GORM Playground Link

n/a

Description

When gorm fails to connect to e.g. postgres the resulting stack trace logs the `*pgconn.Config` object, including the database password, to the logs. I think that's a security issue that should be fixed on the level of gorm.

We have error logs like this

We try to open a connection like this:

Proposed fix:

On an application level, it's generally good to know why database connections failed, so we want to log the error. But relying on users to properly filter out the password in `pgconn.Config` is a big burden. Because password leaking through logs is a known problem, I think this should be considered a serious issue and not merely a feature request.

I think a big decision to be made is if this should be handled centrally by the gorm lib or for each connector separately.
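As an added illustration of the leak and of the two mitigation points the issue raises (redacting at the connector/config level versus scrubbing at the application level), here is a stand-alone Go example. It is not gorm or pgx code: `dbConfig` and `rawConfig` are constructed stand-ins for `*pgconn.Config`, and the host, user and password values are made up. The `rawConfig` path reproduces the reported behaviour (formatting the config with `%+v` puts the password into the error message); `dbConfig` shows a connector-side fix via `fmt.Stringer`/`fmt.GoStringer` so that no `%v`/`%+v`/`%#v` of the config can print the credential; and `safeConnectError` shows the application-side wrapper that keeps the original cause for `errors.Is` but scrubs the credential from the text that reaches the log.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// dbConfig stands in for a connector configuration such as *pgconn.Config.
// It is a constructed type for this example, not the real pgx/gorm type.
type dbConfig struct {
	Host     string
	Port     uint16
	User     string
	Password string
	Database string
}

// String implements fmt.Stringer, so %v, %+v and %s print a redacted view
// instead of dumping every field (which is how a password reaches the logs).
func (c dbConfig) String() string {
	return fmt.Sprintf("{Host:%s Port:%d User:%s Password:[REDACTED] Database:%s}",
		c.Host, c.Port, c.User, c.Database)
}

// GoString implements fmt.GoStringer so that %#v is redacted as well.
func (c dbConfig) GoString() string { return c.String() }

// rawConfig has no String method: formatting it with %+v prints all fields,
// password included. It models the behaviour the issue reports.
type rawConfig struct {
	Host, User, Password string
}

// naiveConnectError shows the leak: the whole config lands in the message.
func naiveConnectError(c rawConfig, cause error) error {
	return fmt.Errorf("failed to connect with config %+v: %w", c, cause)
}

// scrubSecrets replaces every occurrence of each non-empty secret in msg.
// Use it on messages produced by code you do not control (driver errors,
// stack traces) before they are written to a log sink.
func scrubSecrets(msg string, secrets ...string) string {
	for _, s := range secrets {
		if s != "" {
			msg = strings.ReplaceAll(msg, s, "[REDACTED]")
		}
	}
	return msg
}

// connectError carries a scrubbed message for logging while still wrapping
// the original cause so errors.Is / errors.As keep working.
type connectError struct {
	msg   string
	cause error
}

func (e *connectError) Error() string { return e.msg }

// Unwrap exposes the original error. Log the connectError itself, never
// errors.Unwrap(err), or the unscrubbed driver message comes back.
func (e *connectError) Unwrap() error { return e.cause }

// safeConnectError is the application-level wrapper the issue describes:
// it records where the connection was attempted, never the credential.
func safeConnectError(c dbConfig, cause error) error {
	msg := fmt.Sprintf("connect %s@%s:%d/%s failed: %s",
		c.User, c.Host, c.Port, c.Database, scrubSecrets(cause.Error(), c.Password))
	return &connectError{msg: msg, cause: cause}
}

func main() {
	// Constructed sample values; nothing here is a real credential or host.
	cfg := dbConfig{Host: "db.internal", Port: 5432, User: "app", Password: "s3cret-pw", Database: "orders"}
	cause := errors.New("dial error: server rejected password \"s3cret-pw\"")

	fmt.Println("naive:   ", naiveConnectError(rawConfig{cfg.Host, cfg.User, cfg.Password}, cause))
	fmt.Println("config:  ", fmt.Sprintf("%+v", cfg))
	fmt.Println("wrapped: ", safeConnectError(cfg, cause))
}
```

Running `go run` on this prints the naive message with the password in it, then the redacted config and the scrubbed wrapper message. The `Stringer` route is the one a library (gorm centrally, or each connector) could adopt so that any `%v`-style formatting of the config is safe by default; the `scrubSecrets` route is what an application can do today for driver errors whose text it does not control. Keeping `Unwrap` is a deliberate trade-off: it preserves `errors.Is` matching, but anything that logs the unwrapped cause bypasses the scrubbing.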