Invalid connection strings can cause credentials to leak to console #3145
Comments
Constructing the URI like that is incorrect. You need to escape the values via `encodeURIComponent(...)`:
That allows you to handle arbitrary characters in those fields and ensure the URI is always valid.
I agree that it is incorrect. That doesn't change the fact that many places build URLs this way. I found this because Google's SQL can generate URLs like this that are invalid URLs, but the credentials in them would be leaked if used this way. That's one example, but there are many more.
In DATABASE_URL I put just "postgresql://" and that solved my problem.
Node: 16.14.2
PG: 8.11.3

The `connectionString` config is parsed by `URL` in node. When that library has an invalid string, it will throw an error with `error.input` being the value provided. If you create a client without wrapping it in a try/catch, that error will be logged to the console. That means if the password makes the Postgres connection string an invalid URL, the credentials for your DB will be leaked to the console. Here's a quick example: