Skip to content

Commit

Permalink
Redact password from query_options
Browse files Browse the repository at this point in the history
to avoid leaking credentials in exceptions via #inspect

Closes #1049
  • Loading branch information
flavorjones committed Sep 21, 2023
1 parent 79f78f9 commit 508cd3e
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/mysql2/client.rb
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,10 @@ def initialize(opts = {})
warn "============= END WARNING FROM mysql2 ========="
end

# avoid logging sensitive data via #inspect
@query_options.delete(:password)
@query_options.delete(:pass)

user = opts[:username] || opts[:user]
pass = opts[:password] || opts[:pass]
host = opts[:host] || opts[:hostname]
Expand Down
19 changes: 19 additions & 0 deletions spec/mysql2/client_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -1173,4 +1173,23 @@ def run_gc
it "should respond to #encoding" do
expect(@client).to respond_to(:encoding)
end

it "should not include the password in the output of #inspect" do
client_class = Class.new(Mysql2::Client) do
def connect(*args)
end
end

client = client_class.new(password: "secretsecret")

expect(client.inspect).not_to include("password")
expect(client.inspect).not_to include("secretsecret")

expect do
client = client_class.new(pass: "secretsecret")
end.to output(/WARNING/).to_stderr

expect(client.inspect).not_to include("pass")
expect(client.inspect).not_to include("secretsecret")
end
end

0 comments on commit 508cd3e

Please sign in to comment.