Fix postgresql password exposure in metrics

Fix the password exposure in the metrics or tags. closes #821 closes #845
influxdata · Mar 14, 2016 · 2fbcb5c · 2fbcb5c
1 parent a4d60d9
commit 2fbcb5c
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,7 @@
 - [#713](https:/influxdata/telegraf/issues/713): packaging: insecure permissions error on log directory
 - [#816](https:/influxdata/telegraf/issues/816): Fix phpfpm panic if fcgi endpoint unreachable.
 - [#828](https:/influxdata/telegraf/issues/828): fix net_response plugin overwriting host tag.
+- [#821](https:/influxdata/telegraf/issues/821): Remove postgres password from server tag. Thanks @menardorama!
 
 ## v0.10.4.1
 

diff --git a/plugins/inputs/postgresql/postgresql.go b/plugins/inputs/postgresql/postgresql.go
@@ -4,20 +4,22 @@ import (
  "bytes"
  "database/sql"
  "fmt"
+ "regexp"
  "sort"
  "strings"
 
  "github.com/influxdata/telegraf"
  "github.com/influxdata/telegraf/plugins/inputs"
 
- _ "github.com/lib/pq"
+ "github.com/lib/pq"
 )
 
 type Postgresql struct {
- Address string
- Databases []string
- OrderedColumns []string
- AllColumns []string
+ Address string
+ Databases []string
+ OrderedColumns []string
+ AllColumns []string
+ sanitizedAddress string
 }
 
 var ignoredColumns = map[string]bool{"datid": true, "datname": true, "stats_reset": true}
@@ -133,6 +135,23 @@ type scanner interface {
  Scan(dest ...interface{}) error
 }
 
+var passwordKVMatcher, _ = regexp.Compile("password=\\S+ ?")
+
+func (p *Postgresql) SanitizedAddress() (_ string, err error) {
+ var canonicalizedAddress string
+ if strings.HasPrefix(p.Address, "postgres://") || strings.HasPrefix(p.Address, "postgresql://") {
+ canonicalizedAddress, err = pq.ParseURL(p.Address)
+ if err != nil {
+ return p.sanitizedAddress, err
+ }
+ } else {
+ canonicalizedAddress = p.Address
+ }
+ p.sanitizedAddress = passwordKVMatcher.ReplaceAllString(canonicalizedAddress, "")
+
+ return p.sanitizedAddress, err
+}
+
 func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error {
  var columnVars []interface{}
  var dbname bytes.Buffer
@@ -165,7 +184,13 @@ func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error {
  dbname.WriteString("postgres")
  }
 
- tags := map[string]string{"server": p.Address, "db": dbname.String()}
+ var tagAddress string
+ tagAddress, err = p.SanitizedAddress()
+ if err != nil {
+ return err
+ }
+
+ tags := map[string]string{"server": tagAddress, "db": dbname.String()}
 
  fields := make(map[string]interface{})
  for col, val := range columnMap {