Add SensitiveDataMasker to exceptions messages #42940
Conversation
robot-ch-test-poll
added
the
pr-improvement
filimonov
added
the
can be tested
| , remote(remote_) | ||
| { | ||
| handle_error_code(msg, code, remote, getStackFramePointers()); | ||
| handle_error_code(msg_masked.msg, code, remote, getStackFramePointers()); |
There was a problem hiding this comment.
I've implemented a different solution recently, which is based on a AST tree, not on regular expressions, so my solution is going to work better for more various cases like s3(url, key, secret_key) or CREATE USER IDENTIFIER WITH password. But it seems I forgot to cover this case in my solution, so I'll still have to improve it. I'd prefer to take your test but use that my solution with replacings in AST tree. Ok?
There was a problem hiding this comment.
I'm not sure if it can really be done 100% safe on AST level...
Imagine you can't parse the query correctly, but it have sensitive data, or that sensitive data does not come from the query at all. So i think that those 'sensitivedatamaster' is still needed (and also it's ok to have some predefined stuff on AST level)
And test - sure you can reuse it.
There was a problem hiding this comment.
I didn't suggest to remove the regular expression approach. In my opinion it's better to use both: first hardcoded wiping based on AST and then customizable wiping based on regexp.
filimonov
force-pushed
the
exceptions_with_masker
branch
from
988d42e
to
19d39d7
Compare
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Allow to remove sensitive information from the exception messages also. Resolves #41418