postgres_scanner

On connection failure logs are leaking secrets

Open sisidra opened this issue 3 months ago • 3 comments

What happens?

Attaching to Postgres using secrets will leak secret information in logs on failure.

To Reproduce

CREATE SECRET (
    TYPE postgres,
    PASSWORD 'MySecret'
);
ATTACH '' AS pgdb (TYPE postgres);

IO Error: Unable to connect to Postgres at password='MySecret' : connection to server on socket "/tmp/.s.PGSQL.5432" failed: No such file or directory Is the server running locally and accepting connections on that socket?

OS:

MacOS

PostgreSQL Version:

DuckDB Version:

1.3.2

DuckDB Client:

CLI, Python

Full Name:

Mārtiņš Kalvāns

Affiliation:

NymTech

Have you tried this on the latest main branch?

  • [x] I agree

Have you tried the steps to reproduce? Do they include all relevant data and configuration? Does the issue you report still appear there?

  • [x] I agree

Sep 08 '25 13:09 sisidra

This is a real security concern, where the only solution is to either swallow errors or haphazardly sanitize raw string errors and hope for the best.

Sep 30 '25 07:09 apognu

We also just ran into this. It happens both when directly passing a connection string to ATTACH and when using a secret.

Is there any way we can help to get this resolved in the extension directly?

Thank you 🙏

Oct 01 '25 05:10 jorinvo

When I glanced at the code, it seemed like it is fixable in the extension only. It is a bit involved, as it would mean passing around split parameters (direct and secret separately), then combining them before connecting and error-logging only the direct ones. It does not seem extremely hard, but also not super trivial for me myself.

Oct 01 '25 09:10 sisidra
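
The split-parameter approach described in the comment above, sketched as an added example (not the extension's code and not its actual fix): the full connection string exists only at connect time, and the error text is built from the direct parameters plus the names of secret-supplied keys. `ConnectionParams`, `BuildDsn` and `BuildConnectError` are hypothetical names, parameters are assumed to be already parsed into key/value pairs, and the sketch goes one step beyond the comment by masking `password`/`sslpassword` among the direct parameters, since the thread reports the leak with a direct connection string too.

```cpp
#include <map>
#include <string>

// Hypothetical names for illustration; not the extension's actual code.
using Params = std::map<std::string, std::string>;

struct ConnectionParams {
    Params direct; // parsed from the ATTACH connection string
    Params secret; // resolved from CREATE SECRET; values never reach error text
};

// libpq keyword/value quoting: single-quote the value, backslash-escape ' and \.
static std::string QuoteValue(const std::string &v) {
    std::string out = "'";
    for (char c : v) {
        if (c == '\'' || c == '\\') out += '\\';
        out += c;
    }
    return out + "'";
}

static bool IsSensitive(const std::string &k) { return k == "password" || k == "sslpassword"; }

static std::string Join(const Params &p, bool for_log) {
    std::string out;
    for (const auto &kv : p) {
        if (!out.empty()) out += ' ';
        out += kv.first + "=" + (for_log && IsSensitive(kv.first) ? "***" : QuoteValue(kv.second));
    }
    return out;
}

// Full connection string: built only at the point of connecting.
std::string BuildDsn(const ConnectionParams &cp) {
    Params merged = cp.secret;
    for (const auto &kv : cp.direct) merged[kv.first] = kv.second; // assumption: direct overrides secret
    return Join(merged, false);
}

// Error text: direct parameters (sensitive keys masked) plus secret key names only.
std::string BuildConnectError(const ConnectionParams &cp, const std::string &driver_msg) {
    std::string keys;
    for (const auto &kv : cp.secret) keys += (keys.empty() ? "" : ", ") + kv.first;
    return "Unable to connect to Postgres at \"" + Join(cp.direct, true) + "\" (from secret: " +
           (keys.empty() ? "none" : keys) + "): " + driver_msg;
}
```

Because redaction is decided by parameter key on structured data, it does not depend on the wording of the error message, which is the weakness of sanitizing the raw string afterwards.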

Has this gotten any attention internally? It's pretty dangerous to leak credentials like this, for databases of all things. We're forced to suppress all errors during connect/attach in CI pipelines, which is not helpful when things go wrong.

Attempting to sanitize manually will easily break if the error message changes at all, and what's worse, probably nobody will notice if it does. For example, if attaching via the ducklake extension, the error message is slightly different.

For open source projects, this could mean publishing full database connection strings to the GitHub Actions tab...

Nov 07 '25 23:11 kyzyl

Hi there!

Yes we are looking into this! Sorry for the delay!

Nov 10 '25 15:11 guillesd

Thank you so much @Mytherin @guillesd! Great to see this fixed 🙏

Nov 11 '25 05:11 jorinvo