From 508cd3e09011edb111467be9551b5a38e31737e0 Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Thu, 21 Sep 2023 17:50:55 -0400
Subject: [PATCH] Redact password from query_options

to avoid leaking credentials in exceptions via #inspect

Closes #1049
---
 lib/mysql2/client.rb       |  4 ++++
 spec/mysql2/client_spec.rb | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/lib/mysql2/client.rb b/lib/mysql2/client.rb
index 582b6e30..485158ad 100644
--- a/lib/mysql2/client.rb
+++ b/lib/mysql2/client.rb
@@ -78,6 +78,10 @@ def initialize(opts = {})
         warn "============= END WARNING FROM mysql2 ========="
       end
 
+      # avoid logging sensitive data via #inspect
+      @query_options.delete(:password)
+      @query_options.delete(:pass)
+
       user     = opts[:username] || opts[:user]
       pass     = opts[:password] || opts[:pass]
       host     = opts[:host] || opts[:hostname]
diff --git a/spec/mysql2/client_spec.rb b/spec/mysql2/client_spec.rb
index 14f446df..0698cb60 100644
--- a/spec/mysql2/client_spec.rb
+++ b/spec/mysql2/client_spec.rb
@@ -1173,4 +1173,23 @@ def run_gc
   it "should respond to #encoding" do
     expect(@client).to respond_to(:encoding)
   end
+
+  it "should not include the password in the output of #inspect" do
+    client_class = Class.new(Mysql2::Client) do
+      def connect(*args)
+      end
+    end
+
+    client = client_class.new(password: "secretsecret")
+
+    expect(client.inspect).not_to include("password")
+    expect(client.inspect).not_to include("secretsecret")
+
+    expect do
+      client = client_class.new(pass: "secretsecret")
+    end.to output(/WARNING/).to_stderr
+
+    expect(client.inspect).not_to include("pass")
+    expect(client.inspect).not_to include("secretsecret")
+  end
 end