Remove password from stringified outputs (#2066)
* Remove password from stringified outputs

There's a security concern where if you're not careful and you include your client or pool instance in console.log or stack traces it might include the database password. To widen the pit of success I'm making that field non-enumerable. You can still get at it...it just won't show up "by accident" when you're logging things now.

The backwards compatibility impact of this is very small, but it is still technically somewhat an API change so...8.0.

* Implement feedback

* Fix more whitespace the autoformatter changed

* Simplify code a bit

* Remove password from stringified outputs (#2070)

* Keep ConnectionParameters’s password property writable

`Client` writes to it when `password` is a function.

* Avoid creating password property on pool options when it didn’t exist previously.

* Allow password option to be non-enumerable to avoid breaking uses like `new Pool(existingPool.options)`.

* Make password property definitions consistent in formatting and configurability.

Co-authored-by: Charmander <~@charmander.me>
1 parent c909aa6, commit 31eaa05
Showing 6 changed files with 74 additions and 3 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,3 +7,4 @@ package-lock.json | |
*.swp | ||
dist | ||
.DS_Store | ||
.vscode/ |
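Review bot: The added `.vscode/` entry is editor-specific and unrelated to the password change named in the commit title. It would sit better in its own commit or in each contributor's global gitignore, so that the security-relevant diff stays minimal and is easier to audit or backport.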
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
|
||
"use strict" | ||
const helper = require('./../test-helper') | ||
const assert = require('assert') | ||
const util = require('util') | ||
|
||
const suite = new helper.Suite() | ||
|
||
const password = 'FAIL THIS TEST' | ||
|
||
suite.test('Password should not exist in toString() output', () => { | ||
const pool = new helper.pg.Pool({ password }) | ||
const client = new helper.pg.Client({ password }) | ||
assert(pool.toString().indexOf(password) === -1); | ||
assert(client.toString().indexOf(password) === -1); | ||
}) | ||
|
||
suite.test('Password should not exist in util.inspect output', () => { | ||
const pool = new helper.pg.Pool({ password }) | ||
const client = new helper.pg.Client({ password }) | ||
const depth = 20; | ||
assert(util.inspect(pool, { depth }).indexOf(password) === -1); | ||
assert(util.inspect(client, { depth }).indexOf(password) === -1); | ||
}) | ||
|
||
suite.test('Password should not exist in json.stringfy output', () => { | ||
const pool = new helper.pg.Pool({ password }) | ||
const client = new helper.pg.Client({ password }) | ||
const depth = 20; | ||
assert(JSON.stringify(pool).indexOf(password) === -1); | ||
assert(JSON.stringify(client).indexOf(password) === -1); | ||
}) |
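Review bot: The first test probably passes with or without the fix. Unless Pool and Client define their own toString(), `pool.toString()` and `client.toString()` return "[object Object]", which never contains the password, so `assert(pool.toString().indexOf(password) === -1)` does not exercise the change; the util.inspect and JSON.stringify tests are the ones that do. It would also help to assert the positive side: that the password is still reachable by direct property access (the commit message says "You can still get at it") and is absent from `Object.keys(...)`, so a regression that drops the value is distinguishable from one that only hides it. All three tests supply the secret as `{ password }` only, so a password that arrives another way, for example inside a connection string option, is not covered by these assertions. Minor points in the third test: `const depth = 20;` is unused, and the test name reads "json.stringfy" where "JSON.stringify" is meant. The assert lines end in semicolons while the rest of the file omits them.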