Redact input URL string to prevent console printing (#3486)

Author: brianc

packages/pg-connection-string/index.js

@@ -23,11 +23,16 @@ function parse(str, options = {}) {
   }
 
   try {
-    result = new URL(str, 'postgres://base')
-  } catch (e) {
-    // The URL is invalid so try again with a dummy host
-    result = new URL(str.replace('@/', '@___DUMMY___/'), 'postgres://base')
-    dummyHost = true
+    try {
+      result = new URL(str, 'postgres://base')
+    } catch (e) {
+      // The URL is invalid so try again with a dummy host
+      result = new URL(str.replace('@/', '@___DUMMY___/'), 'postgres://base')
+      dummyHost = true
+    }
+  } catch (err) {
+    // Remove the input from the error message to avoid leaking sensitive information
+    err.input && (err.input = '*****REDACTED*****')
   }
 
   // We'd like to use Object.fromEntries() here but Node.js 10 does not support it

packages/pg-connection-string/test/parse.ts

@@ -315,6 +315,26 @@ describe('parse', function () {
     }).to.throw()
   })
 
+  it('when throwing on invalid url does not print out the password in the error message', function () {
+    const host = 'localhost'
+    const port = 5432
+    const user = 'user'
+    const password = 'g#4624$@F$#v`'
+    const database = 'db'
+
+    const connectionString = `postgres://${user}:${password}@${host}:${port}/${database}`
+    expect(function () {
+      parse(connectionString)
+    }).to.throw()
+    try {
+      parse(connectionString)
+    } catch (err: unknown) {
+      expect(JSON.stringify(err)).to.not.include(password, 'Password should not be in the error message')
+      return
+    }
+    throw new Error('Expected an error to be thrown')
+  })
+
   it('configuration parameter sslmode=verify-ca and sslrootcert with uselibpqcompat query param', function () {
     const connectionString = 'pg:///?sslmode=verify-ca&uselibpqcompat=true&sslrootcert=' + __dirname + '/example.ca'
     const subject = parse(connectionString)