fluidasserts.db.postgresql module

Dynamic Application Security Testing Suite of PostgreSQL Databases.

The entire suite has been tested on the following PostgreSQL releases:

class fluidasserts.db.postgresql.ConnectionString(dbname, user, password, host, port, sslmode)

Bases: tuple

Container with connection parameters and credentials

property dbname

Alias for field number 0

property host

Alias for field number 3

property password

Alias for field number 2

property port

Alias for field number 4

property sslmode

Alias for field number 5

property user

Alias for field number 1

fluidasserts.db.postgresql.allows_too_many_concurrent_connections(dbname, user, password, host, port, max_connections=100)

Check if number of allowed connections exceed the organization threshold.

An unlimited or high number of concurrent connections to PostgreSQL could allow a successful Denial of Service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users.

Limiting the number of concurrent sessions per user is helpful in reducing these risks.

See:

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

  • max_connections (int) – organization defined number of concurrent connections, a hundred is PostgreSQL’s default. However, hardware and network settings are highly coupled to a propper value for this setting.

Returns

  • OPEN if max_connections system variable is greater than the specified max_connections parameter.

  • UNKNOWN on errors,

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.database(connection_string)

Context manager to get a safe connection and a cursor.

Parameters

connection_string (fluidasserts.db.postgresql.ConnectionString) – Connection parameter and credentials.

Return type

typing.Iterator[typing.Tuple[typing.Any, typing.Any]]

Returns

A tuple of (connection object, cursor object).

fluidasserts.db.postgresql.does_not_invalidate_session_ids(dbname, user, password, host, port, statement_timeout=60000, tcp_keepalives_idle=7200, tcp_keepalives_interval=75, tcp_keepalives_count=9)

Check if session IDs are properly invalidated by timing out the connection.

Session IDs are tokens generated by PostgreSQL to uniquely identify a user’s (or process’s) session.

Based on this session ID, the Database Management System will make access decisions and execute operational logic.

Having unique session IDs help to reduce the predictability of said identifiers, and to prevent reuse and replay attacks.

See:

Default TCP keepalives values taken from the TCP Man Pages.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

  • statement_timeout (int) – organization defined timeout in milliseconds for an statement.

  • tcp_keepalives_idle (int) – organization defined number of seconds of inactivity after which TCP should send a keepalive message to the client.

  • tcp_keepalives_interval (int) – organization defined number of seconds after which a TCP keepalive message that is not acknowledged by the client should be retransmitted.

  • tcp_keepalives_count (int) – organization defined number of TCP keepalives that can be lost before the server’s connection to the client is considered dead.

Returns

  • OPEN if any of statement_timeout, tcp_keepalives_idle, tcp_keepalives_interval, or tcp_keepalives_count system variables is greater than the specified parameters.

  • UNKNOWN on errors,

  • CLOSED otherwise.

Note that setting the TCP options to 0 is valid too, as it would use the system defaults.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.does_not_support_ssl(dbname, user, password, host, port)

Check if the server supports SSL connections.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if server does not allow SSL connections.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.has_insecure_file_permissions(dbname, user, password, host, port)

Check if database’s data directory and log files have insecure permissions.

By default PostgreSQL set the data_directory file permissions (data_directory_mode) to 0700, and the generated log files permissions (log_file_mode) at log_directory/log_filename to 0600.

This file permissions are reasonable, and must be kept like that!

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if data_directory_mode or log_file_mode are not set to 0700 and 0600.

  • UNKNOWN on errors,

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.has_insecure_password_encryption(dbname, user, password, host, port)

Check if PostgreSQL implementation stores passwords using weak algorithms.

Commands like CREATE USER or ALTER USER use the algorithm specified in the system variable password_encryption to store the hashed username and password in the pg_shadow table.

Setting password_encryption to scram-sha-256. is suggested.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if password_encryption is not set to a strong algorithm.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.has_insecurely_stored_passwords(dbname, user, password, host, port)

Check if database has passwords stored with a weak algorithm.

PostgreSQL stores the database users and passwords hashed in the pg_shadow table. This method will check if any of them is hashed with a weak algorithm, or even in plain text.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if some shadow record in the pg_shadow table is not using a strong digest algorithm.

  • UNKNOWN on errors,

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.has_not_data_checksums_enabled(dbname, user, password, host, port)

Check if the PostgreSQL implementation has data checksums disabled.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if system variables data_checksums, and ignore_checksum_failure are not configured to guarantee data integrity.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.has_not_logging_enabled(dbname, user, password, host, port)

Check if the PostgreSQL implementation logs all transactions.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if system variables logging_collector, log_statement, log_directory, and log_filename are not configured to log all database transactions, and other system variables as described in the check output are not set to the specified values.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.postgresql.have_access(dbname, user, password, host, port)

Check if the given connection parameters allow to connect to the database.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if we were able to connect to the database.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result