On connection failure logs are leaking secrets

[sisidra]

What happens?

Attaching to Postgres using secrets will leak secret information in logs on failure.

To Reproduce

CREATE SECRET (
      TYPE postgres,
      PASSWORD 'MySecret'
  );
ATTACH '' AS pgdb (TYPE postgres);

IO Error:
Unable to connect to Postgres at password='MySecret' : connection to server on socket "/tmp/.s.PGSQL.5432" failed: No such file or directory
Is the server running locally and accepting connections on that socket?

OS:

MacOS

PostgreSQL Version:

DuckDB Version:

1.3.2

DuckDB Client:

CLI, Python

Full Name:

Mārtiņš Kalvāns

Affiliation:

NymTech

Have you tried this on the latest main branch?

• I agree

Have you tried the steps to reproduce? Do they include all relevant data and configuration? Does the issue you report still appear there?

• I agree

[apognu]

This is a really security concern, where the only solution is to either swallow errors, or haphazardly sanitize raw string errors and hope for the best.

[jorinvo]

We also just ran into this. Happens, both, when directly passing a connection string to ATTACH and when using a secret.

Is there any way we can help to get this resolved in the extension directly?

Thank you 🙏

[sisidra]

When I glanced at the code, it seemed like it is fixable in extension only. It is a bit involved, as would mean to pass around split parameters - direct and secret separately and then combine before connecting and error-log only direct ones.
Does not seem extreamly hard, but also not super-trivial for me myself.

[kyzyl]

Has this gotten any attention internally? It's pretty dangerous to leak credentials like this, for databases of all things. We're forced to suppress all errors during connect/attach in CI pipelines, which is not helpful when things go wrong.

Attempting to sanitize manually will easily break if the error message changes at all, and what's worse probably nobody will notice if it does. For example, if attaching via the ducklake extension, the error message is slightly different.

For open source projects, this could mean publishing full database connection strings to the Github Actions tab...

[guillesd]

Hi there!

Yes we are looking into this! Sorry for the delay!

[jorinvo]

Thank you so much @Mytherin @guillesd! Great to see this fixed 🙏