fix(postgres): make security denylist case-insensitive

PostgreSQL parameter names are case-insensitive, but the denylist
check was case-sensitive, allowing bypass via mixed-case names
(e.g., ARCHIVE_COMMAND instead of archive_command).

Normalize parameter names to lowercase before checking against the
denylist to prevent security bypass.

Thanks to CodeRabbit for catching this security issue.

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
This commit is contained in:
IvanHunters 2026-04-27 18:46:42 +03:00 committed by IvanHunters
parent 96c7c16c21
commit fac0622499
No known key found for this signature in database
GPG key ID: BB2523A864CCA99B
2 changed files with 2 additions and 1 deletions

View file

@ -65,7 +65,8 @@ spec:
{{- /* Security: Block parameters that could allow shell command execution */ -}}
{{- $dangerousParams := list "archive_command" "restore_command" "ssl_passphrase_command" "log_destination" "event_source" }}
{{- range $key, $value := $params }}
{{- if has $key $dangerousParams }}
{{- $normalizedKey := lower $key }}
{{- if has $normalizedKey $dangerousParams }}
{{- fail (printf "SECURITY: Parameter '%s' is blocked for security reasons. This parameter could allow arbitrary shell command execution and is managed by CloudNativePG operator." $key) }}
{{- end }}
{{ $key }}: {{ $value | quote }}