release-25.2: importer: sanitize cloud storage URIs in error messages

[blathers-crl]

Backport 1/1 commits from #164881 on behalf of @mw5h.

---

Summary

• Sanitize cloud storage URIs in readInputFiles error messages using
  cloud.SanitizeExternalStorageURI to strip credentials before including
  them in user-visible errors.
• Fixes three error paths: the "too many parsing errors" pgerror and both
  errors.Wrapf calls that annotate errors with the file path.

Resolves: #151884

Release note (bug fix): Fixed a bug where IMPORT error messages
could include unredacted cloud storage credentials from the source
URI. Credentials are now stripped from URIs before they appear in
error messages.

---

Release justification: Important security fix for an issue encountered by a customer.

[blathers-crl]

Thanks for opening a backport.

Before merging, please confirm that it falls into one of the following categories (select one):

• Non-production code changes OR fixes for serious issues. Non-production includes test-only changes, build system changes, etc. Serious issues are defined in the policy as correctness, stability, or security issues, data corruption/loss, significant performance regressions, breaking working and widely used functionality, or an inability to detect and debug production issues.
• Other approved changes. These changes must be gated behind a disabled-by-default feature flag unless there is a strong justification not to. Reference the approved ENGREQ ticket in the PR body (e.g., "Fixes ENGREQ-123").

Add a brief release justification to the PR description explaining your selection.

Also, confirm that the change does not break backward compatibility and complies with all aspects of the backport policy.

All backports must be reviewed by the TL and EM for the owning area.

[trunk-io]

😎 Merged directly without going through the merge queue, as the queue was empty and the PR was up to date with the target branch - details.

[blathers-crl]

It looks like your PR touches production code but doesn't add or edit any test code. Did you consider adding tests to your PR?

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[cockroach-teamcity]

This change is 

[michae2]

LGTM

[blathers-crl]

✅ PR #167948 is compliant with backport policy

Confidence: high
Critical bug criteria met: [Stability or security issues]
Backward compatible: true
Explanation: The pull request is compliant with the backport policy for several reasons. First, the PR includes a 'Release justification: Important security fix for an issue encountered by a customer', which is a valid justification under the policy, bypassing the need for feature flag requirement. Secondly, the changes address a critical security issue by sanitizing cloud storage URIs in error messages to prevent the exposure of credentials. This falls directly under the critical bug criteria, specifically addressing stability and security issues.

The changed file 'pkg/sql/importer/read_import_base.go' is a production file; however, critical security fixes do not require feature flag gating. The fixes improve the security posture of the system without breaking backward compatibility since they only alter the behavior of error message handling, ensuring credentials are not exposed. There is no evidence of removed version gates or incompatible changes, ensuring it preserves existing functionality. The changes are well-documented in the PR description, providing a high level of confidence in the assessment.

✅ ENGREQ Check Passed: No ENGREQ required (non-production code or serious issues).

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}