Skip to content

Add automatic SCRAM-SHA-256 password escaping and comprehensive documentation #797

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add automatic SCRAM-SHA-256 password escaping and comprehensive documentation #797

wants to merge 7 commits into from

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented Sep 11, 2025
edited
Loading

  • Add automatic SCRAM-SHA-256 password escaping and comprehensive documentation
  • Address code scanning alerts for incomplete string escaping
  • Use nil_or_empty? function for password validation check as suggested in code review
  • Fix backslash escaping in SCRAM-SHA-256 password handling
  • Fix markdownlint issues in SCRAM-SHA-256 documentation

Changes

This PR addresses the SCRAM-SHA-256 password handling issue where $ characters in password hashes were being mangled during SQL execution, causing authentication failures.

Key improvements:

  • Automatic Detection: The cookbook detects passwords starting with SCRAM-SHA-256
  • Transparent Escaping: $ characters are automatically escaped as \$ to prevent shell interpretation
  • Proper Backslash Escaping: Fixed excessive backslash escaping from \\\\\\\\ to proper \\\\ for SQL safety
  • Backward Compatible: Only affects SCRAM-SHA-256 passwords; all other formats remain unchanged
  • Code Quality: Used existing nil_or_empty? utility function for cleaner password validation
  • Documentation Quality: Fixed all markdownlint issues for proper documentation formatting

Solution

Users can now simply write:

postgresql_role 'user1' do
  encrypted_password 'SCRAM-SHA-256$4096:salt$key:server'
  action [:create, :update]
end

The cookbook automatically escapes the password for safe SQL execution.

Testing

Verified that:

  • SCRAM-SHA-256 passwords are properly escaped (both $ and \ characters)
  • All existing password formats (MD5, plain text, etc.) remain unchanged
  • Integration test successfully creates users with SCRAM-SHA-256 passwords
  • Backslash escaping uses proper SQL escaping (not excessive escaping)
  • Documentation passes all markdownlint checks

Fixes #703.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 11, 2025
View reviewed changes
@Copilot Copilot AI changed the title [WIP] SCRAM-SHA-256 documentation Add automatic SCRAM-SHA-256 password escaping and comprehensive documentation Sep 11, 2025
@Copilot Copilot AI requested a review from damacus September 11, 2025 23:18
Copilot finished work on behalf of damacus September 11, 2025 23:18
@ramereth @github-advanced-security
Potential fix for code scanning alert no. 5: Incomplete string escapi…
e86ab3b 
…ng or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 12, 2025
View reviewed changes
@damacus damacus marked this pull request as ready for review September 14, 2025 16:16
@damacus damacus requested a review from a team as a code owner September 14, 2025 16:16
@bmhughes @github-advanced-security
Potential fix for code scanning alert no. 6: Incomplete string escapi…
3d40e50 
…ng or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 14, 2025
View reviewed changes
bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
libraries/sql/role.rb Outdated
end

def escape_password_for_sql(password)
return password if password.nil? || password.empty?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Use nil_or_empty? function for this check

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to use nil_or_empty? function for the password check as suggested. The change replaces password.nil? || password.empty? with the more concise nil_or_empty?(password). Commit: 9e7b3d4

@Copilot Copilot AI requested a review from bmhughes September 14, 2025 17:26
Copilot finished work on behalf of bmhughes September 14, 2025 17:26
bmhughes
bmhughes previously approved these changes Sep 14, 2025
View reviewed changes
@bmhughes bmhughes added Bug Something isn't working Release: Patch Release to Chef Supermarket as a version patch when merged labels Sep 14, 2025
bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
libraries/sql/role.rb Outdated
# SCRAM-SHA-256 passwords contain $ characters that can be interpreted
# by shell or string processing. Escape them to prevent mangling.
if password.start_with?('SCRAM-SHA-256')
password.gsub('\\', '\\\\\\\\').gsub("'", "''").gsub('$', '\\$')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Update this to escape backslash characters please

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed the backslash escaping from excessive \\\\\\\\ (8 backslashes) to proper \\\\ (4 backslashes) for correct SQL escaping. Commit: 6b2f5c7

bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
documentation/scram-sha-256.md Outdated
## Password Format

SCRAM-SHA-256 passwords have this specific format:
```
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Specific the code block language as ruby to statisfy markdownlink MD040

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Specified code block language as text to satisfy markdownlint MD040. Commit: 623bf6e

bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
documentation/scram-sha-256.md Outdated
```

Example:
```
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Specific the code block language as ruby to statisfy markdownlink MD040

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Specified code block language as text to satisfy markdownlint MD040. Commit: 623bf6e

bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
bmhughes
bmhughes reviewed Sep 14, 2025
View reviewed changes
@Copilot @bmhughes
Fix backslash escaping in SCRAM-SHA-256 password handling
f743322 
Changed from excessive \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ (8 backslashes) to proper \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ (4 backslashes) for SQL escaping.
Each backslash in the original password is now correctly escaped as \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ (2 backslashes) in the result.

Co-authored-by: bmhughes <[email protected]>
@Copilot Copilot AI requested a review from bmhughes September 14, 2025 17:40
Copilot finished work on behalf of bmhughes September 14, 2025 17:40
Copilot finished work on behalf of bmhughes September 14, 2025 17:44
@github-actions GitHub Actions
Copy link

Slowest examples

Top 10 slowest examples (0.01 seconds, 51.45% of total time)
Example Description Time in seconds
spec/libraries/helpers_spec.rb:19 PostgreSQL::Cookbook::Helpers#data_dir(version) with rhel family and Postgres 11 from repo returns the correct path 0.01272
spec/libraries/role_spec.rb:70 PostgreSQL::Cookbook::SqlHelpers::Role #escape_password_for_sql with edge cases handles nil passwords 0.00318
spec/libraries/helpers_spec.rb:27 PostgreSQL::Cookbook::Helpers#data_dir(version) with rhel family and Postgres 11 from os returns the correct path 0.00039
spec/libraries/helpers_spec.rb:111 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with debian family and Postgres 11 from repo returns the correct service name 0.00037
spec/libraries/helpers_spec.rb:57 PostgreSQL::Cookbook::Helpers#conf_dir(version) with rhel family and Postgres 11 from repo returns the correct path 0.00037
spec/libraries/helpers_spec.rb:119 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with debian family and Postgres 15 from os returns the correct service name 0.00037
spec/libraries/helpers_spec.rb:43 PostgreSQL::Cookbook::Helpers#data_dir(version) with debian family and Postgres 11 from os returns the correct path 0.00034
spec/libraries/helpers_spec.rb:73 PostgreSQL::Cookbook::Helpers#conf_dir(version) with debian family and Postgres 14 from repo returns the correct path 0.00034
spec/libraries/helpers_spec.rb:119 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with debian family and Postgres 12 from os returns the correct service name 0.00034
spec/libraries/helpers_spec.rb:81 PostgreSQL::Cookbook::Helpers#conf_dir(version) with debian family and Postgres 12 from os returns the correct path 0.00034

@github-actions GitHub Actions
Copy link

Slowest examples

Top 10 slowest examples (0.01 seconds, 50.85% of total time)
Example Description Time in seconds
spec/libraries/helpers_spec.rb:19 PostgreSQL::Cookbook::Helpers#data_dir(version) with rhel family and Postgres 11 from repo returns the correct path 0.01233
spec/libraries/role_spec.rb:70 PostgreSQL::Cookbook::SqlHelpers::Role #escape_password_for_sql with edge cases handles nil passwords 0.00304
spec/libraries/helpers_spec.rb:111 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with debian family and Postgres 15 from repo returns the correct service name 0.00035
spec/libraries/helpers_spec.rb:57 PostgreSQL::Cookbook::Helpers#conf_dir(version) with rhel family and Postgres 15 from repo returns the correct path 0.00035
spec/libraries/helpers_spec.rb:95 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with rhel family and Postgres 12 from repo returns the correct service name 0.00035
spec/libraries/helpers_spec.rb:119 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with debian family and Postgres 11 from os returns the correct service name 0.00034
spec/libraries/helpers_spec.rb:103 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with rhel family and Postgres 11 from os returns the correct service name 0.00034
spec/libraries/helpers_spec.rb:27 PostgreSQL::Cookbook::Helpers#data_dir(version) with rhel family and Postgres 11 from os returns the correct path 0.00034
spec/libraries/helpers_spec.rb:19 PostgreSQL::Cookbook::Helpers#data_dir(version) with rhel family and Postgres 15 from repo returns the correct path 0.00034
spec/libraries/helpers_spec.rb:119 PostgreSQL::Cookbook::Helpers#default_platform_service_name(version) with debian family and Postgres 13 from os returns the correct service name 0.00034

@damacus
Copy link
Member

damacus commented Sep 15, 2025

This is ready to release. But I'm going to move it over to the new release workflow before releasing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmhughes bmhughes bmhughes approved these changes

@damacus damacus Awaiting requested review from damacus

Assignees

@damacus damacus

Copilot code review Copilot

Labels

Bug Something isn't working Release: Patch Release to Chef Supermarket as a version patch when merged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SCRAM-SHA-256 documentation

4 participants

@Copilot @damacus @bmhughes @ramereth