Skip to content

Escape PostgreSQL connection string whitespace#7787

Merged
rickbrouwer merged 1 commit into
kedacore:mainfrom
zroubalik:fix-postgresql-connstring-whitespace-7784
May 27, 2026
Merged

Escape PostgreSQL connection string whitespace#7787
rickbrouwer merged 1 commit into
kedacore:mainfrom
zroubalik:fix-postgresql-connstring-whitespace-7784

Conversation

@zroubalik

@zroubalik zroubalik commented May 26, 2026

Copy link
Copy Markdown
Member

Escapes PostgreSQL scaler generated keyword/value connection string parameters more defensively.

Generated connection strings previously quoted parameters only when they contained a literal space. This now quotes values containing any whitespace and escapes quote/backslash characters so user-provided values cannot split into additional connection parameters.

Checklist

  • Tests have been added (if applicable)
  • Changelog has been updated and is aligned with our changelog requirements, only when the change impacts end users
  • Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #7784

@snyk-io

snyk-io Bot commented May 26, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@github-actions

Copy link
Copy Markdown

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.

While you are waiting, make sure to:

  • Add an entry in our changelog in alphabetical order and link related issue
  • Update the documentation, if needed
  • Add unit & e2e tests for your changes
  • GitHub checks are passing
  • Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

@keda-automation keda-automation requested review from a team May 26, 2026 14:38
@zroubalik zroubalik marked this pull request as ready for review May 26, 2026 14:41
@zroubalik

zroubalik commented May 26, 2026

Copy link
Copy Markdown
Member Author

/run-e2e postgres
Update: You can check the progress here

passed tests: 3
Execution of tests/scalers/postgresql/azure_postgresql_flex_server_aad_wi/azure_postgresql_flex_server_aad_wi_test.go, has passed after "one" attempts
Execution of tests/scalers/postgresql/postgresql_standalone/postgresql_test.go, has passed after "one" attempts
Execution of tests/scalers/postgresql/postgresql_high_available/postgresql_ha_test.go, has passed after "one" attempts
failed tests: 0

@zroubalik zroubalik mentioned this pull request May 26, 2026
22 tasks
@zroubalik zroubalik added the required:keda-v2.20 This is absolutely mandatory to bring along label May 26, 2026
@zroubalik zroubalik requested a review from Copilot May 26, 2026 14:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the PostgreSQL scaler’s generated keyword/value connection strings to prevent parameter injection via whitespace and quote/backslash characters, addressing issue #7784.

Changes:

  • Update connection-parameter escaping to quote values containing any whitespace and to escape single quotes/backslashes.
  • Add unit tests covering whitespace and quote/backslash escaping, plus an end-to-end connection-string generation case.
  • Document the behavior change in the changelog.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
pkg/scalers/postgresql_scaler.go Strengthens connection parameter escaping to safely quote/escape whitespace and quote/backslash characters.
pkg/scalers/postgresql_scaler_test.go Adds focused tests for the escaping helper and connection string generation behavior with whitespace.
CHANGELOG.md Notes the PostgreSQL scaler change for end users.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@rickbrouwer rickbrouwer added the Awaiting/2nd-approval This PR needs one more approval review label May 26, 2026
@rickbrouwer rickbrouwer removed the Awaiting/2nd-approval This PR needs one more approval review label May 27, 2026
@rickbrouwer rickbrouwer merged commit 703de9d into kedacore:main May 27, 2026
27 checks passed
shcherbak pushed a commit to shcherbak/keda that referenced this pull request Jun 3, 2026
Signed-off-by: Zbynek Roubalik <[email protected]>
Signed-off-by: Yurii Shcherbak <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

required:keda-v2.20 This is absolutely mandatory to bring along

Projects

None yet

Development

Successfully merging this pull request may close these issues.

PostgreSQL scaler generated connection strings do not quote all whitespace

4 participants