Skip to content

Fix password leak from JDBC URL #11568

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gh-worker-dd-mergequeue-cf854d merged 3 commits into from
Jun 4, 2026
Merged

Fix password leak from JDBC URL #11568

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5be0f0b
Fix password leak from JDBC URL userinfo into db.user span tag
ValentinZakharov Jun 4, 2026
13f882e
Use getRawUserInfo() to avoid splitting on percent-encoded colon in u…
ValentinZakharov Jun 4, 2026
00fda7b
Address review comments: shorten comment, add SAP test case, remove J…
ValentinZakharov Jun 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions ...p/src/main/java/datadog/trace/bootstrap/instrumentation/jdbc/JDBCConnectionUrlParser.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,16 @@ DBInfo.Builder doParse(final String jdbcUrl, final DBInfo.Builder builder) {

populateStandardProperties(builder, splitQuery(uri.getQuery(), '&'));

final String user = uri.getUserInfo();
if (user != null) {
builder.user(user);
final String rawUserInfo = uri.getRawUserInfo();
if (rawUserInfo != null) {
// rawUserInfo keeps %3A encoded, so indexOf(':') only matches the password separator
final int colonLoc = rawUserInfo.indexOf(':');
final String rawUser = colonLoc >= 0 ? rawUserInfo.substring(0, colonLoc) : rawUserInfo;
try {
builder.user(URLDecoder.decode(rawUser, "UTF-8"));
} catch (final UnsupportedEncodingException e) {
builder.user(rawUser);
}
}

String path = uri.getPath();
Expand Down
23 changes: 23 additions & 0 deletions ...datadog/trace/bootstrap/instrumentation/jdbc/JDBCConnectionUrlParserPasswordLeakTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
package datadog.trace.bootstrap.instrumentation.jdbc;

import static datadog.trace.bootstrap.instrumentation.jdbc.JDBCConnectionUrlParser.extractDBInfo;
import static org.junit.jupiter.api.Assertions.assertEquals;

import org.tabletest.junit.TableTest;
Copy link
Copy Markdown
Contributor

@dougqh dougqh Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude: Project conventions say no multi-line comment blocks (one short line max). This 8-line class Javadoc can be removed entirely — the test name and table rows are already self-documenting.

Copy link
Copy Markdown
Contributor Author

@ValentinZakharov ValentinZakharov Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed thanks


class JDBCConnectionUrlParserPasswordLeakTest {

@TableTest({
"scenario | url | type | host | user ",
"PostgreSQL userinfo with password | jdbc:postgresql://myuser:secret123@pg.host/mydb | postgresql | pg.host | myuser ",
"PostgreSQL userinfo without password | jdbc:postgresql://myuser@pg.host/mydb | postgresql | pg.host | myuser ",
"PostgreSQL userinfo with percent-encoded colon | jdbc:postgresql://tenant%3Aalice@pg.host/mydb | postgresql | pg.host | tenant:alice",
"SAP userinfo with password | jdbc:sap://myuser:secret@sap.host/sapdb | sap | sap.host | myuser "
})
Copy link
Copy Markdown
Contributor

@dougqh dougqh Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude: The scenario column appears in the table header but has no matching method parameter. Depending on how @TableTest maps columns to parameters this will either fail at runtime or silently drop the column. Either add String scenario as the first parameter (many table-test frameworks use it as the display label), or drop the scenario column from the header.

Copy link
Copy Markdown
Contributor Author

@ValentinZakharov ValentinZakharov Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Scenario special column is used to display label, so it doesn't map to method param

void passwordShouldNotLeakIntoUserTag(String url, String type, String host, String user) {
DBInfo info = extractDBInfo(url, null);
assertEquals(type, info.getType());
assertEquals(host, info.getHost());
assertEquals(user, info.getUser());
}
}
Copy link
Copy Markdown
Contributor

@dougqh dougqh Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude: The comprehensive parser tests live in dd-java-agent/instrumentation/jdbc/src/test/groovy/JDBCConnectionUrlParserTest.groovy and cover dozens of URL variants across every GENERIC_URL_LIKE scheme. These two new rows fit better there (after migrating that file from Groovy to Java per project conventions) rather than in a standalone class. Additionally, only PostgreSQL is tested here — GENERIC_URL_LIKE also handles SAP, Snowflake, Redshift, IRIS, and Sybase TDS, so at least one non-PostgreSQL user:password@host case (e.g. jdbc:sap://myuser:secret@sap.host:88/sapdb) would confirm the fix covers those schemes too.

Copy link
Copy Markdown
Contributor Author

@ValentinZakharov ValentinZakharov Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added SAP test-case, thanks