From 2fbcb5c6d851b8140b88580cd4259eb2cda9a98a Mon Sep 17 00:00:00 2001
From: Thomas Menard
Date: Mon, 14 Mar 2016 10:32:07 +0100
Subject: [PATCH] Fix postgresql password exposure in metrics
Fix the password exposure in the metrics or tags.
closes #821 closes #845
---
 CHANGELOG.md | 1 +
 plugins/inputs/postgresql/postgresql.go | 37 +++++++++++++++++++++----
 2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f7d245b2..3545c35c6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@
 - [#713](https://github.com/influxdata/telegraf/issues/713): packaging: insecure permissions error on log directory
 - [#816](https://github.com/influxdata/telegraf/issues/816): Fix phpfpm panic if fcgi endpoint unreachable.
 - [#828](https://github.com/influxdata/telegraf/issues/828): fix net_response plugin overwriting host tag.
+- [#821](https://github.com/influxdata/telegraf/issues/821): Remove postgres password from server tag. Thanks @menardorama!
 ## v0.10.4.1
diff --git a/plugins/inputs/postgresql/postgresql.go b/plugins/inputs/postgresql/postgresql.go
index fe2a56576..d8d0d1978 100644
--- a/plugins/inputs/postgresql/postgresql.go
+++ b/plugins/inputs/postgresql/postgresql.go
@@ -4,20 +4,22 @@ import (
 "bytes"
 "database/sql"
 "fmt"
+ "regexp"
 "sort"
 "strings"
 "github.com/influxdata/telegraf"
 "github.com/influxdata/telegraf/plugins/inputs"
- _ "github.com/lib/pq"
+ "github.com/lib/pq"
 )
 type Postgresql struct {
- Address string
- Databases []string
- OrderedColumns []string
- AllColumns []string
+ Address string
+ Databases []string
+ OrderedColumns []string
+ AllColumns []string
+ sanitizedAddress string
 }
 var ignoredColumns = map[string]bool{"datid": true, "datname": true, "stats_reset": true}
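Review bot: The new `sanitizedAddress` field in `Postgresql` has no comment, and nothing in the struct tells a reader that `Address` may carry a password while `sanitizedAddress` is the derived copy meant for tags. I would add `// sanitizedAddress is Address with the password removed; use it, not Address, for tags and log output.` above the field. Whether `p.Address` is emitted anywhere else in the plugin cannot be seen from this hunk and is worth checking.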
@@ -133,6 +135,23 @@ type scanner interface {
 Scan(dest ...interface{}) error
 }
+var passwordKVMatcher, _ = regexp.Compile("password=\\S+ ?")
+
+func (p *Postgresql) SanitizedAddress() (_ string, err error) {
+ var canonicalizedAddress string
+ if strings.HasPrefix(p.Address, "postgres://") || strings.HasPrefix(p.Address, "postgresql://") {
+ canonicalizedAddress, err = pq.ParseURL(p.Address)
+ if err != nil {
+ return p.sanitizedAddress, err
+ }
+ } else {
+ canonicalizedAddress = p.Address
+ }
+ p.sanitizedAddress = passwordKVMatcher.ReplaceAllString(canonicalizedAddress, "")
+
+ return p.sanitizedAddress, err
+}
+
 func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error {
 var columnVars []interface{}
 var dbname bytes.Buffer
@@ -165,7 +184,13 @@ func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error {
 dbname.WriteString("postgres")
 }
- tags := map[string]string{"server": p.Address, "db": dbname.String()}
+ var tagAddress string
+ tagAddress, err = p.SanitizedAddress()
+ if err != nil {
+ return err
+ }
+
+ tags := map[string]string{"server": tagAddress, "db": dbname.String()}
 fields := make(map[string]interface{})
 for col, val := range columnMap {
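Review bot: The pattern `password=\S+ ?` in `passwordKVMatcher` stops at the first whitespace, so a password that contains a space is only partly removed and its tail still reaches the `server` tag. A key/value DSN can quote the value (`password='a b'`), and the string returned by `pq.ParseURL` appears to backslash-escape spaces rather than quote them, which should be confirmed against lib/pq. The matcher should also accept quoted and backslash-escaped values and whitespace around `=`, or the tag should be built from the parsed host, port and dbname instead of stripping one key from the full string. A test with a space in the password, in both URL and key/value form, would pin this down. Separately, the discarded compile error is better written as `var passwordKVMatcher = regexp.MustCompile("password=\\S+ ?")`, so a bad pattern fails at start-up instead of leaving a nil matcher.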
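Review bot: `accRow` calls `p.SanitizedAddress()` for every row, so the URL is re-parsed and the regex re-run each time, and the value cached in `p.sanitizedAddress` is never read back. Computing it once per gather and reading the field here would also keep a per-row helper from mutating the plugin struct. The `return err` path deserves a second look: the error comes from `pq.ParseURL`, and if it embeds the input, as net/url parse errors usually do, the raw address and its password could land in the agent log. Returning a fixed message such as `fmt.Errorf("postgresql: cannot parse address")` avoids that. The body of `accRow` starts and ends outside this hunk.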