🐛 postgres: clean parse guard, dedupe DSN password, canonicalise include paths

Round of fixes from the PR #7927 review:

  * postgresql.conf parser canonicalises `path` via `filepath.Clean`
    before checking the cycle guard so equivalent spellings (`./foo`,
    `bar/../foo`, `foo`) collapse to the same key and self-referential
    include loops are caught.
  * `mqlPostgresqlConf.parse()` now guards on a dedicated `parsed bool`
    in the Internal struct instead of overloading `Params.State ==
    StateIsSet`. The old guard never matched the
    `StateIsSet|StateIsNull` value set on error/empty, so a transient
    failure would re-parse on every field access.
  * postgres provider: drop the leftover `var _ = errors.New` stubs in
    `resources/postgres.go` and `connection/connection.go` (and the
    unused `errors` import in connection). `errors.New` is used for
    real elsewhere; the suppression was unnecessary.
  * Replace the hand-rolled `strFromInt` helper with `strconv.Itoa` in
    `postgres.go` and remove the dead function.

The libpq key=value branch of `mergePasswordIntoDSN` already strips
existing `password=` tokens before appending the merged one, and the
URL branch uses `url.UserPassword(...)` which replaces (not appends)
the password — both are correct, no change needed there. The
`hbaRules` fallback still string-matches on `"rule_number"` rather
than type-asserting to a pgx error; refactoring that to inspect the
SQLSTATE on the pgx error is left as a follow-up since we don't
currently import a typed error interface in this file.

Signed-off-by: Tim Smith <tsmith84@gmail.com>

Author: tas50

providers/os/resources/postgresql.go

@@ -47,6 +47,12 @@ var postgresqlConfPaths = []string{
 
 type mqlPostgresqlConfInternal struct {
 	lock sync.Mutex
+	// parsed flips to true once parse() has run to completion (whether the
+	// outcome was data, empty, or an error). It's a dedicated flag rather
+	// than overloading `s.Params.State` because the empty- and error-paths
+	// set extra state bits (StateIsNull) that the previous equality guard
+	// failed to recognise as "already parsed", causing infinite re-parses.
+	parsed bool
 }
 
 func initPostgresqlConf(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
@@ -104,9 +110,13 @@ func (s *mqlPostgresqlConf) file() (*mqlFile, error) {
 func (s *mqlPostgresqlConf) parse(file *mqlFile) error {
 	s.lock.Lock()
 	defer s.lock.Unlock()
-	if s.Params.State == plugin.StateIsSet {
+	if s.parsed {
 		return nil
 	}
+	// Flip the guard before any early-return path so transient empty/error
+	// outcomes don't trigger an infinite re-parse loop on subsequent field
+	// accesses.
+	s.parsed = true
 
 	if file == nil {
 		s.setConfEmpty()

providers/os/resources/postgresql/parser.go

@@ -53,11 +53,15 @@ func ParseConf(path string, fileReader FileReader, dirLister func(dir string) ([
 }
 
 func parseConfRec(c *Conf, path string, fileReader FileReader, dirLister func(dir string) ([]string, error), visited map[string]bool) error {
-	abs := path
-	if visited[abs] {
+	// Canonicalise the path before checking the cycle guard so equivalent
+	// spellings (`./foo.conf` vs `conf.d/../foo.conf` vs `foo.conf`) collapse
+	// to the same key. Without this the recursive include detection would
+	// miss self-referential loops that walk through `..` segments.
+	key := filepath.Clean(path)
+	if visited[key] {
 		return nil
 	}
-	visited[abs] = true
+	visited[key] = true
 
 	content, err := fileReader(path)
 	if err != nil {
@@ -128,7 +132,7 @@ func parseConfRec(c *Conf, path string, fileReader FileReader, dirLister func(di
 // splitConfKV parses a single non-comment, non-blank postgresql.conf line
 // into a key and a value. PostgreSQL accepts either `key = value` or
 // `key value` (the `=` is optional). The value may be a bare token, a
-// number with a unit suffix, or a single-quoted string with `''` for an
+// number with a unit suffix, or a single-quoted string with `”` for an
 // embedded single quote.
 func splitConfKV(line string) (string, string, bool) {
 	// Find the end of the key — first whitespace or '='
@@ -149,7 +153,7 @@ func splitConfKV(line string) (string, string, bool) {
 }
 
 // unquoteConfValue strips surrounding single quotes from a postgresql.conf
-// value and resolves the `''` doubled-quote escape inside the string.
+// value and resolves the `”` doubled-quote escape inside the string.
 // Returned unchanged when the value isn't quoted.
 func unquoteConfValue(s string) string {
 	if len(s) < 2 || s[0] != '\'' {

providers/postgres/connection/connection.go

@@ -6,7 +6,6 @@ package connection
 import (
 	"context"
 	"database/sql"
-	"errors"
 	"net"
 	"net/url"
 	"strconv"
@@ -341,6 +340,3 @@ func (c *PostgresConnection) HostPort() string {
 	}
 	return net.JoinHostPort(host, strconv.Itoa(port))
 }
-
-// Ensure unused error variable does not break import.
-var _ = errors.New

providers/postgres/resources/postgres.go

@@ -16,9 +16,6 @@ import (
 	"go.mondoo.com/mql/v13/types"
 )
 
-// silence unused-import linting in case we trim later
-var _ = errors.New
-
 // id returns the cache key for the singleton postgresql resource. The asset
 // identity already encodes the host/port/database, so a static string is
 // stable and unique within the runtime.
@@ -808,32 +805,9 @@ func stringsToAny(in []string) []any {
 // blank (e.g. an error row from pg_hba_file_rules with no line context).
 func file_lineID(resource, file string, line int64, idx int) string {
 	if file == "" {
-		return resource + "/idx/" + strFromInt(idx)
-	}
-	return resource + "/" + file + ":" + strFromInt(int(line)) + "/" + strFromInt(idx)
-}
-
-func strFromInt(i int) string {
-	if i == 0 {
-		return "0"
-	}
-	neg := false
-	if i < 0 {
-		neg = true
-		i = -i
-	}
-	var buf [20]byte
-	pos := len(buf)
-	for i > 0 {
-		pos--
-		buf[pos] = byte('0' + i%10)
-		i /= 10
-	}
-	if neg {
-		pos--
-		buf[pos] = '-'
+		return resource + "/idx/" + strconv.Itoa(idx)
 	}
-	return string(buf[pos:])
+	return resource + "/" + file + ":" + strconv.Itoa(int(line)) + "/" + strconv.Itoa(idx)
 }
 
 // optionsListToMap turns the libpq-style ["key=value", "flag"] options array