From 5b14a1208c45a9913d36d1fc1d69d15c59fa2f9a Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Sat, 6 Mar 2021 12:31:38 +0100
Subject: [PATCH] Ensure port is a string in psql command
In 841187b0ec29726c0fe39ea2ad710a5ead42d2e0 a shell execution vulnerability was fixed by passing an array. In my environment (Debian 10, Ruby 2.5, Puppet 5) it was failing because port was an Integer and command execution only allows Strings. This explicitly converts the port to a string.
Fixes: 841187b0ec29726c0fe39ea2ad710a5ead42d2e0
---
 lib/puppet/provider/postgresql_psql/ruby.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/puppet/provider/postgresql_psql/ruby.rb b/lib/puppet/provider/postgresql_psql/ruby.rb
index 715d9b5273..1cfbbca094 100644
--- a/lib/puppet/provider/postgresql_psql/ruby.rb
+++ b/lib/puppet/provider/postgresql_psql/ruby.rb
@@ -15,7 +15,7 @@ def run_sql_command(sql)
 command = [resource[:psql_path]]
 command.push('-d', resource[:db]) if resource[:db]
- command.push('-p', resource[:port]) if resource[:port]
+ command.push('-p', resource[:port].to_s) if resource[:port]
 command.push('-t', '-X', '-c', sql)
 environment = fetch_environment
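Review bot: The `.to_s` on the `-p` line fixes the Integer port, but the diffstat shows only the provider file changed, so no spec pins the case that broke after the array-form fix. A provider spec that sets an Integer port and expects `'-p'` followed by its String form in the executed argument array would guard against a regression. The neighbouring `resource[:psql_path]` and `resource[:db]` pushes stay uncoerced; if the type does not already munge them to Strings (not visible here), they would presumably fail the same way. Since `.to_s` accepts any value, validating the port as numeric in the type rather than at the call site would keep a malformed value out of psql's argument list. The body of run_sql_command starts and ends outside the hunk.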