Harden the database deletion against SQL injections

blue-yonder · Feb 1, 2018 · ed2e895 · ed2e895
1 parent 7cd8d01
commit ed2e895
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/postgraas_server/backends/postgres_cluster/postgres_cluster_driver.py b/postgraas_server/backends/postgres_cluster/postgres_cluster_driver.py
@@ -69,7 +69,9 @@ def delete_database(db_name, config):
         con.set_isolation_level(ISOLATION_LEVEL_AUTOCOMMIT)
         with con.cursor() as cur:
             try:
-                cur.execute('''DROP DATABASE "{}";'''.format(db_name))
+                cur.execute(SQL('DROP DATABASE {};').format(
+                    Identifier(db_name),
+                ))
             except psycopg2.ProgrammingError as e:
                 raise ValueError(e.args[0])
 
@@ -79,6 +81,8 @@ def delete_user(username, config):
         con.set_isolation_level(ISOLATION_LEVEL_AUTOCOMMIT)
         with con.cursor() as cur:
             try:
-                cur.execute('''DROP USER "{}";'''.format(get_normalized_username(username)))
+                cur.execute(SQL('DROP USER {};').format(
+                   Identifier(get_normalized_username(username)),
+                ))
             except psycopg2.ProgrammingError as e:
                 raise ValueError(e.args[0])