Hello,
While deploying version v0.9.5 on AWS Fargate (EKS), we identified a potential data leak in the logs when a database connection error occurs during container startup.
Specifically, the exception log:
Exception in thread "main" clojure.lang.ExceptionInfo
appears to expose sensitive values from secrets provided via environment variables.
Steps to Reproduce
This behavior can be reproduced using the current repository:
git clone https://github.com/yetanalytics/lrsql.git
cd lrsql
git checkout v0.9.5
To force a connection error, prevent the Postgres container from starting by commenting out or removing the depends_on section in docker-compose.yml:
Then run:
Observed Behavior
The logs will output the previously mentioned exception, which includes sensitive database access information (e.g., credentials) in plaintext.
Example (truncated)
Exception in thread "main" clojure.lang.ExceptionInfo: Error in component :connection in system com.stuartsierra.component.SystemMap calling #'com.stuartsierra.component/start
...
:db-user "lrsql_user",
...
:db-password "lrsql_password",
...
Concern
This behavior may unintentionally expose sensitive credentials in logs, which could pose a security risk in production environments.
We already tried changing the log level to ERROR, but we’re still seeing the same results.
Please let us know if you need any additional details or if we can help validate a fix.
Thanks in advance for your support!
Hello,
While deploying version v0.9.5 on AWS Fargate (EKS), we identified a potential data leak in the logs when a database connection error occurs during container startup.
Specifically, the exception log:
appears to expose sensitive values from secrets provided via environment variables.
Steps to Reproduce
This behavior can be reproduced using the current repository:
git clone https://github.com/yetanalytics/lrsql.git cd lrsql git checkout v0.9.5To force a connection error, prevent the Postgres container from starting by commenting out or removing the
depends_onsection indocker-compose.yml:Then run:
Observed Behavior
The logs will output the previously mentioned exception, which includes sensitive database access information (e.g., credentials) in plaintext.
Example (truncated)
Concern
This behavior may unintentionally expose sensitive credentials in logs, which could pose a security risk in production environments.
We already tried changing the log level to ERROR, but we’re still seeing the same results.
Please let us know if you need any additional details or if we can help validate a fix.
Thanks in advance for your support!