
Module redact


Inline-secret redaction for SQL bodies (#49).

The history store and the slow-log tee persist the SQL text of every ferrule invocation. The connection URL is already scrubbed at the capture site (DatabaseUrl::redacted blanks the password component), but secrets can also live inside the SQL itself — CREATE ROLE x PASSWORD '...', ALTER USER ... IDENTIFIED BY '...', or a connection-string literal embedded in a function call. This module’s redact_sql blanks those before the SQL reaches storage.

Conservative, string-based, no SQL parser. The same pragmatic stance as the dump-determinism ORDER BY check: we scan for the common secret idioms and replace the literal with ***, accepting that a vendor-specific or obfuscated idiom can slip through. The high-frequency leak — a password in a connection URL — is fully handled both here and by the URL-redaction path at the capture site, so the residual false-negative surface is the long tail of DDL phrasings.

Known false-negatives (documented contract, not a bug):

  • secrets passed as bound parameters that some tool inlined into the SQL with non-standard quoting;
  • vendor extensions that name the secret with a keyword this scanner does not recognise;
  • a PASSWORD / IDENTIFIED BY idiom that appears inside an outer SQL string literal: without tracking the enclosing literal’s context, the scanner cannot tell the doubled quote that opens the inner secret from a real literal close. The common real case is a standalone DDL statement, which redacts correctly; a secret quoted-inside-a-quote is the contrived tail;
  • a password literal that uses a backslash escape ('a\'b') rather than SQL’s standard doubled-quote escape ('a''b'): the scanner honours the doubled-quote form (so 'O''Brien' is fully redacted) but treats a backslash-escaped quote as the literal close, redacting only the leading fragment. Backslash-escaped string literals are non-standard SQL and rare in DDL secrets.

The function never panics and never allocates beyond the rebuilt string, so it is safe to call on every recorded statement.
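
The doubled-quote and backslash-escape behaviour listed above, as an added sketch that is not ferrule's redact_sql. The function name redact_password_literals, the quote-preserving '***' output and the fail-closed handling of an unterminated literal are assumptions of this example, and it covers only the PASSWORD and IDENTIFIED BY idioms.

```rust
// Added sketch, NOT ferrule's redact_sql: blanks the single-quoted literal that
// follows PASSWORD or IDENTIFIED BY. The function name and the '***' output
// form (quotes kept) are assumptions made for this example.
fn redact_password_literals(sql: &str) -> String {
    const KEYWORDS: [&str; 2] = ["PASSWORD", "IDENTIFIED BY"];
    let b = sql.as_bytes();
    let mut out = String::with_capacity(sql.len());
    let mut i = 0;
    while i < b.len() {
        // Case-insensitive keyword match at the current position.
        let hit = KEYWORDS.iter().find(|k| {
            b.len() - i >= k.len() && b[i..i + k.len()].eq_ignore_ascii_case(k.as_bytes())
        });
        if let Some(k) = hit {
            let mut j = i + k.len();
            while j < b.len() && b[j].is_ascii_whitespace() { j += 1; }
            if j < b.len() && b[j] == b'\'' {
                // Scan for the closing quote of the literal that opens at j.
                let mut end = j + 1;
                while end < b.len() {
                    match (b[end], b.get(end + 1).copied()) {
                        (b'\'', Some(b'\'')) => end += 2, // '' is an escaped quote
                        (b'\'', _) => break,              // real close (also after a backslash)
                        _ => end += 1,
                    }
                }
                out.push_str(&sql[i..j]); // keyword and whitespace, unchanged
                out.push_str("'***'");
                // Unterminated literal: end == len, so the rest is dropped (fail closed).
                i = (end + 1).min(b.len());
                continue;
            }
        }
        // No secret idiom here: copy one whole character and move on.
        let ch = sql[i..].chars().next().unwrap(); // i < len, so a char exists
        out.push(ch);
        i += ch.len_utf8();
    }
    out
}

fn main() {
    // Constructed inputs: plain DDL, doubled-quote escape, backslash escape.
    let samples = ["CREATE ROLE x PASSWORD 'hunter2';",
        "ALTER USER bob IDENTIFIED BY 'O''Brien';", "ALTER ROLE x PASSWORD 'a\\'b';"];
    for sql in samples { println!("{}", redact_password_literals(sql)); }
}
```

The third sample leaves the fragment after the backslash-escaped quote in the output, which is the documented false negative for backslash-escaped literals.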

Functions

redact_sql
Redact inline secrets from a SQL body, returning a scrubbed copy.