remove URL.__str__ so that it uses __repr__, which will obfuscate PW by default #8567

Closed
zzzeek opened this issue Sep 23, 2022 Discussed in #8547 · 2 comments
Labels
bug Something isn't working engine engines, connections, transactions, isolation levels, execution options

@zzzeek
Member

zzzeek commented Sep 23, 2022

Discussed in #8547

Working on this in #8563.

Needs some alembic test suite updates.

This change might be a big bump for some, as it is for us.

@zzzeek zzzeek added bug Something isn't working engine engines, connections, transactions, isolation levels, execution options labels Sep 23, 2022
@zzzeek zzzeek added this to the 2.0 milestone Sep 23, 2022
sqlalchemy-bot pushed a commit to sqlalchemy/alembic that referenced this issue Sep 23, 2022

As str(url) will be changing to obfuscate the PW,
use SQLA 1.3 / 1.4 / 2.0 functionality directly.

Change-Id: I4694cc6d2ed7f0463fe0fae8a93ee9ec5df74760
References: sqlalchemy/sqlalchemy#8567
@sqla-tester
Collaborator

Yassen Damyanov has proposed a fix for this issue in the main branch:

Tighten password security by removing URL.__str__ https://gerrit.sqlalchemy.org/c/sqlalchemy/sqlalchemy/+/4090

ya55en added a commit to ya55en/alembic that referenced this issue Sep 23, 2022

SqlAlchemy 2.0 gets its `engine.URL.__str__` removed for improved
security, hence this change.

See sqlalchemy/sqlalchemy#8567
martinburchell added a commit to ucam-department-of-psychiatry/camcops that referenced this issue Dec 13, 2022
We don't log Engine.URL() and the fix is not yet in a production
sqlalchemy/sqlalchemy#8567
@zzzeek
Member Author

zzzeek commented Feb 2, 2023

As predicted, it seems likely that flask-migrate has a regression due to this; see #9225 (reply in thread), where a user w/ flask-migrate has a sudden authentication failure, yet the database name and driver are being maintained in the URL, suggesting the password has been obfuscated.
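
The failure mode described in this thread, as an added example that is not code from SQLAlchemy, alembic or flask-migrate: a URL that is stringified and re-parsed on its way into migration tooling keeps its driver and database but can arrive with the `***` mask as its password. It assumes SQLAlchemy 1.4 or later (where `URL.create` and `render_as_string` are available); the helper names and the sample URL are hypothetical and constructed for illustration.

```python
from sqlalchemy.engine import URL, make_url

MASK = "***"  # placeholder SQLAlchemy renders in place of the password


def render_for_config(url):
    """Full URL string, password included, for handing to other tooling."""
    return make_url(url).render_as_string(hide_password=False)


def render_for_logs(url):
    """URL string that is safe to log: the password is replaced by the mask."""
    return make_url(url).render_as_string(hide_password=True)


def password_after_handoff(url, render):
    """Stringify the URL with `render`, re-parse it, and return the password
    the receiving side would try to authenticate with."""
    return make_url(render(url)).password


def reject_masked_password(url_string):
    """Fail early, with a clear message, when a masked URL string is about to
    be used as a connection string (a real password of '***' is also refused)."""
    if make_url(url_string).password == MASK:
        raise ValueError(
            "URL password is the '***' mask; it was probably produced by "
            "str(url) or repr(url). Use render_as_string(hide_password=False)."
        )
    return url_string


# Constructed sample URL; credentials and host are placeholders.
SAMPLE = URL.create(
    "postgresql+psycopg2",
    username="scott",
    password="tiger",
    host="db.example.invalid",
    database="test",
)

if __name__ == "__main__":
    print("log form:     ", render_for_logs(SAMPLE))
    print("after str():  ", password_after_handoff(SAMPLE, str))
    print("after render: ", password_after_handoff(SAMPLE, render_for_config))
```

Keep `render_for_config` output out of logs and exception messages, since it contains the real password; `render_for_logs` or `repr(url)` is the form to record.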
