Skip to content
This repository has been archived by the owner on May 5, 2020. It is now read-only.

Scrub passwords from error output #81

Merged
merged 5 commits into from Jul 18, 2018
Merged

Scrub passwords from error output #81

merged 5 commits into from Jul 18, 2018

Conversation

mkenney
Copy link
Contributor

@mkenney mkenney commented Jul 13, 2018

This is in reference to #79.

@mkenney
Copy link
Contributor Author

mkenney commented Jul 13, 2018

There's an s3 credentials error in the build trying to fetch the instantclient.

tgulacsi
tgulacsi reviewed Jul 14, 2018
View reviewed changes
Copy link
Contributor

@tgulacsi tgulacsi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A String method for ConnectionParams would be better.

tgulacsi
tgulacsi suggested changes Jul 14, 2018
View reviewed changes
Copy link
Contributor

@tgulacsi tgulacsi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A String method on ConnectionParams would be better and more general.

@mkenney
Copy link
Contributor Author

mkenney commented Jul 14, 2018
edited
Loading

@tgulacsi, ConnectionParams does have a String method which is what's being used for the error output (which is the root of the issue).

I agree the two things should be separate, and I don't particularly like intercepting and sanitizing the flow this way, but it also smells bad to do to much more around scoping here as suggested by @veqryn without being more familiar with the consequences for downstream projects.

My only goal is to prevent unexpected or unintended output of sensitive data. I thought about maybe adding an error or even an Error method. Error feels weird, making ConnectionParams an error, but an unexported error or sanitizedString method might make more sense. Thoughts?

@tgulacsi
Copy link
Contributor

I wanted to say that changing line 535 of drv.go from

User:   url.UserPassword(P.Username, P.Password),

to

User:   url.UserPassword(P.Username, "***"),

would be enough, wouldn't it?

@tgulacsi
Copy link
Contributor

Oops, and everywhere where password is printed, logged, errored: lines 447, 458, 481, 492, 535 of drv.go.

@mkenney
Copy link
Contributor Author

mkenney commented Jul 18, 2018

Ahh, I see. Ok, I'll take a closer look and push up a change. Thanks!

@mkenney
Copy link
Contributor Author

mkenney commented Jul 18, 2018

So it looks like ConnectionParams.string is used for both logging and creating the actual connection string so changing 535 to User: url.UserPassword(P.Username, "***"), will break some things unless I'm missing something.

I'll find those cases (there might just be the one) and split them out to use another method or maybe add a param to the string method...

@tgulacsi
Copy link
Contributor

Where is ConnectionParam.String (or string) used for the connection?

@mkenney
Copy link
Contributor Author

mkenney commented Jul 18, 2018
edited
Loading

It's in openConn.

I pushed up a change that I think will cover all the bases without breaking anything. I chose SECRET as the password replacement string instead of asterisks because url.UserPassword url encodes the string making the asterisks %2A which feels odd.

Please let me know what you think. The change makes the default behavior password sanitation, if you want the plaintext password there's a second (variadic) parameter you have to pass true to. I.E.

// Sanitized
P.string(true)
P.string(false)

// Plaintext
P.string(true, true)
P.string(false, true)

tgulacsi
tgulacsi suggested changes Jul 18, 2018
View reviewed changes
drv.go Outdated
@@ -446,7 +444,7 @@ func (d *drv) openConn(P ConnectionParams) (*conn, error) {
if P.IsSysDBA || P.IsSysOper {
dc := C.malloc(C.sizeof_void)
if Log != nil {
Log("C", "dpiConn_create", "username", P.Username, "password", P.Password, "sid", P.SID, "common", commonCreateParams, "conn", connCreateParams)
Log("C", "dpiConn_create", "username", P.Username, "password", "SECRET", "sid", P.SID, "common", commonCreateParams, "conn", connCreateParams)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just delete the printing of "password", and its value - this provides no information.

drv.go Outdated
@@ -457,7 +455,7 @@ func (d *drv) openConn(P ConnectionParams) (*conn, error) {
&connCreateParams,
(**C.dpiConn)(unsafe.Pointer(&dc)),
) == C.DPI_FAILURE {
return nil, errors.Wrapf(d.getError(), "username=%q password=%q sid=%q params=%+v", P.Username, P.Password, P.SID, connCreateParams)
return nil, errors.Wrapf(d.getError(), "username=%q password=%q sid=%q params=%+v", P.Username, "SECRET", P.SID, connCreateParams)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just leave it out.

drv.go Outdated
@@ -480,7 +478,7 @@ func (d *drv) openConn(P ConnectionParams) (*conn, error) {

var dp *C.dpiPool
if Log != nil {
Log("C", "dpiPool_create", "username", P.Username, "password", P.Password, "sid", P.SID, "common", commonCreateParams, "pool", poolCreateParams)
Log("C", "dpiPool_create", "username", P.Username, "password", "SECRET", "sid", P.SID, "common", commonCreateParams, "pool", poolCreateParams)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just leave it out.

drv.go Outdated
@@ -492,7 +490,7 @@ func (d *drv) openConn(P ConnectionParams) (*conn, error) {
(**C.dpiPool)(unsafe.Pointer(&dp)),
) == C.DPI_FAILURE {
return nil, errors.Wrapf(d.getError(), "username=%q password=%q SID=%q minSessions=%d maxSessions=%d poolIncrement=%d extAuth=%d ",
P.Username, strings.Repeat("*", len(P.Password)), P.SID,
P.Username, "SECRET", P.SID,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just leave it out.

drv.go Outdated
@@ -364,12 +364,12 @@ func (d *drv) openConn(P ConnectionParams) (*conn, error) {
}

c := conn{drv: d, connParams: P}
connString := P.StringNoClass()
connString := P.string(false, true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need a new pool per-password, so we don't need the password in the connString, so we don't need the second parameter in P.string.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, in that case I don't think the second param is needed at all and string can always leave out the password. I'll push an update shortly.

@mkenney
Copy link
Contributor Author

mkenney commented Jul 18, 2018

Ok, I made those updates and connections look good in my test script. Let me know what you think, thanks!

@tgulacsi tgulacsi merged commit 65f0503 into go-goracle:master Jul 18, 2018
@tgulacsi
Copy link
Contributor

Thanks for your hard work!

@mkenney
Copy link
Contributor Author

mkenney commented Jul 18, 2018

Awesome, thank you for your help!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@tgulacsi tgulacsi tgulacsi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mkenney @tgulacsi