Merge pull request #20 from PostHog/fix/redact-password-logging

Redact passwords from DuckLake connection string logs

Author: EDsCODE

server/conn_test.go

@@ -224,3 +224,51 @@ func TestGetCommandType(t *testing.T) {
 		})
 	}
 }
+
+func TestRedactConnectionString(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "postgres connection string with password",
+			input:    "postgres:host=localhost user=postgres password=secretpass dbname=ducklake",
+			expected: "postgres:host=localhost user=postgres password=[REDACTED] dbname=ducklake",
+		},
+		{
+			name:     "connection string with password= format",
+			input:    "host=localhost password=mysecret user=admin",
+			expected: "host=localhost password=[REDACTED] user=admin",
+		},
+		{
+			name:     "connection string with PASSWORD uppercase",
+			input:    "host=localhost PASSWORD=mysecret user=admin",
+			expected: "host=localhost PASSWORD=[REDACTED] user=admin",
+		},
+		{
+			name:     "connection string without password",
+			input:    "host=localhost user=postgres dbname=test",
+			expected: "host=localhost user=postgres dbname=test",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "password with special characters",
+			input:    "host=localhost password=p@ss!word123 user=admin",
+			expected: "host=localhost password=[REDACTED] user=admin",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := redactConnectionString(tt.input)
+			if result != tt.expected {
+				t.Errorf("redactConnectionString(%q) = %q, want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}

server/server.go

@@ -7,13 +7,21 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"regexp"
 	"sync"
 	"sync/atomic"
 	"time"
 
 	_ "github.com/duckdb/duckdb-go/v2"
 )
 
+// redactConnectionString removes sensitive information (passwords) from connection strings for logging
+var passwordPattern = regexp.MustCompile(`(?i)(password\s*[=:]\s*)([^\s]+)`)
+
+func redactConnectionString(connStr string) string {
+	return passwordPattern.ReplaceAllString(connStr, "${1}[REDACTED]")
+}
+
 type Config struct {
 	Host    string
 	Port    int
@@ -317,10 +325,10 @@ func (s *Server) attachDuckLake(db *sql.DB) error {
 		attachStmt = fmt.Sprintf("ATTACH 'ducklake:%s' AS ducklake (DATA_PATH '%s')",
 			s.cfg.DuckLake.MetadataStore, s.cfg.DuckLake.ObjectStore)
 		log.Printf("Attaching DuckLake catalog with object store: metadata=%s, data=%s",
-			s.cfg.DuckLake.MetadataStore, s.cfg.DuckLake.ObjectStore)
+			redactConnectionString(s.cfg.DuckLake.MetadataStore), s.cfg.DuckLake.ObjectStore)
 	} else {
 		attachStmt = fmt.Sprintf("ATTACH 'ducklake:%s' AS ducklake", s.cfg.DuckLake.MetadataStore)
-		log.Printf("Attaching DuckLake catalog: %s", s.cfg.DuckLake.MetadataStore)
+		log.Printf("Attaching DuckLake catalog: %s", redactConnectionString(s.cfg.DuckLake.MetadataStore))
 	}
 
 	if _, err := db.Exec(attachStmt); err != nil {