From 5904fae80bbbd9e583f82c1afdfe3df963caeef0 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Thu, 13 Feb 2025 16:45:06 +0100
Subject: [PATCH] root: correctly use correct schema for install_id (#13018)
* root: correctly use correct schema for install_id
Signed-off-by: Jens Langhammer #13006
* format
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
---
 authentik/root/install_id.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/authentik/root/install_id.py b/authentik/root/install_id.py
index e4f41cddff..ec03da61d4 100644
--- a/authentik/root/install_id.py
+++ b/authentik/root/install_id.py
@@ -7,7 +7,12 @@ from psycopg import connect
 from authentik.lib.config import CONFIG
-QUERY = """SELECT id FROM %s.authentik_install_id ORDER BY id LIMIT 1;"""
+# We need to string format the query as tables and schemas can't be set by parameters
+# not a security issue as the config value is set by the person installing authentik
+# which also has postgres credentials etc
+QUERY = """SELECT id FROM {}.authentik_install_id ORDER BY id LIMIT 1;""".format( # nosec
+ CONFIG.get("postgresql.default_schema")
+)
 @lru_cache
@@ -20,7 +25,7 @@ def get_install_id() -> str:
 if settings.TEST:
 return str(uuid4())
 with connection.cursor() as cursor:
- cursor.execute(QUERY, (CONFIG.get("postgresql.default_schema")))
+ cursor.execute(QUERY)
 return cursor.fetchone()[0]
@@ -40,5 +45,5 @@ def get_install_id_raw():
 sslkey=CONFIG.get("postgresql.sslkey"),
 )
 cursor = conn.cursor()
- cursor.execute(QUERY, params=(CONFIG.get("postgresql.default_schema")))
+ cursor.execute(QUERY)
 return cursor.fetchone()[0]
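Review bot: The new `QUERY` assignment in the first hunk interpolates `postgresql.default_schema` into the statement unquoted, so the statement is only as safe as every source that can set that key, and a schema name that needs quoting (mixed case, a dash) yields a broken query. psycopg can compose the identifier with quoting instead: `QUERY = sql.SQL("SELECT id FROM {}.authentik_install_id ORDER BY id LIMIT 1;").format(sql.Identifier(CONFIG.get("postgresql.default_schema")))` with `from psycopg import sql`; confirm that the Django cursor in `get_install_id` accepts a composed statement before relying on it. If plain string formatting stays, narrow the suppression to `# nosec B608` so Bandit still reports anything else on that line. The value is now read once at import time rather than at each `cursor.execute(QUERY)` in the second and third hunks, which is worth a word in the comment.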