Commit 7ab5923

authored

Redact input URL string to prevent console printing (#3486)

1 parent 6b016b3 commit 7ab5923Copy full SHA for 7ab5923

File tree

+30

-5

lines changed

+30

-5

lines changed

Lines changed: 10 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,16 @@ function parse(str, options = {}) {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`try {`
`26`		`- result = new URL(str, 'postgres://base')`
`27`		`- } catch (e) {`
`28`		`- // The URL is invalid so try again with a dummy host`
`29`		`- result = new URL(str.replace('@/', '@___DUMMY___/'), 'postgres://base')`
`30`		`- dummyHost = true`
	`26`	`+ try {`
	`27`	`+ result = new URL(str, 'postgres://base')`
	`28`	`+ } catch (e) {`
	`29`	`+ // The URL is invalid so try again with a dummy host`
	`30`	`+ result = new URL(str.replace('@/', '@___DUMMY___/'), 'postgres://base')`
	`31`	`+ dummyHost = true`
	`32`	`+ }`
	`33`	`+ } catch (err) {`
	`34`	`+ // Remove the input from the error message to avoid leaking sensitive information`
	`35`	`+ err.input && (err.input = '***REDACTED***')`
`31`	`36`	`}`
`32`	`37`
`33`	`38`	`// We'd like to use Object.fromEntries() here but Node.js 10 does not support it`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -315,6 +315,26 @@ describe('parse', function () {`
`315`	`315`	`}).to.throw()`
`316`	`316`	`})`
`317`	`317`
	`318`	`+ it('when throwing on invalid url does not print out the password in the error message', function () {`
	`319`	`+ const host = 'localhost'`
	`320`	`+ const port = 5432`
	`321`	`+ const user = 'user'`
	`322`	+ const password = 'g#4624$@F$#v`'
	`323`	`+ const database = 'db'`
	`324`	`+`
	`325`	+ const connectionString = `postgres://${user}:${password}@${host}:${port}/${database}`
	`326`	`+ expect(function () {`
	`327`	`+ parse(connectionString)`
	`328`	`+ }).to.throw()`
	`329`	`+ try {`
	`330`	`+ parse(connectionString)`
	`331`	`+ } catch (err: unknown) {`
	`332`	`+ expect(JSON.stringify(err)).to.not.include(password, 'Password should not be in the error message')`
	`333`	`+ return`
	`334`	`+ }`
	`335`	`+ throw new Error('Expected an error to be thrown')`
	`336`	`+ })`
	`337`	`+`
`318`	`338`	`it('configuration parameter sslmode=verify-ca and sslrootcert with uselibpqcompat query param', function () {`
`319`	`339`	`const connectionString = 'pg:///?sslmode=verify-ca&uselibpqcompat=true&sslrootcert=' + __dirname + '/example.ca'`
`320`	`340`	`const subject = parse(connectionString)`

Comments

(0)