search

microsoft / go-mssqldb

Microsoft SQL server driver written in go language
BSD 3-Clause "New" or "Revised" License
283 stars 63 forks source link

`conn.Query*` might return error that contains connection credentials #219

Open jzhn opened 1 month ago

jzhn commented 1 month ago

Describe the bug

When the connection string is malformed, go-mssqldb might return an error that contains the username and password, which might be logged by the caller and cause credentials leak.

This is caused by a late url.Parse call which might include the entire connection URL in the error message.

Stack trace

url.Parse (url.go:478) net/url
msdsn.splitConnectionStringURL (conn_str.go:631) github.com/microsoft/go-mssqldb/msdsn
msdsn.getDsnParams (conn_str.go:272) github.com/microsoft/go-mssqldb/msdsn
msdsn.Parse (conn_str.go:291) github.com/microsoft/go-mssqldb/msdsn
mssql.(*Driver).open (mssql.go:410) github.com/microsoft/go-mssqldb
mssql.(*Driver).Open (mssql.go:77) github.com/microsoft/go-mssqldb
sql.dsnConnector.Connect (sql.go:791) database/sql
<autogenerated>:2
sql.(*DB).conn (sql.go:1415) database/sql
sql.(*DB).query (sql.go:1749) database/sql
sql.(*DB).QueryContext.func1 (sql.go:1732) database/sql
sql.(*DB).retry (sql.go:1566) database/sql
sql.(*DB).QueryContext (sql.go:1731) database/sql
sql.(*DB).Query (sql.go:1745) database/sql

Steps to reproduce

func (suite *MssqlDBTestSuite) TestConnectionCredentialsLeak() {
    conn, err := sql.Open("mssql", "sqlserver://username:password@[foo].bar:1433?database=foo&encrypt=true&ssl=require")
    suite.NoError(err)

    _, err = conn.Query("select 1")
    suite.NoError(err)
}

Actual behaviour

the error returned from conn.Query reveals the connection credentials

Error:          Received unexpected error:
                            parse "sqlserver://username:password@[foo].bar:1433?database=foo&encrypt=true&ssl=require": invalid port ".bar:1433" after host

Expected behaviour

The error does not include credentials (username/password)

Further technical details

SQL Server version: doesn't matter. this error happens on the client side. Operating system: macOS 14.5 on M1 CPU Table schema: doesn't matter. this error happens on the client side.

Notes

The issue happens when the caller provides a malformed connection string. However, it's still undesirable for go-mssqldb to return an error that could lead to the leak of connection credentials. Especially that the error isn't returned in sql.Open, but later on conn.Query, so the error can not be easily handled centrally.