Fix postgresql password exposure in metrics

Fix the password exposure in the metrics or tags.

closes #821
closes #845
Thomas Menard 2016-03-14 10:32:07 +01:00 committed by Michele Fadda
parent fef8b6beaf
commit 667127b189
2 changed files with 32 additions and 6 deletions


@ -29,6 +29,7 @@
- [#713](https://github.com/influxdata/telegraf/issues/713): packaging: insecure permissions error on log directory - [#713](https://github.com/influxdata/telegraf/issues/713): packaging: insecure permissions error on log directory
- [#816](https://github.com/influxdata/telegraf/issues/816): Fix phpfpm panic if fcgi endpoint unreachable. - [#816](https://github.com/influxdata/telegraf/issues/816): Fix phpfpm panic if fcgi endpoint unreachable.
- [#828](https://github.com/influxdata/telegraf/issues/828): fix net_response plugin overwriting host tag. - [#828](https://github.com/influxdata/telegraf/issues/828): fix net_response plugin overwriting host tag.
- [#821](https://github.com/influxdata/telegraf/issues/821): Remove postgres password from server tag. Thanks @menardorama!
## v0.10.4.1 ## v0.10.4.1


@ -4,13 +4,14 @@ import (
"bytes" "bytes"
"database/sql" "database/sql"
"fmt" "fmt"
"regexp"
"sort" "sort"
"strings" "strings"
"github.com/influxdata/telegraf" "github.com/influxdata/telegraf"
"github.com/influxdata/telegraf/plugins/inputs" "github.com/influxdata/telegraf/plugins/inputs"
_ "github.com/lib/pq" "github.com/lib/pq"
) )
type Postgresql struct { type Postgresql struct {
@ -18,6 +19,7 @@ type Postgresql struct {
Databases []string Databases []string
OrderedColumns []string OrderedColumns []string
AllColumns []string AllColumns []string
sanitizedAddress string
} }
var ignoredColumns = map[string]bool{"datid": true, "datname": true, "stats_reset": true} var ignoredColumns = map[string]bool{"datid": true, "datname": true, "stats_reset": true}
@ -133,6 +135,23 @@ type scanner interface {
Scan(dest ...interface{}) error Scan(dest ...interface{}) error
} }
var passwordKVMatcher, _ = regexp.Compile("password=\\S+ ?")
func (p *Postgresql) SanitizedAddress() (_ string, err error) {
var canonicalizedAddress string
if strings.HasPrefix(p.Address, "postgres://") || strings.HasPrefix(p.Address, "postgresql://") {
canonicalizedAddress, err = pq.ParseURL(p.Address)
if err != nil {
return p.sanitizedAddress, err
}
} else {
canonicalizedAddress = p.Address
}
p.sanitizedAddress = passwordKVMatcher.ReplaceAllString(canonicalizedAddress, "")
return p.sanitizedAddress, err
}
func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error { func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error {
var columnVars []interface{} var columnVars []interface{}
var dbname bytes.Buffer var dbname bytes.Buffer
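Review bot: The `password=\S+ ?` pattern behind `passwordKVMatcher` stops at the first whitespace, so a password containing a space (quoted or backslash-escaped in key/value form, which is also how `pq.ParseURL` would have to emit it) is only partly removed and its tail still reaches the `server` tag. If the driver accepts `password = x` with spaces around `=`, that form is not matched at all. The pattern should cover quoted and escaped values plus optional whitespace around `=`, and be built with `var passwordKVMatcher = regexp.MustCompile(...)` rather than discarding the error from `regexp.Compile`. On the `pq.ParseURL` failure path the returned `err` probably embeds the raw address, since net/url parse errors quote their input, so `SanitizedAddress` should return a fixed message such as `fmt.Errorf("invalid postgresql address")` instead of passing it on to `accRow`'s caller. A table test over URL and key/value addresses, including passwords with spaces and quotes, would pin the behaviour down.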
@ -165,7 +184,13 @@ func (p *Postgresql) accRow(row scanner, acc telegraf.Accumulator) error {
dbname.WriteString("postgres") dbname.WriteString("postgres")
} }
tags := map[string]string{"server": p.Address, "db": dbname.String()} var tagAddress string
tagAddress, err = p.SanitizedAddress()
if err != nil {
return err
}
tags := map[string]string{"server": tagAddress, "db": dbname.String()}
fields := make(map[string]interface{}) fields := make(map[string]interface{})
for col, val := range columnMap { for col, val := range columnMap {