Participants
Zhihong Yu
Zhihong Yu
Tom Lane
Tom Lane
Julien Rouhaud
Julien Rouhaud
Attachments
Thread Outline
#1...#2
Zhihong YuTom Lane
Jul 23, 2022
#1Zhihong YuZhihong Yu
Jul 23, 2022
#2Tom LaneTom Laneto Zhihong Yu (#1)
Jul 24, 2022
#3Zhihong YuZhihong Yuto Tom Lane (#2)
Jul 24, 2022
#4...#5
Zhihong YuJulien Rouhaud
to Tom Lane (#2)
Jul 24, 2022
#4Zhihong YuZhihong Yuto Tom Lane (#2)
Jul 24, 2022
#5Julien RouhaudJulien Rouhaudto Zhihong Yu (#4)
Jul 24, 2022

redacting password in SQL statement in server log

Started by Zhihong Yuover 3 years ago5 messages
#1Zhihong Yu
Zhihong Yu
zyu@yugabyte.com
1 attachment(s)

Hi,
Currently, in situation such as duplicate role creation, the server log
would show something such as the following:

2022-07-22 13:48:18.251 UTC [330] STATEMENT: CREATE ROLE test WITH LOGIN
PASSWORD 'foobar';

The password itself should be redacted before logging the statement.

Here is sample output with the patch applied:

2022-07-23 23:28:20.359 UTC [16850] ERROR: role "test" already exists
2022-07-23 23:28:20.359 UTC [16850] STATEMENT: CREATE ROLE test WITH LOGIN
PASSWORD

Please take a look at the short patch.
I know variables should be declared at the start of the func - I can do
that once the approach is confirmed.

Cheers

Attachments:

redact-password-in-log.patchapplication/octet-stream; name=redact-password-in-log.patchDownload
diff --git a/src/backend/utils/error/elog.c b/src/backend/utils/error/elog.c
index 95f32de4e2..0c9c55cb30 100644
--- a/src/backend/utils/error/elog.c
+++ b/src/backend/utils/error/elog.c
@@ -2923,7 +2923,17 @@ send_message_to_server_log(ErrorData *edata)
 	{
 		log_line_prefix(&buf, edata);
 		appendStringInfoString(&buf, _("STATEMENT:  "));
-		append_with_tabs(&buf, debug_query_string);
+		char *query_str = (char *)debug_query_string;
+		const char *nlpos = strstr(debug_query_string, "PASSWORD ");
+		/*
+		 * Redact password, if password is specified
+		 */
+		if (nlpos != NULL)
+		{
+			query_str = pstrdup(debug_query_string);
+			query_str[nlpos - debug_query_string + 9] = '\0';
+		}
+		append_with_tabs(&buf, query_str);
 		appendStringInfoChar(&buf, '\n');
 	}
#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Zhihong Yu (#1)
Re: redacting password in SQL statement in server log

Zhihong Yu <zyu@yugabyte.com> writes:

Currently, in situation such as duplicate role creation, the server log
would show something such as the following:

2022-07-22 13:48:18.251 UTC [330] STATEMENT: CREATE ROLE test WITH LOGIN
PASSWORD 'foobar';

The password itself should be redacted before logging the statement.

This has been proposed multiple times, and rejected multiple times,
primarily because it offers only false security: you'll never cover
all the cases. (The proposed patch manages to create a bunch of
false positives to go along with its false negatives, too.)

The only safe answer is to be sure to keep the server log contents
secure. Please see prior discussions in the archives.

regards, tom lane

#3Zhihong Yu
Zhihong Yu
zyu@yugabyte.com
In reply to: Tom Lane (#2)
Re: redacting password in SQL statement in server log

On Sat, Jul 23, 2022 at 5:27 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Zhihong Yu <zyu@yugabyte.com> writes:

Currently, in situation such as duplicate role creation, the server log
would show something such as the following:

2022-07-22 13:48:18.251 UTC [330] STATEMENT: CREATE ROLE test WITH LOGIN
PASSWORD 'foobar';

The password itself should be redacted before logging the statement.

This has been proposed multiple times, and rejected multiple times,
primarily because it offers only false security: you'll never cover
all the cases. (The proposed patch manages to create a bunch of
false positives to go along with its false negatives, too.)

The only safe answer is to be sure to keep the server log contents
secure. Please see prior discussions in the archives.

regards, tom lane

Pardon my laziness.

I will pay more attention.

#4Zhihong Yu
Zhihong Yu
zyu@yugabyte.com
In reply to: Tom Lane (#2)
Re: redacting password in SQL statement in server log

On Sat, Jul 23, 2022 at 5:27 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:

Zhihong Yu <zyu@yugabyte.com> writes:

Currently, in situation such as duplicate role creation, the server log
would show something such as the following:

2022-07-22 13:48:18.251 UTC [330] STATEMENT: CREATE ROLE test WITH LOGIN
PASSWORD 'foobar';

The password itself should be redacted before logging the statement.

This has been proposed multiple times, and rejected multiple times,
primarily because it offers only false security: you'll never cover
all the cases. (The proposed patch manages to create a bunch of
false positives to go along with its false negatives, too.)

The only safe answer is to be sure to keep the server log contents
secure. Please see prior discussions in the archives.

regards, tom lane

Hi,
I am thinking of adding `if not exists` to `CREATE ROLE` statement:

CREATE ROLE trustworthy if not exists;

In my previous example, if the user can issue the above command, there
would be no SQL statement logged.

Do you think it is worth adding `if not exists` clause ?

Thanks

#5Julien Rouhaud
Julien Rouhaud
rjuju123@gmail.com
In reply to: Zhihong Yu (#4)
Re: redacting password in SQL statement in server log

Hi,

On Sun, Jul 24, 2022 at 04:33:59AM -0700, Zhihong Yu wrote:

I am thinking of adding `if not exists` to `CREATE ROLE` statement:

CREATE ROLE trustworthy if not exists;

In my previous example, if the user can issue the above command, there
would be no SQL statement logged.

It's not because there might not be an error that the password wouldn't end up
in the logs (log_statement, log_min_duration_statement, typo in the
command...).

Do you think it is worth adding `if not exists` clause ?

This has already been discussed and isn't wanted. You can refer to the last
discussion about that at:
/messages/by-id/CAOxo6XJy5_fUT4uDo2251Z_9whzu0JJGbtDgZKqZtOT9KhOKiQ@mail.gmail.com

← Back to Topics