Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hide password in log #906

Closed
wants to merge 1 commit into from
Closed

Hide password in log #906

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 56 additions & 1 deletion martin/src/pg/pool.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ pub struct PgPool {
impl PgPool {
pub async fn new(config: &PgConfig) -> Result<Self> {
let conn_str = config.connection_string.as_ref().unwrap().as_str();
info!("Connecting to {conn_str}");
info!("Connecting to {}", hide_pwd(conn_str));
let (pg_cfg, ssl_mode) = parse_conn_str(conn_str)?;

let id = pg_cfg.get_dbname().map_or_else(
Expand Down Expand Up @@ -96,3 +96,58 @@ async fn get_conn(pool: &Pool, id: &str) -> Result<Object> {
.await
.map_err(|e| PostgresPoolConnError(e, id.to_string()))
}

fn hide_pwd(conn_string: &str) -> String {
let mut new_str = conn_string.to_owned();

if let Some(at_idx) = conn_string.find('@') {
if let Some(colon_idx) = &conn_string[..at_idx].find("://") {
if let Some(pwd_idx) = &conn_string[colon_idx + 3..at_idx].find(':') {
let start = pwd_idx + colon_idx + 4;
let end = at_idx;
new_str.replace_range(start..end, &"*".repeat(end - start));
}
}
} else if let Some(pwd_idx) = conn_string.find("password=") {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems there's still a bug here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no no, this is not a good way to do this. Regex is built specifically for this type of jobs, or a dedicated postgres connection string parser (which is part of the postgress connection lib, so hard to reuse in a better way). I did submit a better solution to this (IMO) - #907

In general for this type of issues, take a look at documentation -- I would use something like this, you can try it at https://rustexp.lpil.uk/

^postgres(?:ql)?://[^:@/?]+:([^:@/?]+)@ -- the password is captured as the first capture group

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not good at Regex actually I don't like Regex. So glad to see that there is a dedicated parser in other crate lib. Closed.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason I don't like Regex is it's easy to write hard to read later..

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's not that bad, and it does save you in many cases, so highly advise to embrace it ... sparingly! ;)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH, I don't think the code of this PR is easier to read / understand -- string parsing in code is notoriously non-trivial to understand either

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. I like your #907 🤜

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH, I don't think the code of this PR is easier to read / understand -- string parsing in code is notoriously non-trivial to understand either

TBH I'm exhausted to write this PR🤣

let start = pwd_idx + "password=".len();
let mut end = start;
while end < conn_string.len() - 1 && !conn_string[end..].starts_with('&') {
end += 1;
}
new_str.replace_range(start..end, &"*".repeat(end - start));
}
new_str
}
#[cfg(test)]
mod tests {
use super::*;

#[test]
fn test_hide_pwd() {
let conn_strs = [
"abcdefghij...xyz",
";@",
"password=",
"postgresql://localhost/mydb?k1=v1&k2=v2",
"postgresql://localhost/mydb?password=",
"postgresql://localhost/mydb?password=pwd123",
"postgresql://localhost/mydb?password=pwd123&key2=value2",
"postgresql://user@localhost:5432/mydb",
"postgresql://user:password@localhost:5432/mydb",
];
let expecteds = [
"abcdefghij...xyz",
";@",
"password=",
"postgresql://localhost/mydb?k1=v1&k2=v2",
"postgresql://localhost/mydb?password=",
"postgresql://localhost/mydb?password=******",
"postgresql://localhost/mydb?password=pwd123&key2=value2",
"postgresql://user@localhost:5432/mydb",
"postgresql://user:password@localhost:5432/mydb",
];
for (conn_str, expected) in conn_strs.iter().zip(expecteds.iter()) {
assert_eq!(hide_pwd(conn_str), *expected);
}
}
}