Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid connection strings can cause credentials to leak to console #3145

Open
pauls-ai2 opened this issue Feb 12, 2024 · 2 comments
Open

Invalid connection strings can cause credentials to leak to console #3145

pauls-ai2 opened this issue Feb 12, 2024 · 2 comments

Comments

@pauls-ai2
Copy link

Node: 16.14.2
PG: 8.11.3

The connectionString config is parsed by URL in node. When that library has an invalid string, it will throw an error with error.input being the value provided. If you create a client without wrapping it in a try/catch, that error will be logged to the console. That means if the password causes makes the Postgres connection string an invalid URL, the credentials for your DB will leaked to the console.

Here's a quick example:

const pg = require('pg');

const host = 'localhost';
const port = 5432;
const user = 'user';
const password = 'g#4624$@F$#v`';
const database = 'db';

const POSTGRES_URL = `postgres://${user}:${password}@${host}:${port}/${database}`;

const clientWorks = new pg.Client({
  host,
  port,
  user,
  password,
  database,
});

const clientFails = new pg.Client({
  connectionString: POSTGRES_URL,
});
node:internal/url:552
  throw new ERR_INVALID_URL(input);
  ^

TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:371:5)
    at onParseError (node:internal/url:552:9)
    at new URL (node:internal/url:628:5)
    at parse (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg-connection-string/index.js:29:14)
    at new ConnectionParameters (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg/lib/connection-parameters.js:56:42)
    at new Client (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg/lib/client.js:18:33)
    at Object.<anonymous> (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/index.js:21:21)
    at Module._compile (node:internal/modules/cjs/loader:1103:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
    at Module.load (node:internal/modules/cjs/loader:981:32) {
  input: 'postgres://user:g#4624$@F$#v`@localhost:5432/db',
  code: 'ERR_INVALID_URL'
}
@sehrope
Copy link
Contributor

sehrope commented Feb 12, 2024

Constructing the URI like that is incorrect. You need to escape the values via `encodeURIComponent(...):

const POSTGRES_URL = `postgresql://${encodeURIComponent(user)}:${encodeURIComponent(password)}@${host}:${port}/${encodeURIComponent(database)}`;

That allows you to handle arbitrary characters in those fields and ensure the URI is always valid.

@pauls-ai2
Copy link
Author

I agree that it is incorrect. That doesn't change the fact that many places build URLs this way. I found this because Google's SQL can generate URLs like this that are invalid URLs, but the credentials in them would be leaked if used this way. That's one example, but there are many more.

@charmander charmander changed the title Passwords with "@" followed by special character can cause credentials to leak to console Invalid connection strings can cause credentials to leak to console Feb 13, 2024
@alxndrsn alxndrsn mentioned this issue Mar 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sehrope @pauls-ai2