Giters

brianc / node-postgres

PostgreSQL client for node.js.

Home Page:https://node-postgres.com

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Invalid connection strings can cause credentials to leak to console

pauls-ai2 opened this issue · comments

commented

Node: 16.14.2
PG: 8.11.3

The connectionString config is parsed by URL in node. When that library has an invalid string, it will throw an error with error.input being the value provided. If you create a client without wrapping it in a try/catch, that error will be logged to the console. That means if the password causes makes the Postgres connection string an invalid URL, the credentials for your DB will leaked to the console.

Here's a quick example:

const pg = require('pg');

const host = 'localhost';
const port = 5432;
const user = 'user';
const password = 'g#4624$@F$#v`';
const database = 'db';

const POSTGRES_URL = `postgres://${user}:${password}@${host}:${port}/${database}`;

const clientWorks = new pg.Client({
  host,
  port,
  user,
  password,
  database,
});

const clientFails = new pg.Client({
  connectionString: POSTGRES_URL,
});
node:internal/url:552
  throw new ERR_INVALID_URL(input);
  ^

TypeError [ERR_INVALID_URL]: Invalid URL
    at new NodeError (node:internal/errors:371:5)
    at onParseError (node:internal/url:552:9)
    at new URL (node:internal/url:628:5)
    at parse (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg-connection-string/index.js:29:14)
    at new ConnectionParameters (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg/lib/connection-parameters.js:56:42)
    at new Client (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/node_modules/pg/lib/client.js:18:33)
    at Object.<anonymous> (/Users/<REDACTED>/sandbox/2024-02-11--pg-password-leak/index.js:21:21)
    at Module._compile (node:internal/modules/cjs/loader:1103:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
    at Module.load (node:internal/modules/cjs/loader:981:32) {
  input: 'postgres://user:g#4624$@F$#v`@localhost:5432/db',
  code: 'ERR_INVALID_URL'
}
commented

Constructing the URI like that is incorrect. You need to escape the values via `encodeURIComponent(...):

const POSTGRES_URL = `postgresql://${encodeURIComponent(user)}:${encodeURIComponent(password)}@${host}:${port}/${encodeURIComponent(database)}`;

That allows you to handle arbitrary characters in those fields and ensure the URI is always valid.

commented

I agree that it is incorrect. That doesn't change the fact that many places build URLs this way. I found this because Google's SQL can generate URLs like this that are invalid URLs, but the credentials in them would be leaked if used this way. That's one example, but there are many more.