Skip to content

fix(db): disable Sequelize default console.log query logging to stop secret leakage to stdout #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
CryptoJones merged 1 commit into from
May 19, 2026
Merged

fix(db): disable Sequelize default console.log query logging to stop secret leakage to stdout #144

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,15 @@ DB_PASSWORD=changeme
# production so log aggregators get the structured JSON they expect.
# LOG_PRETTY=

# Set to '1' to route Sequelize query logs through pino at debug
# level (visible when LOG_LEVEL=debug, silent otherwise). Default
# unset: Sequelize query logging is OFF entirely, because the
# default `console.log` Sequelize uses would otherwise dump SQL +
# bound parameters (including secrets like authKey values) to
# stdout, bypassing pino's redact paths. Turn this on for targeted
# query-shape debugging only; turn it off again when done.
# DB_LOG_QUERIES=

# ---- Rate limiting ----

# Per-key request budget for /v1/* in the window below. Defaults to 100.
Expand Down
19 changes: 19 additions & 0 deletions app/config/db.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,30 @@

const env = require('./env.js');
const Sequelize = require('sequelize');
const log = require('./logger.js');

// Sequelize's default `logging` is `console.log`, which dumps every
// executed SQL statement — INCLUDING bound parameter values — to
// stdout. In production that means a query like
// `SELECT * FROM "dbo"."ApiKey" WHERE "akKey" = $1` followed by the
// bound array containing the raw authKey lands in the operator's
// log stream alongside our structured JSON output, mixing log
// formats and surfacing secrets that pino's redact paths never see
// (those only know about HTTP header structures, not Sequelize SQL
// strings). Disable by default; let operators opt back in for
// targeted debugging by setting DB_LOG_QUERIES=1, in which case
// queries are routed through pino at debug level (silent at the
// default LOG_LEVEL=info, visible when LOG_LEVEL=debug, and never
// emitted as bare console.log).
const dbQueryLog = process.env.DB_LOG_QUERIES === '1'
? (sql, timing) => log.debug({ sql, timing }, 'sequelize query')
: false;

const sequelize = new Sequelize(env.database, env.username, env.password, {
host: env.host,
port: env.port,
dialect: 'postgres',
logging: dbQueryLog,
define: {
schema: 'dbo',
timestamps: false,
Expand Down