Closed
Description
Node: 16.14.2
PG: 8.11.3
The connectionString config is parsed by URL in node. When that library has an invalid string, it will throw an error with error.input being the value provided. If you create a client without wrapping it in a try/catch, that error will be logged to the console. That means if the password causes makes the Postgres connection string an invalid URL, the credentials for your DB will leaked to the console.
Here's a quick example:
const pg = require('pg');
const host = 'localhost';
const port = 5432;
const user = 'user';
const password = 'g#4624$@F$#v`';
const database = 'db';
const POSTGRES_URL = `postgres://${user}:${password}@${host}:${port}/${database}`;
const clientWorks = new pg.Client({
host,
port,
user,
password,
database,
});
const clientFails = new pg.Client({
connectionString: POSTGRES_URL,
});node:internal/url:552
throw new ERR_INVALID_URL(input);
^
TypeError [ERR_INVALID_URL]: Invalid URL
at new NodeError (node:internal/errors:371:5)
at onParseError (node:internal/url:552:9)
at new URL (node:internal/url:628:5)
at parse (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg-connection-string/index.js:29:14)
at new ConnectionParameters (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg/lib/connection-parameters.js:56:42)
at new Client (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg/lib/client.js:18:33)
at Object.<anonymous> (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/index.js:21:21)
at Module._compile (node:internal/modules/cjs/loader:1103:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
at Module.load (node:internal/modules/cjs/loader:981:32) {
input: 'postgres://user:g#4624$@F$#v`@localhost:5432/db',
code: 'ERR_INVALID_URL'
}
Metadata
Metadata
Assignees
Labels
No labels