Skip to content

Commit

Permalink
fix(log): don"t print querylog target password when using a database
Browse files Browse the repository at this point in the history
  • Loading branch information
@ThinkChaos
ThinkChaos committed Apr 2, 2024
1 parent 28f979f commit 2c6b704
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 1 deletion.
29 changes: 28 additions & 1 deletion config/query_log.go
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
package config

import (
"net/url"
"strings"

"github.com/sirupsen/logrus"
)

Expand Down Expand Up @@ -32,7 +35,7 @@ func (c *QueryLog) LogConfig(logger *logrus.Entry) {
logger.Infof("type: %s", c.Type)

if c.Target != "" {
logger.Infof("target: %s", c.Target)
logger.Infof("target: %s", c.censoredTarget())
}

logger.Infof("logRetentionDays: %d", c.LogRetentionDays)
Expand All @@ -41,3 +44,27 @@ func (c *QueryLog) LogConfig(logger *logrus.Entry) {
logger.Infof("flushInterval: %s", c.FlushInterval)
logger.Infof("fields: %s", c.Fields)
}

func (c *QueryLog) censoredTarget() string {
// Make sure there's a scheme, otherwise the user is parsed as the scheme
targetStr := c.Target
if !strings.Contains(targetStr, "://") {
targetStr = c.Type.String() + "://" + targetStr
}

target, err := url.Parse(targetStr)
if err != nil {
return c.Target
}

if target.User == nil {
return c.Target
}

// Drop the password since special chars like * get URL escaped
if pass, hasPass :=target.User.Password(); hasPass {
return strings.Replace(target.String(), pass, strings.Repeat("*", len(pass)), 1)
}

return target.String()
}
15 changes: 15 additions & 0 deletions config/query_log_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,21 @@ var _ = Describe("QueryLogConfig", func() {
Expect(hook.Calls).ShouldNot(BeEmpty())
Expect(hook.Messages).Should(ContainElement(ContainSubstring("logRetentionDays:")))
})

DescribeTable("doesn't print the target password", func(target string) {
cfg.Type = QueryLogTypeMysql
cfg.Target = target

cfg.LogConfig(logger)

Expect(hook.Calls).ShouldNot(BeEmpty())
Expect(hook.Messages).ShouldNot(ContainElement(ContainSubstring("password")))
},
Entry("without scheme", "user:password@localhost"),
Entry("with scheme", "scheme://user:password@localhost"),
Entry("no password", "localhost"),
Entry("not a URL", "invalid!://"),
)
})

Describe("SetDefaults", func() {
Expand Down

0 comments on commit 2c6b704

Please sign in to comment.