-code deleted the fix/postgres-url-parsing branch April 8, 2024 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michael-genson michael-genson michael-genson approved these changes

@hay-kot hay-kot hay-kot approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] - Migration from V1.3.2 to V1.4.0 Migration needed. Performing migration...
3 participants
@tba-code @michael-genson @hay-kot