Emit a warning when database URL is pasted directly into the schema #17640

Closed
millsp opened this issue Jan 30, 2023 · 8 comments
Labels
domain/client Issue in the "Client" domain: Prisma Client, Prisma Studio etc. kind/improvement An improvement to existing feature and code. tech/typescript Issue for tech TypeScript. topic: cli topic: connection-url
Comments

@millsp
Member

millsp commented Jan 30, 2023

Problem

It should generally be considered a bad practice to paste a private database URL into the schema directly. If the user commits that schema by accident somewhere, or deploys it somewhere, they will be exposed to a security risk.

Suggested solution

I suggest that we emit a warning on prisma generate (maybe others too?) when we detect that any URL not pointing to localhost or 127.0.0.1 is pasted in the schema. This way, we can raise awareness around security and suggest that users either use .env or environment variables.

@millsp millsp added kind/improvement An improvement to existing feature and code. topic: connection-url topic: cli tech/typescript Issue for tech TypeScript. domain/client Issue in the "Client" domain: Prisma Client, Prisma Studio etc. size/s (<1 wk) labels Jan 30, 2023
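As an added example (not Prisma's own code, and not the check that shipped in #20731): a small TypeScript scan of a schema's datasource blocks that flags a literal url whose host is anything other than localhost or 127.0.0.1, which is the detection the issue proposes. The sample schema, its placeholder credentials and the warning text are constructed for this example.

```typescript
// Added example, not Prisma's own code: flag datasource blocks whose `url` is a
// string literal pointing at a non-local host, as proposed in this issue.
type UrlWarning = { datasource: string; host: string; message: string };

const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
// scheme://[userinfo@]host[:port]...; captures a bracketed IPv6 or a plain host.
const AUTHORITY_RE = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/?#]*@)?(\[[^\]]*\]|[^:\/?#]*)/i;

// Returns the lower-cased host of a connection URL, or null when the URL has no
// authority part (e.g. "file:./dev.db" for SQLite).
function hostOf(url: string): string | null {
  const m = AUTHORITY_RE.exec(url);
  if (!m) return null;
  return m[1].replace(/^\[|\]$/g, "").toLowerCase() || null;
}

// Scans every `datasource <name> { ... }` block. Only `url = "..."` literals are
// inspected; `url = env("DATABASE_URL")` is not a literal and is never flagged.
function findHardcodedUrls(schema: string): UrlWarning[] {
  const warnings: UrlWarning[] = [];
  const blockRe = /datasource\s+(\w+)\s*\{([^}]*)\}/g;
  let block: RegExpExecArray | null;
  while ((block = blockRe.exec(schema)) !== null) {
    const [, name, body] = block;
    const lit = /^\s*url\s*=\s*"([^"]*)"/m.exec(body);
    if (!lit) continue;
    const host = hostOf(lit[1]);
    if (host === null || LOCAL_HOSTS.has(host)) continue;
    warnings.push({
      datasource: name,
      host,
      message: `datasource "${name}" hard-codes a connection URL for ${host}; ` +
        `use url = env("DATABASE_URL") so credentials stay out of the schema and the generated client.`,
    });
  }
  return warnings;
}

// Constructed sample schema (the credentials are placeholders, not real values).
const SAMPLE_SCHEMA = `
datasource db {
  provider = "postgresql"
  url      = "postgresql://app:PLACEHOLDER@db.example.com:5432/app"
}
`;

function checkSampleSchema(): UrlWarning[] {
  return findHardcodedUrls(SAMPLE_SCHEMA);
}
```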
@algora-pbc

algora-pbc bot commented Sep 4, 2023

💎 $50 bounty created by prisma
🙋 If you start working on this, comment /attempt #17640 to notify everyone
👉 To claim this bounty, submit a pull request that includes the text /claim #17640 somewhere in its body
📝 Before proceeding, please make sure you can receive payouts in your country
💵 Payment arrives in your account 2-5 days after the bounty is rewarded
💯 You keep 100% of the bounty award
🙏 Thank you for contributing to prisma/prisma!

Attempt | Started (GMT+0) | Solution
🟢 @mnmt7 | Sep 4, 2023, 8:40:43 AM | WIP
🟢 @kunal00000 | | #20942

@mnmt7

mnmt7 commented Sep 4, 2023

/attempt #17640


@algora-pbc

algora-pbc bot commented Sep 4, 2023

💡 @kunal00000 submitted a pull request that claims the bounty. You can visit your org dashboard to reward.

@petradonka
Contributor

Hi @kunal00000 👋 Thank you for opening the PR 🙌

As we reviewed your PR, we have noticed that the warning we had intended to show up when you run prisma generate with a private database URL in your schema was already present. That's a miss on us, we had another issue tracking that work, and didn't close this one when we completed it.

We really appreciate the time and effort you've put into this though, and would still like to recognize that with rewarding you the bounty, as you were our first bounty-hunter! 🌟

@algora-pbc

algora-pbc bot commented Sep 5, 2023

🎉🎈 @kunal00000 has been awarded $50! 🎈🎊

@janpio janpio added this to the 5.2.0 milestone Sep 5, 2023
@janpio
Contributor

janpio commented Sep 5, 2023

This was implemented as part of #20731, which was shipped with release 5.2.0.

@kunal00000

Hi @petradonka, thank you for your kindness 🙏. Would you like to get this done in other commands too (as I saw that it was not present in the prisma migrate dev command)?

@janpio
Contributor

janpio commented Sep 5, 2023

No, we intentionally only want a warning in prisma generate because that is the only command that actually persists a hard-coded value in the generated Client. For migrate dev we feel that having a hard-coded URL is a valid use case, and if you go into dangerous territory with prisma generate - you will get the warning.

We might tighten that later, but for now we are waiting for feedback on this level of deterrent of putting a plain connection string.
