
strong password in dbconfig.yml not escaping

Open mdere-unbound opened this issue 5 years ago • 3 comments

For some reason in the following

development:
    dialect: postgres
    datasource: dbname=local user=admin password="......" host=localhost port=5432 sslmode=disable
    dir: migrations/postgres

When I use a complicated strong password with symbols, this gives me auth errors, but as soon as I turn the password to something simple - it goes through.

Am I missing something?

mdere-unbound avatar May 26 '19 18:05 mdere-unbound

I hit this today too - there's some code expanding variables like $DB_PASSWORD and unintentionally treating any dollar sign in the password as the start of a variable name reference.

bdelliott avatar Nov 10 '21 21:11 bdelliott

In all likelihood, these are YAML quirks

rubenv avatar Nov 11 '21 08:11 rubenv

The problem line is here: https://github.com/rubenv/sql-migrate/blob/master/sql-migrate/config.go#L75

os.ExpandEnv will interpret any $ sign as a variable to substitute, returning an empty string when that variable doesn't exist in the environment.

See: https://play.golang.wiki/p/Da4G-gXuwkY

This is by design in the Go function; it's just a shame it's consuming a dollar sign literal in the configured DSN in dbconfig.yml.

bdelliott avatar Nov 11 '21 14:11 bdelliott
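
The behaviour described in the last comment, as an added example that is not code from sql-migrate or from anyone in this thread: it shows `os.ExpandEnv` shortening a password that contains `$`, and a pre-flight check that names every reference that would expand to nothing. The helper `unsetRefs`, the constant `sampleDSN` and the password in it are constructed for illustration, and the environment is assumed to have no variable named `dor`.

```go
package main

import (
	"fmt"
	"os"
)

// Constructed sample DSN; the password is made up for this example.
const sampleDSN = "dbname=local user=admin password=Tr0ub$dor&3 " +
	"host=localhost port=5432 sslmode=disable"

// unsetRefs (hypothetical helper) returns every name that os.ExpandEnv
// would treat as a variable reference in s but that is not set in the
// environment. Each one marks a spot where text silently disappears.
func unsetRefs(s string) []string {
	var missing []string
	// os.Expand applies the same parsing rules as os.ExpandEnv; the
	// callback only records names, so the returned string is discarded.
	os.Expand(s, func(name string) string {
		if _, ok := os.LookupEnv(name); !ok {
			missing = append(missing, name)
		}
		return ""
	})
	return missing
}

func main() {
	// "$dor" is parsed as a variable name (the scan stops at '&'), so the
	// password sent to the server is no longer the configured one.
	fmt.Println("configured:", sampleDSN)
	fmt.Println("expanded:  ", os.ExpandEnv(sampleDSN))

	// Doubling the dollar sign is not an escape: "$$" is read as the
	// shell-special variable named "$", which is normally unset.
	fmt.Println("doubled:   ", os.ExpandEnv("password=pa$$word"))

	// Report the problem before connecting instead of debugging an
	// authentication failure afterwards.
	for _, name := range unsetRefs(sampleDSN) {
		fmt.Printf("warning: $%s is not set and expands to an empty string\n", name)
	}
}
```

Run over each `datasource` value before connecting, a check like this turns the authentication error into a finding that names the offending `$` sequence.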