Skip to content

Add sensitive url string to avoid leak in log messages #35594

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
+84 −49
Draft

Add sensitive url string to avoid leak in log messages #35594

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
90c1c5a
Add sensitive url string to avoid leak in log messages
lunny Oct 6, 2025
10e41cf
Fix test
lunny Oct 7, 2025
947ba6c
Merge branch 'main' into lunny/sensitive_data
lunny Oct 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions models/db/engine_init.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ func newXORMEngine() (*xorm.Engine, error) {
if setting.Database.Type.IsPostgreSQL() && len(setting.Database.Schema) > 0 {
// OK whilst we sort out our schema issues - create a schema aware postgres
registerPostgresSchemaDriver()
engine, err = xorm.NewEngine("postgresschema", connStr)
engine, err = xorm.NewEngine("postgresschema", connStr.String())
} else {
engine, err = xorm.NewEngine(setting.Database.Type.String(), connStr)
engine, err = xorm.NewEngine(setting.Database.Type.String(), connStr.String())
}

if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion modules/globallock/globallock.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ var (
initFunc = func() {
switch setting.GlobalLock.ServiceType {
case "redis":
defaultLocker = NewRedisLocker(setting.GlobalLock.ServiceConnStr)
defaultLocker = NewRedisLocker(setting.GlobalLock.ServiceConnStr.String())
case "memory":
fallthrough
default:
Expand Down
2 changes: 1 addition & 1 deletion modules/indexer/code/indexer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ func Init() {
}
}()

rIndexer = elasticsearch.NewIndexer(setting.Indexer.RepoConnStr, setting.Indexer.RepoIndexerName)
rIndexer = elasticsearch.NewIndexer(setting.Indexer.RepoConnStr.String(), setting.Indexer.RepoIndexerName)
existed, err = rIndexer.Init(ctx)
if err != nil {
cancel()
Expand Down
4 changes: 2 additions & 2 deletions modules/indexer/issues/indexer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,15 +97,15 @@ func InitIssueIndexer(syncReindex bool) {
log.Fatal("Unable to initialize Bleve Issue Indexer at path: %s Error: %v", setting.Indexer.IssuePath, err)
}
case "elasticsearch":
issueIndexer = elasticsearch.NewIndexer(setting.Indexer.IssueConnStr, setting.Indexer.IssueIndexerName)
issueIndexer = elasticsearch.NewIndexer(setting.Indexer.IssueConnStr.String(), setting.Indexer.IssueIndexerName)
existed, err = issueIndexer.Init(ctx)
if err != nil {
log.Fatal("Unable to issueIndexer.Init with connection %s Error: %v", setting.Indexer.IssueConnStr, err)
}
case "db":
issueIndexer = db.GetIndexer()
case "meilisearch":
issueIndexer = meilisearch.NewIndexer(setting.Indexer.IssueConnStr, setting.Indexer.IssueConnAuth, setting.Indexer.IssueIndexerName)
issueIndexer = meilisearch.NewIndexer(setting.Indexer.IssueConnStr.String(), setting.Indexer.IssueConnAuth.String(), setting.Indexer.IssueIndexerName)
existed, err = issueIndexer.Init(ctx)
if err != nil {
log.Fatal("Unable to issueIndexer.Init with connection %s Error: %v", setting.Indexer.IssueConnStr, err)
Expand Down
10 changes: 10 additions & 0 deletions modules/log/event_format.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ import (
"fmt"
"strings"
"time"

"code.gitea.io/gitea/modules/util"
)

type Event struct {
Expand Down Expand Up @@ -203,6 +205,14 @@ func EventFormatTextMessage(mode *WriterMode, event *Event, msgFormat string, ms

var msg []byte

for i, v := range msgArgs {
if sensitiveURL, ok := v.(util.SensitiveURLString); ok {
msgArgs[i] = util.SanitizeCredentialURLs(string(sensitiveURL))
} else if _, ok := v.(util.SensitivePasswordString); ok {
msgArgs[i] = "********"
}
}

// if the log needs colorizing, do it
if mode.Colorize && len(msgArgs) > 0 {
hasColorValue := false
Expand Down
4 changes: 2 additions & 2 deletions modules/queue/base_levelqueue_common.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,10 +78,10 @@ func prepareLevelDB(cfg *BaseConfig) (conn string, db *leveldb.DB, err error) {
}
conn = cfg.DataFullDir
} else {
if !strings.HasPrefix(cfg.ConnStr, "leveldb://") {
if !strings.HasPrefix(cfg.ConnStr.String(), "leveldb://") {
return "", nil, fmt.Errorf("invalid leveldb connection string: %q", cfg.ConnStr)
}
conn = cfg.ConnStr
conn = cfg.ConnStr.String()
}
for range 10 {
if db, err = nosql.GetManager().GetLevelDB(conn); err == nil {
Expand Down
3 changes: 2 additions & 1 deletion modules/queue/base_levelqueue_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (

"code.gitea.io/gitea/modules/queue/lqinternal"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"

"gitea.com/lunny/levelqueue"
"github.com/stretchr/testify/assert"
Expand All @@ -23,7 +24,7 @@ func TestBaseLevelDB(t *testing.T) {
assert.ErrorContains(t, err, "invalid leveldb data dir")

testQueueBasic(t, newBaseLevelQueueSimple, toBaseConfig("baseLevelQueue", setting.QueueSettings{Datadir: t.TempDir() + "/queue-test", Length: 10}), false)
testQueueBasic(t, newBaseLevelQueueUnique, toBaseConfig("baseLevelQueueUnique", setting.QueueSettings{ConnStr: "leveldb://" + t.TempDir() + "/queue-test", Length: 10}), true)
testQueueBasic(t, newBaseLevelQueueUnique, toBaseConfig("baseLevelQueueUnique", setting.QueueSettings{ConnStr: util.SensitiveURLString("leveldb://" + t.TempDir() + "/queue-test"), Length: 10}), true)
}

func TestCorruptedLevelQueue(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion modules/queue/base_redis.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ type baseRedis struct {
var _ baseQueue = (*baseRedis)(nil)

func newBaseRedisGeneric(cfg *BaseConfig, unique bool) (baseQueue, error) {
client := nosql.GetManager().GetRedisClient(cfg.ConnStr)
client := nosql.GetManager().GetRedisClient(string(cfg.ConnStr))

var err error
for range 10 {
Expand Down
3 changes: 2 additions & 1 deletion modules/queue/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,14 @@ package queue

import (
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"
)

type BaseConfig struct {
ManagedName string
DataFullDir string // the caller must prepare an absolute path

ConnStr string
ConnStr util.SensitiveURLString
Length int

QueueFullName, SetFullName string
Expand Down
2 changes: 1 addition & 1 deletion modules/queue/manager_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ MAX_WORKERS = 123
assert.Equal(t, filepath.Join(setting.AppDataPath, "queues/dir1"), q1.baseConfig.DataFullDir)
assert.Equal(t, 100, q1.baseConfig.Length)
assert.Equal(t, 20, q1.batchLength)
assert.Equal(t, "addrs=127.0.0.1:6379 db=0", q1.baseConfig.ConnStr)
assert.Equal(t, "addrs=127.0.0.1:6379 db=0", q1.baseConfig.ConnStr.String())
assert.Equal(t, "no-such_queue1", q1.baseConfig.QueueFullName)
assert.Equal(t, "no-such_queue1_unique", q1.baseConfig.SetFullName)
assert.NotZero(t, q1.GetWorkerMaxNumber())
Expand Down
22 changes: 12 additions & 10 deletions modules/setting/database.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ import (
"path/filepath"
"strings"
"time"

"code.gitea.io/gitea/modules/util"
)

var (
Expand All @@ -29,7 +31,7 @@ var (
Host string
Name string
User string
Passwd string
Passwd util.SensitivePasswordString
Schema string
SSLMode string
Path string
Expand Down Expand Up @@ -65,7 +67,7 @@ func loadDBSetting(rootCfg ConfigProvider) {
Database.Name = sec.Key("NAME").String()
Database.User = sec.Key("USER").String()
if len(Database.Passwd) == 0 {
Database.Passwd = sec.Key("PASSWD").String()
Database.Passwd = util.SensitivePasswordString(sec.Key("PASSWD").String())
}
Database.Schema = sec.Key("SCHEMA").String()
Database.SSLMode = sec.Key("SSL_MODE").MustString("disable")
Expand All @@ -92,8 +94,8 @@ func loadDBSetting(rootCfg ConfigProvider) {
}

// DBConnStr returns database connection string
func DBConnStr() (string, error) {
var connStr string
func DBConnStr() (util.SensitiveURLString, error) {
var connStr util.SensitiveURLString
paramSep := "?"
if strings.Contains(Database.Name, paramSep) {
paramSep = "&"
Expand All @@ -108,13 +110,13 @@ func DBConnStr() (string, error) {
if tls == "disable" { // allow (Postgres-inspired) default value to work in MySQL
tls = "false"
}
connStr = fmt.Sprintf("%s:%s@%s(%s)/%s%sparseTime=true&tls=%s",
Database.User, Database.Passwd, connType, Database.Host, Database.Name, paramSep, tls)
connStr = util.SensitiveURLString(fmt.Sprintf("%s:%s@%s(%s)/%s%sparseTime=true&tls=%s",
Database.User, Database.Passwd, connType, Database.Host, Database.Name, paramSep, tls))
case "postgres":
connStr = getPostgreSQLConnectionString(Database.Host, Database.User, Database.Passwd, Database.Name, Database.SSLMode)
connStr = util.SensitiveURLString(getPostgreSQLConnectionString(Database.Host, Database.User, Database.Passwd.String(), Database.Name, Database.SSLMode))
case "mssql":
host, port := ParseMSSQLHostPort(Database.Host)
connStr = fmt.Sprintf("server=%s; port=%s; database=%s; user id=%s; password=%s;", host, port, Database.Name, Database.User, Database.Passwd)
connStr = util.SensitiveURLString(fmt.Sprintf("server=%s; port=%s; database=%s; user id=%s; password=%s;", host, port, Database.Name, Database.User, Database.Passwd))
case "sqlite3":
if !EnableSQLite3 {
return "", errors.New("this Gitea binary was not built with SQLite3 support")
Expand All @@ -126,8 +128,8 @@ func DBConnStr() (string, error) {
if Database.SQLiteJournalMode != "" {
journalMode = "&_journal_mode=" + Database.SQLiteJournalMode
}
connStr = fmt.Sprintf("file:%s?cache=shared&mode=rwc&_busy_timeout=%d&_txlock=immediate%s",
Database.Path, Database.Timeout, journalMode)
connStr = util.SensitiveURLString(fmt.Sprintf("file:%s?cache=shared&mode=rwc&_busy_timeout=%d&_txlock=immediate%s",
Database.Path, Database.Timeout, journalMode))
default:
return "", fmt.Errorf("unknown database type: %s", Database.Type)
}
Expand Down
5 changes: 3 additions & 2 deletions modules/setting/gloabl_lock.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,13 @@ package setting
import (
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/nosql"
"code.gitea.io/gitea/modules/util"
)

// GlobalLock represents configuration of global lock
var GlobalLock = struct {
ServiceType string
ServiceConnStr string
ServiceConnStr util.SensitiveURLString
}{
ServiceType: "memory",
}
Expand All @@ -30,7 +31,7 @@ func loadGlobalLockFrom(rootCfg ConfigProvider) {
if u == nil {
log.Fatal("SERVICE_CONN_STR %s is not a valid redis connection string", connStr)
}
GlobalLock.ServiceConnStr = connStr
GlobalLock.ServiceConnStr = util.SensitiveURLString(connStr)
default:
log.Fatal("Unknown sync lock service type: %s", GlobalLock.ServiceType)
}
Expand Down
2 changes: 1 addition & 1 deletion modules/setting/global_lock_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,6 @@ SERVICE_CONN_STR = addrs=127.0.0.1:6379 db=0

loadGlobalLockFrom(cfg)
assert.Equal(t, "redis", GlobalLock.ServiceType)
assert.Equal(t, "addrs=127.0.0.1:6379 db=0", GlobalLock.ServiceConnStr)
assert.Equal(t, "addrs=127.0.0.1:6379 db=0", GlobalLock.ServiceConnStr.String())
})
}
18 changes: 10 additions & 8 deletions modules/setting/indexer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,22 +10,23 @@ import (
"time"

"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/util"
)

// Indexer settings
var Indexer = struct {
IssueType string
IssuePath string
IssueConnStr string
IssueConnAuth string
IssueConnStr util.SensitiveURLString
IssueConnAuth util.SensitivePasswordString
IssueIndexerName string
StartupTimeout time.Duration

RepoIndexerEnabled bool
RepoIndexerRepoTypes []string
RepoType string
RepoPath string
RepoConnStr string
RepoConnStr util.SensitiveURLString
RepoIndexerName string
MaxIndexerFileSize int64
IncludePatterns []*GlobMatcher
Expand Down Expand Up @@ -60,16 +61,17 @@ func loadIndexerFrom(rootCfg ConfigProvider) {
}
checkOverlappedPath("[indexer].ISSUE_INDEXER_PATH", Indexer.IssuePath)
} else {
Indexer.IssueConnStr = sec.Key("ISSUE_INDEXER_CONN_STR").MustString(Indexer.IssueConnStr)
Indexer.IssueConnStr = util.SensitiveURLString(sec.Key("ISSUE_INDEXER_CONN_STR").MustString(string(Indexer.IssueConnStr)))
if Indexer.IssueType == "meilisearch" {
u, err := url.Parse(Indexer.IssueConnStr)
u, err := url.Parse(string(Indexer.IssueConnStr))
if err != nil {
log.Warn("Failed to parse ISSUE_INDEXER_CONN_STR: %v", err)
u = &url.URL{}
}
Indexer.IssueConnAuth, _ = u.User.Password()
p, _ := u.User.Password()
Indexer.IssueConnAuth = util.SensitivePasswordString(p)
u.User = nil
Indexer.IssueConnStr = u.String()
Indexer.IssueConnStr = util.SensitiveURLString(u.String())
}
}

Expand All @@ -82,7 +84,7 @@ func loadIndexerFrom(rootCfg ConfigProvider) {
if !filepath.IsAbs(Indexer.RepoPath) {
Indexer.RepoPath = filepath.ToSlash(filepath.Join(AppWorkPath, Indexer.RepoPath))
}
Indexer.RepoConnStr = sec.Key("REPO_INDEXER_CONN_STR").MustString("")
Indexer.RepoConnStr = util.SensitiveURLString(sec.Key("REPO_INDEXER_CONN_STR").MustString(""))
Indexer.RepoIndexerName = sec.Key("REPO_INDEXER_NAME").MustString("gitea_codes")

Indexer.IncludePatterns = IndexerGlobFromString(sec.Key("REPO_INDEXER_INCLUDE").MustString(""))
Expand Down
7 changes: 4 additions & 3 deletions modules/setting/queue.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (

"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/util"
)

// QueueSettings represent the settings for a queue from the ini
Expand All @@ -17,8 +18,8 @@ type QueueSettings struct {

Type string
Datadir string
ConnStr string // for leveldb or redis
Length int // max queue length before blocking
ConnStr util.SensitiveURLString // for leveldb or redis
Length int // max queue length before blocking

QueueName, SetName string // the name suffix for storage (db key, redis key), "set" is for unique queue

Expand Down Expand Up @@ -65,7 +66,7 @@ func GetQueueSettings(rootCfg ConfigProvider, name string) (QueueSettings, error
return cfg, nil
}
if sec.HasKey("CONN_STR") {
cfg.ConnStr = sec.Key("CONN_STR").String()
cfg.ConnStr = util.SensitiveURLString(sec.Key("CONN_STR").String())
}
}

Expand Down
13 changes: 7 additions & 6 deletions modules/setting/session.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,15 @@ import (

"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/util"
)

// SessionConfig defines Session settings
var SessionConfig = struct {
OriginalProvider string
Provider string
// Provider configuration, it's corresponding to provider.
ProviderConfig string
ProviderConfig util.SensitiveURLString
// Cookie name to save session ID. Default is "MacaronSession".
CookieName string
// Cookie path to store. Default is "/".
Expand All @@ -43,10 +44,10 @@ func loadSessionFrom(rootCfg ConfigProvider) {
sec := rootCfg.Section("session")
SessionConfig.Provider = sec.Key("PROVIDER").In("memory",
[]string{"memory", "file", "redis", "mysql", "postgres", "couchbase", "memcache", "db"})
SessionConfig.ProviderConfig = strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(filepath.Join(AppDataPath, "sessions")), "\" ")
if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {
SessionConfig.ProviderConfig = filepath.Join(AppWorkPath, SessionConfig.ProviderConfig)
checkOverlappedPath("[session].PROVIDER_CONFIG", SessionConfig.ProviderConfig)
SessionConfig.ProviderConfig = util.SensitiveURLString(strings.Trim(sec.Key("PROVIDER_CONFIG").MustString(filepath.Join(AppDataPath, "sessions")), "\" "))
if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig.String()) {
SessionConfig.ProviderConfig = util.SensitiveURLString(filepath.Join(AppWorkPath, SessionConfig.ProviderConfig.String()))
checkOverlappedPath("[session].PROVIDER_CONFIG", SessionConfig.ProviderConfig.String())
}
SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")
SessionConfig.CookiePath = AppSubURL
Expand All @@ -70,7 +71,7 @@ func loadSessionFrom(rootCfg ConfigProvider) {
if err != nil {
log.Fatal("Can't shadow session config: %v", err)
}
SessionConfig.ProviderConfig = string(shadowConfig)
SessionConfig.ProviderConfig = util.SensitiveURLString(shadowConfig)
SessionConfig.OriginalProvider = SessionConfig.Provider
SessionConfig.Provider = "VirtualSession"
}
14 changes: 14 additions & 0 deletions modules/util/sanitize.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,20 @@ import (
"unicode"
)

// SensitiveURLString is a string that may contain sensitive credentials in URLs
type SensitiveURLString string

func (s SensitiveURLString) String() string {
return string(s)
}

// SensitivePasswordString is a string that is a sensitive password
type SensitivePasswordString string

func (s SensitivePasswordString) String() string {
return string(s)
}

type sanitizedError struct {
err error
}
Expand Down
2 changes: 1 addition & 1 deletion routers/common/middleware.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ func ForwardedHeadersHandler(limit int, trustedProxies []string) func(h http.Han
func Sessioner() (func(next http.Handler) http.Handler, error) {
middleware, err := session.Sessioner(session.Options{
Provider: setting.SessionConfig.Provider,
ProviderConfig: setting.SessionConfig.ProviderConfig,
ProviderConfig: setting.SessionConfig.ProviderConfig.String(),
CookieName: setting.SessionConfig.CookieName,
CookiePath: setting.SessionConfig.CookiePath,
Gclifetime: setting.SessionConfig.Gclifetime,
Expand Down
Loading