Censor password in logs when database is configured with a connection URI

[jysandy]

If there's an error connecting to the database and the connection is configured with a connection URI, the entire connection URI is printed to the logs. Like so:

Error creating DB connection for {:connection-uri "jdbc:postgresql://localhost:19401/chronograph_dev?user=chronograph_dev&password=chronograph_devpwd"}

This could result in the password being leaked.

One possible solution could be to log only the first part of the connection URI up until the host and port. Alternatively, we could redact the entire connection URI. I noticed that there's already a function to censor the password, but this only works if the db-spec has a :password key. https://github.com/yogthos/migratus/blob/master/src/migratus/utils.clj#L90

Happy to raise a PR if you agree with either of these solutions.

[yogthos]

Hi,

I agree the feature would be useful. One thing to consider here is that there is some variation in how the connection string can be specified for different databases. So, might be safest to parse out from :// to of the address. For example, Oracle connections can look like jdbc:oracle:thin:user/pass@//123.11.222.33:1521/schema. And a PR for this would be very welcome.