This is because PathEscape does not escape colons as one would assume:
url.PathEscape("test:test")
// Results in "test:test" being passed to conn string sprintf
This change makes it impossible to use usernames with colon (a real world consequence of using ${aws:userid} in AWS IAM policies, which results in usernames like AROA1234567890ABCD:mateusz@somewhere.com), but also opens the path for injection attack on the conn string in this sprintf.
This is compared to the previous usage of:
url.QueryEscape("test:test")
// Results in test%3Atest
which was correct as far as colons were concerned (but then it didn't encode spaces as %20).
It seems to me than neither QueryEscape nor PathEscape are fit for this particular purpose, since we are encoding the username part, not query or path. I expect this will also lead to problems with passwords that have colons. I googled a bunch trying to find the right API to use, but so far no luck.
Note I can't work around it by simply escaping the username myself before passing it on - PathEscape double-encodes percentage signs.
Hi there,
Turns out https://github.com/cyrilgdn/terraform-provider-postgresql/pull/344 broke usernames with colon and introduced a security issue (username leakage into conn string).
This is because
PathEscape
does not escape colons as one would assume:This change makes it impossible to use usernames with colon (a real world consequence of using
${aws:userid}
in AWS IAM policies, which results in usernames likeAROA1234567890ABCD:mateusz@somewhere.com
), but also opens the path for injection attack on the conn string in this sprintf.This is compared to the previous usage of:
which was correct as far as colons were concerned (but then it didn't encode spaces as
%20
).It seems to me than neither
QueryEscape
norPathEscape
are fit for this particular purpose, since we are encoding the username part, not query or path. I expect this will also lead to problems with passwords that have colons. I googled a bunch trying to find the right API to use, but so far no luck.Note I can't work around it by simply escaping the username myself before passing it on -
PathEscape
double-encodes percentage signs.Terraform Version
Terraform v1.6.6 on darwin_arm64
Affected Resource(s)
provider
Terraform Configuration Files
Debug Output
Panic Output
n/a
Expected Behavior
I should be able to use acceptable usernames (as is the case in 1.20.0)
Actual Behavior
Username was truncated, resulting in connection failure
Steps to Reproduce
Use username with colon with the provider.
Important Factoids
n/a
References
https://github.com/cyrilgdn/terraform-provider-postgresql/pull/344