Sensitive data printed despite the `show_sensitive_data_on_connection_error: false` flag

[luigi-discoup]

Hi everyone 👋

I'm having some db connection error lately and even though the Ecto Repo configuration sets:

show_sensitive_data_on_connection_error: false

the error message includes credentials (username and password) in plaintext, in the connection arguments:

Task #PID<0.3781.0> started from #PID<0.3183.0> terminating
** (DBConnection.ConnectionError) ssl recv: closed
    (postgrex 0.21.1) lib/postgrex.ex:347: Postgrex.query!/4
    (db_connection 2.8.1) lib/db_connection.ex:956: DBConnection.run/3
    (db_connection 2.8.1) lib/db_connection/task.ex:30: DBConnection.Task.init/3
    (elixir 1.18.4) lib/task/supervised.ex:101: Task.Supervised.invoke_mfa/2
    (elixir 1.18.4) lib/task/supervised.ex:36: Task.Supervised.reply/4
Process Label: "db_after_connect_task"
Function: &DBConnection.Task.init/3
    Args: [{Postgrex, :query!, ["SET search_path TO ***, public", []]}, #PID<0.3183.0>, [timeout: 15000, pool_index: 6, types: Postgrex.DefaultTypes, port: 5432, pool: DBConnection.ConnectionPool, repo: Core.Repo, telemetry_prefix: [:core, :repo], otp_app: :core, timeout: 15000, migration_timestamps: [type: :utc_datetime], ssl: [verify: :verify_none], pool_size: 20, socket_options: [], stacktrace: false, show_sensitive_data_on_connection_error: false, after_connect: {Postgrex, :query!, ["SET search_path TO ***, public", []]}, parameters: [application_name: "***"], hostname: "***.***.rds.amazonaws.com", scheme: "ecto", username: "***", password: "***", database: "***"]]

I manually redacted the values above, in the original error, credentials are fully visible.

Is this an expected behaviour?

Environment

• Elixir: 1.18.4 (compiled with Erlang/OTP 27)
• Ecto: 3.13.4
• EctoSQL: 3.13.2
• DBConnection: 2.8.1
• Postgrex: 0.21.1

[greg-rychlewski]

Hey @luigi-discoup ,

Thanks for the report. The issue is that the option does not apply to after_connect but this is by design. So we pushed a fix to "forget" the options with sensitive information so they are not logged.

The issue is that you are still in danger of the actual after_connect query being logged because it can be any random query. And it wouldn't really be possible for us to inspect the query text to figure out if the user might want anything removed.

Luckily for your situation there is a workaround if you don't want the search path logged. You can use parameters: [search_path: "my_search_path"] instead of an after connect query if you wanted. Then it won't be logged.

[luigi-discoup]

Hi @greg-rychlewski, thank you very much!

I didn't know the search_path parameter, but I will definitely use it, thanks again!

I wonder if it would be useful to update this documentation page to use parameters: [search_path: "my_search_path"] instead of after_connect in the example:

- query_args = ["SET search_path TO connection_prefix", []]

config :my_app, MyApp.Repo,
  username: "postgres",
  password: "postgres",
  database: "demo_dev",
  hostname: "localhost",
  pool_size: 10,
- after_connect: {Postgrex, :query!, query_args}
+ parameters: [search_path: "connection_prefix"]

[greg-rychlewski]

@luigi-discoup I think that makes sense. Because using after_connect to do this also has some gotchas like this: elixir-ecto/postgrex#619

Would you be interested in submitting a PR for that change?

[luigi-discoup]

Yes, absolutely! I’ll open a PR with my personal profile as soon as possible