Merge pull request #51462 from ShantonRU/fix-insecure-sql-queries-in-mysql-module-1

Fix insecure SQL queries in MySQL module

salt/modules/mysql.py

@@ -1533,28 +1533,23 @@ def user_chpass(user,
         password_column = __password_column(**connection_args)
 
     cur = dbc.cursor()
+    args['user'] = user
+    args['host'] = host
     if salt.utils.versions.version_cmp(server_version, '8.0.11') >= 0:
-        qry = ("ALTER USER '" + user + "'@'" + host + "'"
-               " IDENTIFIED BY '" + password + "';")
-        args = {}
+        qry = "ALTER USER %(user)s@%(host)s IDENTIFIED BY %(password)s;"
     else:
-        qry = ('UPDATE mysql.user SET ' + password_column + '='
-               + password_sql +
+        qry = ('UPDATE mysql.user SET ' + password_column + '=' + password_sql +
                ' WHERE User=%(user)s AND Host = %(host)s;')
-        args['user'] = user
-        args['host'] = host
     if salt.utils.data.is_true(allow_passwordless) and \
             salt.utils.data.is_true(unix_socket):
         if host == 'localhost':
+            args['unix_socket'] = 'auth_socket'
             if salt.utils.versions.version_cmp(server_version, '8.0.11') >= 0:
-                qry = ("ALTER USER '" + user + "'@'" + host + "'"
-                       " IDENTIFIED BY '" + password + "';")
-                args = {}
+                qry = "ALTER USER %(user)s@%(host)s IDENTIFIED WITH %(unix_socket)s AS %(user)s;"
             else:
                 qry = ('UPDATE mysql.user SET ' + password_column + '='
                        + password_sql + ', plugin=%(unix_socket)s' +
                        ' WHERE User=%(user)s AND Host = %(host)s;')
-                args['unix_socket'] = 'unix_socket'
         else:
             log.error('Auth via unix_socket can be set only for host=localhost')
     try:

tests/unit/modules/test_mysql.py

@@ -187,7 +187,11 @@ class MySQLTestCase(TestCase, LoaderModuleMockMixin):
                     mysql.user_chpass('testuser', password='BLUECOW')
                     calls = (
                         call().cursor().execute(
-                            "ALTER USER 'testuser'@'localhost' IDENTIFIED BY 'BLUECOW';"
+                            "ALTER USER %(user)s@%(host)s IDENTIFIED BY %(password)s;",
+                            {'password': 'BLUECOW',
+                             'user': 'testuser',
+                             'host': 'localhost',
+                            }
                         ),
                         call().cursor().execute('FLUSH PRIVILEGES;'),
                     )