Log message for database connection exposes the full URL that may contain plain text credentials

[jean553]

Q	A
Version	3.3.4

The doctrine channel records the following log when a connection is established to the database:

Connecting with parameters array{
    "url":"postgresql://username:PLAIN_TEXT_PASSWORD@hostname/database_name",
    "driver":"pdo_pgsql",
    "host":"hostname",
    "port":null,
    "user":"username",
    "password":"<redacted>",
    "driverOptions":[],
    "serverVersion":"12",
    "defaultTableOptions":[],
    "dbname":"database_name",
    "charset":"utf8"
}

Although the password field value is not visible (<redacted> instead), the password is visible in the url field (https://github.com/doctrine/dbal/blob/3.3.x/src/Logging/Driver.php#L31). Using an URL instead of individual DB parameters is valid though (https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#getting-a-connection).

This can be a security issue regarding where the logs are stored and who has access to those logs.

[allan-simon]

the url should be redacted (or at least the password part) or the log set to debug instead of info ?

[GCth]

Using URL is actually a recommended configuration for recent Symfony releases, so this will affect a large number of users.

Ideally, the passwords should never appear in logs, no matter the logging level.

Also I do not think this information belongs to the info level, as during normal application operation, it's unnecessary, filling the logs with repetitive contents. Therefore I recommend lowering it to debug.

[greg0ire]

Do we know what versions are affected? I suspect it affects many versions, but was revealed only recently by doctrine/DoctrineBundle#1456

IMO a good first step would be to unset url if present. Anybody up to the task? This could be done in

dbal/src/Logging/Driver.php

Lines 44 to 51 in e839cec

	private function maskPassword(array $params): array
	{
	if (isset($params['password'])) {
	$params['password'] = '<redacted>';
	}
	return $params;
	}

and tested in

dbal/tests/Logging/MiddlewareTest.php

Lines 37 to 58 in e839cec

	public function testConnectAndDisconnect(): void
	{
	$this->logger->expects(self::exactly(2))
	->method('info')
	->withConsecutive(
	[
	'Connecting with parameters {params}',
	[
	'params' => [
	'username' => 'admin',
	'password' => '<redacted>',
	],
	],
	],
	['Disconnecting', []],
	);
	$this->driver->connect([
	'username' => 'admin',
	'password' => 'Passw0rd!',
	]);
	}

[stof]

Do we know what versions are affected? I suspect it affects many versions, but was revealed only recently by doctrine/DoctrineBundle#1456

I suspect it affects only the new logging middleware, which would explain why it was revealed by that DoctrineBundle PR starting to use it in Symfony projects.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.