fix: Added redactDatabaseUrl() utility that masks username/password before logging #24
📝 Walkthrough
The pull request bumps the package version to 0.2.6, updates the Prisma better-sqlite3 adapter dependency to ^7.3.0, and introduces a new
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (1 warning)
Pull request overview
This PR enhances security by adding a redactDatabaseUrl() utility function that masks usernames and passwords in database connection URLs before logging, and updates the @prisma/adapter-better-sqlite3 dependency to version 7.3.0 to support Node.js version 25.
Changes:
- Added `redactDatabaseUrl()` utility function to mask credentials in database URLs
- Applied redaction to PostgreSQL and MySQL connection logging
- Updated `@prisma/adapter-better-sqlite3` from ^6.2.1 to ^7.3.0 (includes better-sqlite3 12.6.2 with Node 25 support)
- Removed unused `GeneratorConfig` import
- Bumped package version from 0.2.5 to 0.2.6
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/server.ts | Added redactDatabaseUrl() function and applied it to PostgreSQL and MySQL connection logging; removed unused import |
| package.json | Updated @prisma/adapter-better-sqlite3 to ^7.3.0 and bumped package version to 0.2.6 |
| pnpm-lock.yaml | Updated lock file with new dependency versions including better-sqlite3 12.6.2 with Node 25 support |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Actionable comments posted: 1
In `@src/server.ts`:
- Around line 49-63: The redactDatabaseUrl function currently returns the raw
input on URL parse failure and only masks parsedUrl.username/password, which can
leak credentials and query-params; update redactDatabaseUrl to (1) when parsing
succeeds, also scrub sensitive query parameters (case-insensitive keys like
password, pass, user, username, token, secret) by replacing their values with
'***' in parsedUrl.searchParams before returning parsedUrl.toString(), and (2)
on parse failure, perform a conservative string-based redaction: mask basic-auth
patterns (user:pass@) and mask sensitive query-like key=value pairs anywhere in
the string using a regex that matches the same keys (replace values with '***')
instead of returning the original url. Ensure you reference and update the
existing function redactDatabaseUrl and the parsedUrl variable handling.
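The following is an added example of a `redactDatabaseUrl()` written along the lines of the review comment above and the Copilot overview earlier in the thread; it is not the project's own `src/server.ts` code. It assumes the sensitive-key list the comment names (password, pass, user, username, token, secret) and the `***` mask the PR title uses; the regex fallback and all sample inputs are constructed here for illustration.

```typescript
// Added example, not the project's src/server.ts implementation.
// Assumed sensitive keys are the ones the review comment lists.
const SENSITIVE_KEYS = ["password", "pass", "username", "user", "token", "secret"];

function isSensitiveKey(key: string): boolean {
  return SENSITIVE_KEYS.includes(key.toLowerCase());
}

// Fallback pattern 1: "//user:pass@" or "//user@" anywhere in a string
// that the URL constructor rejected.
const BASIC_AUTH_RE = /(\/\/)([^\/@\s:]+)(:[^\/@\s]*)?@/g;

// Fallback pattern 2: "key=value" pairs delimited by ?, &, ; or whitespace,
// which also covers libpq-style "host=x password=y" keyword strings.
const KEY_VALUE_RE = new RegExp(
  `(^|[?&;\\s])(${SENSITIVE_KEYS.join("|")})=([^&;\\s]*)`,
  "gi",
);

// Conservative string-based redaction used when structured parsing fails.
// It never returns the raw input, so an unparseable string cannot leak
// credentials into the log.
function redactByPattern(raw: string): string {
  return raw
    .replace(BASIC_AUTH_RE, (_m: string, slashes: string, _user: string, pass?: string) =>
      `${slashes}***${pass !== undefined ? ":***" : ""}@`)
    .replace(KEY_VALUE_RE, (_m: string, sep: string, key: string) => `${sep}${key}=***`);
}

function redactDatabaseUrl(url: string): string {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return redactByPattern(url);
  }
  // Structured path: mask the userinfo component...
  if (parsed.username) parsed.username = "***";
  if (parsed.password) parsed.password = "***";
  // ...and scrub sensitive query parameters, comparing keys case-insensitively.
  for (const key of Array.from(parsed.searchParams.keys())) {
    if (isSensitiveKey(key)) parsed.searchParams.set(key, "***");
  }
  return parsed.toString();
}
```

The structured path keeps the host, port, database name and non-sensitive options (such as `sslmode`) readable, which is what an operator wants in a connection log; the fallback trades precision for safety, masking anything that looks like credentials rather than echoing the input back. Note that mutating `searchParams` re-serialises the whole query string, so other parameter values may be re-encoded (spaces become `+`), which is acceptable for log output.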
fix: Added redactDatabaseUrl() utility that masks username/password with *** before logging (#24)
Summary by CodeRabbit
Chores
Bug Fixes