diff --git a/packages/pg-connection-string/index.js b/packages/pg-connection-string/index.js
index 7457c5dcc..4d83975ec 100644
--- a/packages/pg-connection-string/index.js
+++ b/packages/pg-connection-string/index.js
@@ -23,11 +23,16 @@ function parse(str, options = {}) {
   }
 
   try {
-    result = new URL(str, 'postgres://base')
-  } catch (e) {
-    // The URL is invalid so try again with a dummy host
-    result = new URL(str.replace('@/', '@___DUMMY___/'), 'postgres://base')
-    dummyHost = true
+    try {
+      result = new URL(str, 'postgres://base')
+    } catch (e) {
+      // The URL is invalid so try again with a dummy host
+      result = new URL(str.replace('@/', '@___DUMMY___/'), 'postgres://base')
+      dummyHost = true
+    }
+  } catch (err) {
+    // Remove the input from the error message to avoid leaking sensitive information
+    err.input && (err.input = '*****REDACTED*****')
   }
 
   // We'd like to use Object.fromEntries() here but Node.js 10 does not support it
diff --git a/packages/pg-connection-string/test/parse.ts b/packages/pg-connection-string/test/parse.ts
index c404ea643..1ba636788 100644
--- a/packages/pg-connection-string/test/parse.ts
+++ b/packages/pg-connection-string/test/parse.ts
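Review bot: The outer `catch (err)` redacts `err.input` but never rethrows, so when the dummy-host retry also fails the URL error is swallowed and `parse` carries on with `result` never assigned; if `result` is a bare `let` declared earlier, the next property access on it (outside this hunk) would surface as an unrelated TypeError, which would also let the new test pass for the wrong reason. Add `throw err` directly after the `err.input && (err.input = '*****REDACTED*****')` line, and consider writing that guard as a plain `if (err.input) err.input = '*****REDACTED*****'` rather than `&&` for its side effect. Redacting `input` only helps if the thrown error's `message` and `stack` do not also embed the input string, which is worth confirming for each Node version the package supports. `parse` begins before and continues after this hunk.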
@@ -315,6 +315,26 @@ describe('parse', function () {
     }).to.throw()
   })
 
+  it('when throwing on invalid url does not print out the password in the error message', function () {
+    const host = 'localhost'
+    const port = 5432
+    const user = 'user'
+    const password = 'g#4624$@F$#v`'
+    const database = 'db'
+
+    const connectionString = `postgres://${user}:${password}@${host}:${port}/${database}`
+    expect(function () {
+      parse(connectionString)
+    }).to.throw()
+    try {
+      parse(connectionString)
+    } catch (err: unknown) {
+      expect(JSON.stringify(err)).to.not.include(password, 'Password should not be in the error message')
+      return
+    }
+    throw new Error('Expected an error to be thrown')
+  })
+
   it('configuration parameter sslmode=verify-ca and sslrootcert with uselibpqcompat query param', function () {
     const connectionString = 'pg:///?sslmode=verify-ca&uselibpqcompat=true&sslrootcert=' + __dirname + '/example.ca'
     const subject = parse(connectionString)
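Review bot: `JSON.stringify(err)` serializes only an Error's own enumerable properties, so the assertion on the `expect(JSON.stringify(err))` line never inspects `err.message` or `err.stack`, which is where a leaked connection string would most likely appear; add checks such as `expect(String((err as Error).message)).to.not.include(password)` and `expect(String((err as Error).stack)).to.not.include(password)` alongside it. The test also does not assert what kind of error is thrown, so a later unrelated TypeError from the same call would satisfy it just as well as the redacted URL error; asserting on `(err as Error).message` or a `code` property would pin the intended path. The `expect(function () { parse(connectionString) }).to.throw()` block before the try/catch is redundant, since the `throw new Error('Expected an error to be thrown')` line already fails the test when nothing is thrown.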