Summary
database_dsn redacts the user:pass@ userinfo prefix correctly but leaves query parameter values verbatim, even when a query parameter has a known-secret key (password, client_secret, etc.). Surfaced by multi-param query tests added during corpus authoring (#54).
mask.Apply("database_dsn", "root:secret@tcp(localhost:3306)/db?charset=utf8mb4&password=other&parseTime=true")
// Got: "****:****@tcp(localhost:3306)/db?charset=utf8mb4&password=other&parseTime=true"
// ^^^^^^^^^^^^^^ leaks
// Want: "****:****@tcp(localhost:3306)/db?charset=utf8mb4&password=****&parseTime=true"Requirements
- Rule label:
database_dsn (see docs/v0.9.0-requirements.md).
- Reuse the existing
secretQueryKeys map and isSecretKey helper from rules_technology.go — the same OAuth/cloud secret set already curated for connection_string after #70.
- Preserve all other DSN parameters (
charset, parseTime, loc, tls, timeout, interpolateParams, etc.) verbatim.
Acceptance criteria
maskDatabaseDSN walks the ?param=value&... tail after the database name and redacts the value of any key whose lowercase, percent-decoded form matches secretQueryKeys.- Userinfo redaction continues unchanged.
- Unit cases in
rules_technology_test.go cover: secret param alone, secret + non-secret mix, multiple secrets, secret at start/middle/end, repeated keys, JDBC-style and tcp-style DSNs.
- Corpus fixtures in
tests/corpus/database_dsn.txt pin the redacted output.
Testing requirements
- New table-driven test
TestApply_DatabaseDSN_QueryParamSecrets with at least 10 cases.
- BDD scenario
Scenario Outline: redacts secret query parameters in DSN form in tests/bdd/features/technology.feature.
- Corpus generator at
tests/corpus/gen/database_dsn.go extended to emit DSNs with secret query parameters.
Documentation requirements
RuleInfo.Description for database_dsn updated to mention the secret query parameter redaction.- CHANGELOG.md Unreleased / Security entry referencing this issue.
Dependencies
None. Reuses the existing infrastructure from #70.
Surfaced by
#54 (corpus harness — multi-param connection_string test pinned the comparable behaviour for connection_string; database_dsn pin test in the same PR documents the current gap).
Summary
database_dsnredacts theuser:pass@userinfo prefix correctly but leaves query parameter values verbatim, even when a query parameter has a known-secret key (password,client_secret, etc.). Surfaced by multi-param query tests added during corpus authoring (#54).Requirements
database_dsn(seedocs/v0.9.0-requirements.md).secretQueryKeysmap andisSecretKeyhelper fromrules_technology.go— the same OAuth/cloud secret set already curated forconnection_stringafter #70.charset,parseTime,loc,tls,timeout,interpolateParams, etc.) verbatim.Acceptance criteria
maskDatabaseDSNwalks the?param=value&...tail after the database name and redacts the value of any key whose lowercase, percent-decoded form matchessecretQueryKeys.rules_technology_test.gocover: secret param alone, secret + non-secret mix, multiple secrets, secret at start/middle/end, repeated keys, JDBC-style and tcp-style DSNs.tests/corpus/database_dsn.txtpin the redacted output.Testing requirements
TestApply_DatabaseDSN_QueryParamSecretswith at least 10 cases.Scenario Outline: redacts secret query parameters in DSN formintests/bdd/features/technology.feature.tests/corpus/gen/database_dsn.goextended to emit DSNs with secret query parameters.Documentation requirements
RuleInfo.Descriptionfordatabase_dsnupdated to mention the secret query parameter redaction.Dependencies
None. Reuses the existing infrastructure from #70.
Surfaced by
#54 (corpus harness — multi-param connection_string test pinned the comparable behaviour for connection_string; database_dsn pin test in the same PR documents the current gap).