DB passwords can be accidentally leaked through logs #5560

@castarco

Description

Disclaimer: I'm reporting this problem here because there are no public policies on how to report security problems. I would have preferred doing this privately.

Environment

Knex version: 2.4.2
Database + version: MySQL, PostgreSQL, MSSQL (I didn't test with others. DB version does not have any effect)
OS: Mac OS X, Linux

Bug

  1. Explain what kind of behaviour you are getting and how you think it should behave:

    const query = knex('myTable').select('*');
    logger.debug({ query }); // passwords are leaked here

    // For a more realistic case:
    try {
      const result = await query;
      return result;
    } catch (err) {
      logger.error({ err, query }, 'Unknown Error while performing query'); // passwords are leaked here
    }

    The previous code should not leak passwords through the logs, but it does 😢.
    In our case the logger was Pino; this problem doesn't necessarily happen with other loggers (as they might use different
    serialisation methods).

  2. Error message: There is no error message

  3. Reduced test code:

    // This new test could be placed in `test/integration2/query/misc/additional.spec.js`
    it('should not leak passwords when logged', async function () {
      const util = require('util');
      const query = knex('test_table_two').select('*');
      const fakeLog = util.inspect(query, { depth: null });
      const passwordMatches = fakeLog.match(
        /(knextest|testpassword|S0meVeryHardPassword|testrootpassword)/g
      );

      expect(passwordMatches).to.be.null;
    });
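A defender-side mitigation for the leak described in this issue, as an added example that is not code from the report or from Knex: a Pino-style serializer that logs only the compiled SQL of a builder instead of the whole object, plus a generic key-based redaction pass for anything else that gets logged. The builder stand-in is constructed here and assumes the password sits under `client.config.connection`, which is an assumption about the builder's shape, not a verified Knex internal.

```javascript
// Constructed stand-in for a query builder (assumption: the builder exposes
// its connection config, password included, to whatever serialises it).
const fakeQuery = {
  client: {
    config: {
      client: 'pg',
      connection: { host: 'db.internal', user: 'app', password: 'S0meVeryHardPassword' },
    },
  },
  _single: { table: 'myTable' },
  toSQL() { return { sql: 'select * from "myTable"', bindings: [] }; },
};

// Key names that should never reach a log line verbatim.
const SECRET_KEY = /^(pass(word)?|pwd|secret|token|connection[_-]?string)$/i;

// Deep copy with secret-looking keys replaced; tolerates cyclic objects.
function redactSecrets(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SECRET_KEY.test(k) ? '[REDACTED]' : redactSecrets(v, seen);
  }
  return out;
}

// Pino-style serializer: a builder is reduced to its SQL and bindings, so the
// connection config is never serialised; anything else is redacted by key.
// Bindings are query parameters and may themselves be sensitive in some apps.
function querySerializer(value) {
  if (value && typeof value.toSQL === 'function') {
    const { sql, bindings } = value.toSQL();
    return { sql, bindings };
  }
  return redactSecrets(value);
}

// Check what a JSON-based logger (as Pino is) would actually write out.
function leaksPassword(obj, password) {
  return JSON.stringify(obj).includes(password);
}
```

With Pino this plugs in as `pino({ serializers: { query: querySerializer } })`, so `logger.error({ err, query }, ...)` from the report logs the SQL rather than the builder.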
