fix(database_dsn): rejects tcp6/tcp4/unix/udp Go MySQL DSN protocols #83

@millerjp

Description

Summary

The database_dsn rule recognises the tcp(...) protocol in Go MySQL DSN format but fails closed on other valid protocols including tcp6(...), tcp4(...), unix(...), and udp(...).

admin:secret@tcp6([2001:db8::88]:3306)/users fully redacts to asterisks instead of redacting only the userinfo. IPv6 MySQL deployments and unix-socket connections are common; fail-closed leaves users with garbage output.

Surfaced during the post-#54 corpus audit (dozens of IPv6/unix-socket fixtures pinned fail-closed).

Requirements

  1. The DSN protocol-pattern matcher must accept tcp, tcp4, tcp6, unix, udp followed by (addr).
  2. Each protocol behaves the same way: userinfo redacted to ****:****@, protocol+addr+database preserved.
  3. Add table-driven unit cases for each protocol.
  4. Update or add BDD scenarios for tcp6 and unix (name: Scenario: database_dsn redacts userinfo across Go MySQL protocols).
  5. Regenerate the corpus.
  6. CHANGELOG entry under Unreleased / Fixed.

Acceptance criteria

  1. admin:secret@tcp6([2001:db8::88]:3306)/users -> ****:****@tcp6([2001:db8::88]:3306)/users
  2. admin:secret@tcp4(127.0.0.1:3306)/db -> ****:****@tcp4(127.0.0.1:3306)/db
  3. admin:secret@unix(/var/run/mysqld/mysqld.sock)/db -> ****:****@unix(/var/run/mysqld/mysqld.sock)/db
  4. admin:secret@udp(host:3306)/db -> ****:****@udp(host:3306)/db
  5. Query-string secret redaction from #72 (feat(database_dsn): redact secret query parameter values) still works on every protocol: tcp6(...)/db?password=other redacts both the userinfo and the password param
  6. Existing tcp(...) behaviour unchanged (regression-free)
  7. Corpus regeneration drops the IPv6 / unix-socket fail-closed fixtures and replaces them with structure-preserving outputs
  8. Regression test is named TestApply_DatabaseDSN_GoMySQLProtocols
  9. make check green

Testing requirements

  • Unit: TestApply_DatabaseDSN_GoMySQLProtocols (table-driven; one case per protocol + query-string-secret integration)
  • BDD: Scenario: database_dsn redacts userinfo across Go MySQL protocols
  • Corpus: regeneration drops the tcp6(...) / unix(...) fail-closed pins

Documentation requirements

  • Update docs/rules.md for database_dsn to list every supported Go MySQL protocol token.
  • Update godoc on the rule.

Dependencies

None. (Builds on #72 query-string secret redaction, already merged.)
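
A sketch of requirements 1 and 2, added here as an illustration and not taken from the project's code: a protocol allowlist inside one anchored pattern, with fail-closed output for anything that does not parse. The name `RedactDSN`, the regular expression and the shape of the fail-closed mask are assumptions; query strings (#72) are outside this sketch and fail closed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// goMySQLDSN matches user:password@protocol(address)/dbname.
// The protocol group is the allowlist from requirement 1; the address group
// takes anything without parentheses, which covers host:port, a bracketed
// IPv6 literal with port, and a unix socket path.
var goMySQLDSN = regexp.MustCompile(
	`^([^:@/\s]+):([^@\s]*)@(tcp[46]?|unix|udp)\(([^()\s]+)\)/([^?\s]*)$`)

// RedactDSN (hypothetical name) masks only the userinfo of a Go MySQL DSN
// and keeps protocol, address and database name readable.
// Anything that does not match the expected structure fails closed: the
// whole string is masked, so a secret in an unparsed input cannot leak.
func RedactDSN(dsn string) string {
	m := goMySQLDSN.FindStringSubmatch(dsn)
	if m == nil {
		return strings.Repeat("*", len(dsn)) // assumed mask shape
	}
	// m[3] = protocol, m[4] = address, m[5] = database name.
	return fmt.Sprintf("****:****@%s(%s)/%s", m[3], m[4], m[5])
}

func main() {
	// Inputs are the issue's acceptance-criteria samples plus one
	// constructed DSN with a protocol outside the allowlist.
	for _, dsn := range []string{
		"admin:secret@tcp6([2001:db8::88]:3306)/users",
		"admin:secret@tcp4(127.0.0.1:3306)/db",
		"admin:secret@unix(/var/run/mysqld/mysqld.sock)/db",
		"admin:secret@udp(host:3306)/db",
		"admin:secret@sctp(host:3306)/db", // constructed: fails closed
	} {
		fmt.Println(RedactDSN(dsn))
	}
}
```

A password containing `@` does not match this pattern and is therefore fully masked instead of partially preserved.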


Labels: P1 (Important), bug (Something isn't working)
