Flyway logs passwords at INFO level #1620

Closed
chrylis opened this issue May 4, 2017 · 6 comments

@chrylis chrylis commented May 4, 2017

I am using Flyway 3.2.1 with the latest release of Spring Boot, but this behavior appears to still be present in the current master.

I was rather surprised to see, on startup, that the username and password for my JDBC connection were printed to the console at INFO level:

INFO 7 --- [           main] o.f.c.i.dbsupport.DbSupportFactory       : Database: jdbc:postgresql://host/db?user=admin&password=<password> (PostgreSQL 9.5)

This is apparently automatic behavior, invoked automatically once per Flyway instance (the private field dbConnectionInfoPrinted is used solely to make this happen once), and is not configurable in any way.

I would suggest at a minimum custom-printing diagnostic information rather than dumping the entire connection string.

@axelfontaine axelfontaine commented May 6, 2017

Flyway logs the connection url. If you don't include the password in the url, but use the password property of your datasource, it will not appear.

Works as designed.

@chrylis chrylis commented May 8, 2017

The connection string is what is injected by most cloud systems, and logging it at INFO, which is the default output level for most loggers, is something that is surprising behavior. Since it's on by default (and actually not suppressable), it ought to require some overt action, such as setting logs to DEBUG.

@axelfontaine axelfontaine commented May 8, 2017

Which cloud system did you see this on?

@pvillega pvillega commented May 28, 2017

This happens when using Heroku too. Logs show the full url with password.

Mind you, I'm using flyway.setDataSource(config.url, config.user, config.password) to set the configuration, so this is shown after building the full url.

Please default it to debug/trace level. This is unsafe.

@axelfontaine axelfontaine reopened this May 28, 2017
@axelfontaine axelfontaine added this to the Flyway 5.0.0 milestone May 28, 2017

@axelfontaine axelfontaine commented May 29, 2017

OK, so far this only seems to affect Heroku then.

@pvillega pvillega commented May 29, 2017

Is it though? I wonder as I specifically use:

flyway.setDataSource(config.url, config.user, config.password)

which is not Heroku specific as far as I know...

axelfontaine added a commit to flyway/flywaydb.org that referenced this issue Nov 27, 2017
dohrayme pushed a commit to dohrayme/flyway that referenced this issue Feb 3, 2020
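
One way to do the "custom-printing" suggested in the thread, as an added example (not Flyway's code and not the change the project made): mask credential values in a JDBC URL before it reaches a logger. The class name `JdbcUrlRedactor`, the list of parameter names and the sample URLs are assumptions constructed for illustration; driver-specific formats outside these two patterns are not covered.

```java
import java.util.regex.Pattern;

// Added example, not Flyway code: mask credentials in a JDBC URL before logging it.
public final class JdbcUrlRedactor {

    // Assumed list of secret-bearing parameter names; extend it for the drivers in use.
    // Handles '?'/'&' separators (as in the PostgreSQL URL above) and ';' separators.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "(?i)([?&;](?:password|passwd|pwd)=)[^&;]*");

    // Credentials embedded in the authority part: scheme://user:secret@host
    // The secret may itself contain '@'; matching stops at the first '/', '?', '#' or ';'.
    private static final Pattern USERINFO_SECRET = Pattern.compile(
            "(://[^/?#@:;]+:)[^/?#;]*@");

    private JdbcUrlRedactor() { }

    /** Returns the URL with secret values replaced by "***"; everything else is kept. */
    public static String redact(String jdbcUrl) {
        if (jdbcUrl == null) {
            return null;
        }
        // Parameters first, then the user:secret@ authority form.
        String masked = SECRET_PARAM.matcher(jdbcUrl).replaceAll("$1***");
        return USERINFO_SECRET.matcher(masked).replaceAll("$1***@");
    }

    public static void main(String[] args) {
        // Constructed sample URLs; hosts, users and passwords are made up.
        String[] samples = {
            "jdbc:postgresql://host/db?user=admin&password=s3cr3t",
            "jdbc:mysql://admin:s3cr3t@db.example.test:3306/app",
            "jdbc:sqlserver://db.example.test:1433;databaseName=app;user=sa;password=s3cr3t;",
            "jdbc:postgresql://db.example.test:5432/app" // nothing to mask
        };
        for (String url : samples) {
            System.out.println("Database: " + redact(url));
        }
    }
}
```

Redaction at the log call is a backstop: keeping the password out of the URL, as described earlier in the thread, also keeps it out of exception messages and driver logs that this function never sees.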