PostgreSQL server password included in tags. Security issue.

[wtfuzz]

The entire 'server' parameter is included in the tags of measurements sent by the plugin. This is a security concern as the password is transmitted in the clear.

Example shown here. I replaced my password with XXXXX.

$ telegraf -config /etc/telegraf/telegraf.conf -test |grep post
* Plugin: postgresql, Collection 1
> postgresql,db=pdns,server=postgres://telegraf:XXXXX@localhost/pdns?sslmode\=disable blk_read_time=0,blk_write_time=0,blks_hit=3518854i,blks_read=1130i,conflicts=0i,deadlocks=0i,numbackends=17i,temp_bytes=0i,temp_files=0i,tup_deleted=1i,tup_fetched=585944i,tup_inserted=558i,tup_returned=54061355i,tup_updated=61i,xact_commit=159798i,xact_rollback=2i 1457552702321056243
> postgresql,db=postgres,server=postgres://telegraf:XXXXX@localhost/pdns?sslmode\=disable buffers_alloc=2119i,buffers_backend=25i,buffers_backend_fsync=0i,buffers_checkpoint=128i,buffers_clean=0i,checkpoint_sync_time=7,checkpoint_write_time=11339,checkpoints_req=2i,checkpoints_timed=10351i,maxwritten_clean=0i 1457552702322387204

[sparrc]

agreed, someone once submitted a PR to fix this but then disappeared when I asked for some revisions. If anyone has time to port this: #490 it would be greatly appreciated :)

[menardorama]

Hi,

I'll try to have a look

[menardorama]

Hi,

The issue is fxed in #845 for legacy and new plugin

[vidushis17]

Hi I am trying to monitor one of my AWS RDS Postgres Database using the telegraf plugin for postgres.
I am using the https://github.com/influxdata/telegraf/tree/master/plugins/inputs/postgresql_extensible input plugin.
The metrics flow to Wavefront but the password gets exposed as a part of the server tag. I use simple string:
address = "host=next-tango-instance--..rds.amazonaws.com user=postgres sslmode=disable password =* "

Now this address comes as a point tag in Wavefront as server= host=next-tango-instance--..rds.amazonaws.com user=postgres sslmode=disable password =* which essentially exposes my password in the dashboards.

I have seen that a fix has been provided by in #845 but this requires me to specify the address via url matching and whenever I try to do it for example like:
address = postgresql://postgres:xyz@next-tango-instance-..us--2.rds.amazonaws.com

The metrics stop coming. And the telegraf client throws an exception saying:
2020-08-03T17:14:01Z E! [telegraf] Error running agent: Error parsing /etc/telegraf/telegraf.conf, line 16: invalid TOML syntax

Can someone help me here?