fix: postgres init-databases.sh psql variable syntax error #8

Open
RimSM wants to merge 1 commit into main
base: main
from fix/postgres-init-databases
15 changes: 5 additions & 10 deletions docker/postgres/init-databases.sh
Expand Up @@ -4,18 +4,13 @@ set -euo pipefail
# Create service metadata databases during the first Postgres initialization.
create_database() {
local database="1ドル"
local exists

exists="$(
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres --set=database="$database" \
--tuples-only --no-align \
--command "SELECT 1 FROM pg_database WHERE datname = :'database'"
)"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres \
--command "SELECT 1 FROM pg_database WHERE datname = '$database'" \
--tuples-only --no-align | grep -q 1 && return 0
Comment on lines +8 to +10

@coderabbitai coderabbitai Bot Jun 9, 2026

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

SQL injection vulnerability in database existence check.

The $database variable is directly interpolated into the SQL WHERE clause using single quotes: datname = '$database'. If the database name contains a single quote character, it can break out of the string literal and execute arbitrary SQL.

Example attack vector:

KOIN_DATA_AIRFLOW_DB="'; DROP DATABASE postgres; --"

Would result in:

SELECT 1 FROM pg_database WHERE datname = ''; DROP DATABASE postgres; --'

While this script runs in a trusted container initialization context with operator-controlled environment variables, it's still a security posture gap that should be addressed.

🛡️ Proposed fix with input validation

Add input validation to ensure database names only contain safe characters:

 create_database() {
 local database="1ドル"
+
+ # Validate database name (alphanumeric, underscore only)
+ if ! [[ "$database" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]]; then
+ echo "Error: Invalid database name '$database'" >&2
+ return 1
+ fi
 
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres \

Alternatively, use PostgreSQL's dollar-quoted strings to avoid single-quote escaping issues:

 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres \
- --command "SELECT 1 FROM pg_database WHERE datname = '$database'" \
+ --command "SELECT 1 FROM pg_database WHERE datname = \$\$${database}\$\$" \
 --tuples-only --no-align | grep -q 1 && return 0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docker/postgres/init-databases.sh` around lines 8 - 10, The psql command in
init-databases.sh interpolates $database directly into SQL (psql ... --command
"SELECT ... WHERE datname = '$database'") creating an SQL injection risk; fix by
validating or sanitizing $database before use: add a check that $database
matches a strict pattern (e.g., /^[a-zA-Z0-9_]+$/) and exit with error if not,
or alternatively construct the SQL using safe dollar-quoting (e.g., WHERE
datname = $$<database>$$) or properly escape single quotes, then use the
validated/sanitized $database in the psql --command invocation to ensure no
untrusted characters can break out of the string.


if [[ "$exists" != "1" ]]; then
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres --set=database="$database" \
--command 'CREATE DATABASE :"database"'
fi
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres \
--command "CREATE DATABASE \"$database\""
Comment on lines +12 to +13

@coderabbitai coderabbitai Bot Jun 9, 2026

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Database creation uses safer identifier quoting but still benefits from input validation.

The double-quoted identifier syntax (CREATE DATABASE "$database") is more injection-resistant than the single-quoted string literal in the existence check above. However, database names containing double quotes would still require proper escaping ("" in PostgreSQL).

The input validation suggested in the previous comment (lines 8-10) would also protect this statement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docker/postgres/init-databases.sh` around lines 12 - 13, Validate and
sanitize the database name in the script before using it in the psql CREATE
DATABASE command: ensure the shell variable database contains only allowed
characters (e.g., letters, digits, underscores, hyphens) or otherwise reject it,
and escape any embedded double quotes by doubling them (replace " with "")
before interpolating into the SQL; then use the same sanitized/escaped variable
in the psql --command "CREATE DATABASE \"$database\"" invocation so the CREATE
statement is safe from names containing quotes or invalid characters.

}

create_database "${KOIN_DATA_AIRFLOW_DB:-airflow_metadata}"
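
Review bot: The new existence check and the CREATE DATABASE call both splice `$database` straight into the SQL text (`datname = '$database'` and `CREATE DATABASE \"$database\"`), giving up the quoting that the removed `:'database'` and `:"database"` forms were meant to provide. psql does not interpolate variables inside a `--command` string, which matches the syntax error named in the title, but it does interpolate them in SQL read from standard input or a file, so keeping `--set=database="$database"` and feeding both statements to psql on stdin instead of through `--command` would fix the error while keeping psql's literal and identifier quoting. Separately, `| grep -q 1 && return 0` hides a failing lookup: under `set -euo pipefail` the removed `exists="$(...)"` assignment aborted the script when psql failed, whereas a non-zero pipeline on the left of `&&` is ignored and the function goes on to run CREATE DATABASE. Capturing the result and comparing it to `1`, as the old code did, keeps the fail-fast behaviour and avoids `grep -q 1` matching any output that merely contains a 1.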