From d824ef39bcc14c643751411882f7a73b2552660b Mon Sep 17 00:00:00 2001
From: Andrew Klychkov
Date: Thu, 7 May 2020 15:41:22 +0300
Subject: [PATCH 1/3] postgresql_set: add trust_input parameter
---
 .../database/postgresql/postgresql_set.py | 22 ++++++++++++++++---
 .../tasks/postgresql_set_initial.yml | 19 ++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/plugins/modules/database/postgresql/postgresql_set.py b/plugins/modules/database/postgresql/postgresql_set.py
index 166f7bc63f8..3ad7e91324c 100644
--- a/plugins/modules/database/postgresql/postgresql_set.py
+++ b/plugins/modules/database/postgresql/postgresql_set.py
@@ -59,6 +59,12 @@
 type: str
 aliases:
 - login_db
+ trust_input:
+ description:
+ - If C(no), check whether values of parameters are potentially dangerous.
+ - It does make sense to use C(yes) only when SQL injections are possible.
+ type: bool
+ default: yes
 notes:
 - Supported version of PostgreSQL is 9.4 and later.
 - Pay attention, change setting with 'postmaster' context can return changed is true
@@ -166,6 +172,9 @@
 from copy import deepcopy
 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+ check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
 connect_to_db,
 get_conn_params,
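Review bot: The second description bullet added for `trust_input` in the @@ -59 hunk contradicts the option's own default: with `default: yes` the dangerous-element check only runs when a playbook sets the option to `no`, so the bullet should read `- It makes sense to use C(no) only when SQL injections are possible.` rather than C(yes). The description also never says which parameters are inspected; the main() hunk of this same patch passes `name`, `value` and `session_role` to `check_input`, so a bullet such as `- The check covers I(name), I(value) and I(session_role).` would tell users what is and is not validated. Because the option defaults to trusting input, it is worth stating explicitly that existing playbooks get no validation unless they opt in.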
@@ -287,15 +296,22 @@ def main():
 value=dict(type='str'),
 reset=dict(type='bool'),
 session_role=dict(type='str'),
+ trust_input=dict(type='bool', default=True),
 )
 module = AnsibleModule(
 argument_spec=argument_spec,
 supports_check_mode=True,
 )
- name = module.params["name"]
- value = module.params["value"]
- reset = module.params["reset"]
+ name = module.params['name']
+ value = module.params['value']
+ reset = module.params['reset']
+ session_role = module.params['session_role']
+ trust_input = module.params['trust_input']
+
+ if not trust_input:
+ # Check input for potentially dangerous elements:
+ check_input(module, name, value, session_role)
 # Allow to pass values like 1mb instead of 1MB, etc:
 if value:
diff --git a/tests/integration/targets/postgresql_set/tasks/postgresql_set_initial.yml b/tests/integration/targets/postgresql_set/tasks/postgresql_set_initial.yml
index 01e6de1d750..5ac91de0d0a 100644
--- a/tests/integration/targets/postgresql_set/tasks/postgresql_set_initial.yml
+++ b/tests/integration/targets/postgresql_set/tasks/postgresql_set_initial.yml
@@ -288,6 +288,7 @@
 <<: *task_parameters
 postgresql_set:
 <<: *pg_parameters
+ trust_input: yes
 name: archive_command
 value: 'test ! -f /mnt/postgres/mb/%f && cp %p /mnt/postgres/mb/%f'
@@ -302,3 +303,21 @@
 - assert:
 that:
 - result.query_result.0.reset_val == "test ! -f /mnt/postgres/mb/%f && cp %p /mnt/postgres/mb/%f"
+
+ #############################
+ # Check trust_input parameter
+ - name: postgresql_set - check trust_input
+ <<: *task_parameters
+ postgresql_set:
+ <<: *pg_parameters
+ name: shared_buffers
+ value: 111MB
+ trust_input: no
+ session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+ register: result
+ ignore_errors: yes
+
+ - assert:
+ that:
+ - result is failed
+ - result.msg is search('is potentially dangerous')
From 2a1e109105b8f8860eb49e614e5e6326be654ecd Mon Sep 17 00:00:00 2001
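Review bot: The `if not trust_input:` gate in main() is opt-in because the new `argument_spec` entry defaults to `True`, so every existing playbook keeps passing `name`, `value` and `session_role` through unchecked; the one-line comment should make that visible, e.g. `# Opt-in (trust_input defaults to True): reject name/value/session_role containing potentially dangerous elements`. The integration test added in this patch asserts `result is failed`, which suggests `check_input` fails the module itself rather than returning a verdict; if so, a short note at the call site saying the module does not continue past it would save the next reader a lookup. The hunk also rewrites the three untouched `module.params[...]` assignments from double to single quotes, a cosmetic change that widens a security-relevant diff and would be cleaner as a separate commit. main() starts before and continues past this hunk.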
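Review bot: The new `postgresql_set - check trust_input` task in the @@ -302 hunk is the only case that runs with `trust_input: no`, and it exercises `session_role` alone, while the module also passes `name` and `value` to the check; there is no case showing a rejected `value` or `name`, and none showing that a benign `value` such as `111MB` is accepted with `trust_input: no`. Adding a task that repeats this one with `session_role` omitted and asserts `result is not failed` would guard against the check rejecting ordinary settings, which the `trust_input: yes` added to the `archive_command` task in the previous hunk hints is a real concern for values containing `!`, `&&` and `%`. The assertion `result.msg is search('is potentially dangerous')` couples the test to the exact wording of the failure message; that is acceptable, but a comment noting that the text presumably comes from `check_input` would explain where to update it when the wording changes.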
From: Andrew Klychkov
Date: Thu, 7 May 2020 15:47:29 +0300
Subject: [PATCH 2/3] add changelog fragment
---
 .../fragments/302-postgresql_set_add_trust_input_parameter.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelogs/fragments/302-postgresql_set_add_trust_input_parameter.yml
diff --git a/changelogs/fragments/302-postgresql_set_add_trust_input_parameter.yml b/changelogs/fragments/302-postgresql_set_add_trust_input_parameter.yml
new file mode 100644
index 00000000000..4eb1ec9a945
--- /dev/null
+++ b/changelogs/fragments/302-postgresql_set_add_trust_input_parameter.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- postgresql_set - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/302).
From 35ed7046c32ea4398ee637aba06fe7907cc6d23d Mon Sep 17 00:00:00 2001
From: Andrew Klychkov
Date: Thu, 7 May 2020 16:51:42 +0300
Subject: [PATCH 3/3] fix CI
---
 plugins/modules/database/postgresql/postgresql_set.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/modules/database/postgresql/postgresql_set.py b/plugins/modules/database/postgresql/postgresql_set.py
index 3ad7e91324c..55c2aaae2cf 100644
--- a/plugins/modules/database/postgresql/postgresql_set.py
+++ b/plugins/modules/database/postgresql/postgresql_set.py
@@ -306,7 +306,7 @@ def main():
 name = module.params['name']
 value = module.params['value']
 reset = module.params['reset']
- session_role = module.params['session_role']
+ session_role = module.params['session_role']
 trust_input = module.params['trust_input']
 if not trust_input: