From 508cd3e09011edb111467be9551b5a38e31737e0 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 21 Sep 2023 17:50:55 -0400
Subject: [PATCH] Redact password from query_options to avoid leaking credentials in exceptions via #inspect

Closes #1049
---
 lib/mysql2/client.rb | 4 ++++
 spec/mysql2/client_spec.rb | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/lib/mysql2/client.rb b/lib/mysql2/client.rb
index 582b6e305..485158ada 100644
--- a/lib/mysql2/client.rb
+++ b/lib/mysql2/client.rb
@@ -78,6 +78,10 @@ def initialize(opts = {})
 warn "============= END WARNING FROM mysql2 ========="
 end
 
+ # avoid logging sensitive data via #inspect
+ @query_options.delete(:password)
+ @query_options.delete(:pass)
+
 user = opts[:username] || opts[:user]
 pass = opts[:password] || opts[:pass]
 host = opts[:host] || opts[:hostname]
diff --git a/spec/mysql2/client_spec.rb b/spec/mysql2/client_spec.rb
index 14f446df9..0698cb600 100644
--- a/spec/mysql2/client_spec.rb
+++ b/spec/mysql2/client_spec.rb
@@ -1173,4 +1173,23 @@ def run_gc
 it "should respond to #encoding" do
 expect(@client).to respond_to(:encoding)
 end
+
+ it "should not include the password in the output of #inspect" do
+ client_class = Class.new(Mysql2::Client) do
+ def connect(*args)
+ end
+ end
+
+ client = client_class.new(password: "secretsecret")
+
+ expect(client.inspect).not_to include("password")
+ expect(client.inspect).not_to include("secretsecret")
+
+ expect do
+ client = client_class.new(pass: "secretsecret")
+ end.to output(/WARNING/).to_stderr
+
+ expect(client.inspect).not_to include("pass")
+ expect(client.inspect).not_to include("secretsecret")
+ end
 end
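Review bot: The two `delete` calls are only safe because the credential is re-read from `opts` two lines later (`pass = opts[:password] || opts[:pass]`), so the redaction silently depends on `@query_options` being a distinct hash from `opts`; if the assignment ever aliased the caller's hash, the password would be dropped before it is read and the caller's own hash would be mutated. That assignment is outside the hunk (`initialize` starts before it), so please confirm it copies rather than aliases, and make the dependency explicit in the comment: `# redact credentials so #inspect and exception messages never carry them; connect reads the password from opts, not @query_options`. Note also that deleting the symbol keys only covers symbolized options — if a string-keyed `"password"` could reach this point unnormalised it would survive, which is worth a one-line check or comment.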
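Review bot: The spec proves the password is absent from `#inspect` but not that it still reaches the connection, so a regression that redacts too early (see the `opts`/`@query_options` dependency in client.rb) would pass this test unnoticed. Have the stub record its arguments, `def connect(*args) @connect_args = args end`, and add `expect(client.instance_variable_get(:@connect_args).inspect).to include("secretsecret")` after each construction so both properties are pinned. Style-wise the unused parameter list can be written `def connect(*)`, and `client` is reassigned inside the `expect do ... end` block, which works because it closes over the outer local but reads as shadowing — a fresh name such as `legacy_client` would be clearer.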