cloud-fan commented on code in PR #56630:
URL: https://github.com/apache/spark/pull/56630#discussion_r3448061148
##########
sql/core/src/main/scala/org/apache/spark/sql/execution/datasources/jdbc/JDBCOptions.scala:
##########
@@ -302,6 +304,41 @@ object JDBCOptions {
name
}
+ // The userinfo of a URL authority (everything between "//" and the
authority's last "@") may
+ // carry credentials, e.g. the "user:password" in "//user:password@host".
"[^/?#]*" extends
+ // greedily to the last "@" before the authority ends (at the first "/", "?"
or "#"), so an "@"
+ // embedded in the password is covered as well; the whole userinfo is
redacted.
+ private val URL_USER_INFO_PATTERN = "(//)[^/?#]*(@)".r
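Review bot: URL_USER_INFO_PATTERN only redacts credentials that sit between a "//" and an "@" with no "/", "?" or "#" in between, so it is a denylist of a single URL shape. A password containing "/", "?" or "#" stops `[^/?#]*` before the "@" and the match fails, and a URL that carries credentials outside a "//" authority is never matched, so in both cases the string comes through unredacted. Either state these limits in the comment, or keep only a known credential-free prefix and mask the rest so that an unrecognised form fails closed.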
Review Comment:
Good catch — thanks for digging into the Oracle Thin forms. Rather than
extend the matching to chase this (and the next driver's syntax after it), I've
reworked the redaction from a denylist into an allowlist: keep only the
credential-free `jdbc:<subprotocol>:` prefix and redact the entire
driver-specific subname.

- `jdbc:oracle:thin:scott/tiger@host:1521/svc` -> `jdbc:oracle:*********(redacted)`
- `jdbc:oracle:thin:scott/tiger@//host:1521/svc?x=1` -> `jdbc:oracle:*********(redacted)`

This is safe by construction regardless of the driver's URL grammar, so it
also subsumes the `?`/`#`-in-password partial-leak edge case you flagged below
(no userinfo parsing happens at all). The trade-off is that we no longer
surface host/port/database — only the engine type — which matches the "worst
case is showing no URL at all" bar. Updated in the follow-up commit; the doc
and tests now reflect this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
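
The denylist-versus-allowlist difference described in the comment above, as an added Scala example (not code from the PR or from Spark). The object and method names are hypothetical, the two PostgreSQL URLs are constructed samples, and returning only the marker for a string without a `jdbc:<subprotocol>:` prefix is an assumption.

```scala
// Added illustration; object, method and value names are hypothetical, not Spark's.
object JdbcUrlRedactionDemo {
  // Marker text as it appears in the review comment.
  private val Redacted = "*********(redacted)"

  // Denylist: the pattern from the hunk. Only a "//...@" run with no "/", "?"
  // or "#" inside it is recognised as userinfo and masked.
  private val UrlUserInfoPattern = "(//)[^/?#]*(@)".r

  def redactUserInfo(url: String): String =
    UrlUserInfoPattern.replaceAllIn(url, "$1" + Redacted + "$2")

  // Allowlist: keep the credential-free "jdbc:<subprotocol>:" prefix and mask
  // the whole driver-specific subname without parsing it.
  private val JdbcPrefix = "^jdbc:[^:]+:".r

  def redactSubname(url: String): String =
    JdbcPrefix.findFirstIn(url) match {
      case Some(prefix) => prefix + Redacted
      case None => Redacted // assumption: an unrecognised string shows nothing
    }

  def main(args: Array[String]): Unit = {
    val samples = Seq(
      // The two Oracle Thin forms quoted in the review comment.
      "jdbc:oracle:thin:scott/tiger@host:1521/svc",
      "jdbc:oracle:thin:scott/tiger@//host:1521/svc?x=1",
      // Constructed samples: a plain userinfo, then a "?" inside the password.
      "jdbc:postgresql://app:s3cr3t@db.example.com:5432/sales",
      "jdbc:postgresql://app:p?ss@db.example.com:5432/sales"
    )
    for (url <- samples) {
      println(s"input     : $url")
      println(s"denylist  : ${redactUserInfo(url)}")
      println(s"allowlist : ${redactSubname(url)}")
      println()
    }
  }
}
```

Of the four samples, the denylist pattern masks only the third; the allowlist masks all four because it never inspects the subname.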