Vulnerabilities fix

.github/workflows/build.yaml

@@ -15,7 +15,7 @@ on:
 
 env:
   TAG_NAME: ${{ github.event.release.tag_name || github.ref }}
-  PUSH: ${{ github.event_name != 'workflow_dispatch' || inputs.publish_docker }}
+  PUSH: ${{ (github.event_name != 'workflow_dispatch' || inputs.publish_docker) && github.actor != 'dependabot[bot]' }}
 
 jobs:
   multiplatform_build:

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22.5-alpine3.19 as builder
+FROM --platform=$BUILDPLATFORM golang:1.22.5-alpine3.19 AS builder
 
 ENV GO111MODULE=on
 
@@ -41,7 +41,7 @@ RUN apt-get --no-install-recommends install -y comerr-dev \
                        postgresql-13 postgresql-14 postgresql-15 postgresql-16 \
                        jq \
                        openssl curl  
-RUN python3 -m pip install -U setuptools 
+RUN python3 -m pip install -U setuptools==70.0.0 
 RUN python3 -m pip install --no-cache-dir -r /root/requirements.txt \
       && python3 -m pip install --upgrade pip \
       && python3 -m pip install grpcio \
@@ -56,7 +56,7 @@ RUN python3 -m pip install --no-cache-dir -r /root/requirements.txt \
 
 RUN ln -s /usr/bin/python3 /usr/bin/python
 
-COPY --from=builder --chown=${USER_UID} /workspace/_output/bin/azure_restore /opt/backup/
+COPY --from=builder /workspace/_output/bin/azure_restore /opt/backup/
 COPY docker/postgres/ docker/health.sh /opt/backup/
 COPY docker/granular /opt/backup/granular
 COPY docker/postgres/encryption.py /opt/backup/granular/encryption.py

docker/granular/pg_restore.py

@@ -630,8 +630,8 @@ def grant_connect_for_external_pg(self, roles_backup_path, db_name):
                     conn.autocommit = True
                     with conn.cursor() as cur:
                         cur.execute(
-                            "SELECT 'ALTER TABLE '||schemaname||'.'||tablename||' OWNER TO {};' FROM pg_tables "
-                            "WHERE NOT schemaname IN ('pg_catalog', 'information_schema')".format(role_name))
+                            "SELECT 'ALTER TABLE '||schemaname||'.'||tablename||' OWNER TO \"%(role)s\";' FROM pg_tables "
+                            "WHERE NOT schemaname IN ('pg_catalog', 'information_schema')", {"role": AsIs(role_name)})
                         alter_roles = [r[0] for r in cur.fetchall()]
                         for alter_role in alter_roles:
                             self.log.debug(self.log_msg("Try execute command: %s" % alter_role))
@@ -642,8 +642,8 @@ def grant_connect_for_external_pg(self, roles_backup_path, db_name):
                                                            "ERROR: {}".format(alter_role, e)))
 
                         cur.execute("SELECT 'ALTER SEQUENCE '||sequence_schema||'.'||sequence_name||' OWNER TO "
-                                    "{};' FROM information_schema.sequences WHERE NOT sequence_schema "
-                                    "IN ('pg_catalog', 'information_schema')".format(role_name))
+                                    "\"%(role)s\";' FROM information_schema.sequences WHERE NOT sequence_schema "
+                                    "IN ('pg_catalog', 'information_schema')", {"role": AsIs(role_name)})
                         alter_sequences = [r[0] for r in cur.fetchall()]
                         for alter_sequence in alter_sequences:
                             self.log.debug(self.log_msg("Try execute command: %s" % alter_sequence))
@@ -653,9 +653,9 @@ def grant_connect_for_external_pg(self, roles_backup_path, db_name):
                                 self.log.info(self.log_msg("ERROR ALTER SEQUENCE. Command: {} "
                                                            "ERROR: {}".format(alter_sequence, e)))
 
-                        cur.execute("SELECT 'ALTER VIEW '||table_schema||'.'||table_name ||' OWNER TO {};' "
+                        cur.execute("SELECT 'ALTER VIEW '||table_schema||'.'||table_name ||' OWNER TO \"%(role)s\";' "
                                     "FROM information_schema.views WHERE NOT table_schema "
-                                    "IN ('pg_catalog', 'information_schema')".format(role_name))
+                                    "IN ('pg_catalog', 'information_schema')", {"role": AsIs(role_name)})
                         alter_views = [r[0] for r in cur.fetchall()]
                         for alter_view in alter_views:
                             self.log.debug(self.log_msg("Try execute command: %s" % alter_view))
@@ -664,10 +664,11 @@ def grant_connect_for_external_pg(self, roles_backup_path, db_name):
                             except Exception as e:
                                 self.log.info(self.log_msg("ERROR ALTER VIEW. Command: {} "
                                                            "ERROR: {}".format(alter_view, e)))
-                        cur.execute("GRANT {} TO {};".format(role_name, configs.postgresql_user()))
+                        cur.execute("GRANT \"%(role)s\" TO \"%(admin)s\";", {"role": AsIs(role_name),
+                                                                             "admin": AsIs(configs.postgresql_user())})
                         try:
                             cur.execute(
-                                "ALTER ROLE {} WITH LOGIN;".format(role_name))
+                                "ALTER ROLE \"%(role)s\" WITH LOGIN;", {"role": AsIs(role_name)})
                         except Exception as e:
                             self.log.info(self.log_msg("ERROR ALTER ROLE {} WITH LOGIN "
                                                        "ERROR: {}".format(role_name, e)))