Obfuscating the password string on #inspect would be useful, but insufficient. A better choice might be to figure out a way to make it so that Sequel can ask Hashicorp Vault for the connection details when it needs to reconnect (see https://github.com/hashicorp/vault-ruby); this is something I expect to have to do some time next year for at least ActiveRecord but possibly also Sequel.
-a

On Mon, Nov 14, 2016 at 12:44 PM, Jeremy Evans <[email protected]> wrote:
> On Monday, November 14, 2016 at 9:26:43 AM UTC-8, Matthew Curtice wrote:
>>
>> I was wondering if it would be possible to update the connection function to store the password in memory as encrypted. I work on a team where paired programming is implemented. In order to keep our passwords confidential, we store them encrypted in files and taught ruby how to decrypt them when calling external connections. We have been using this method for a while, and it has worked quite well. Today however, I happened to be debugging an issue which involved inspecting the sequel connection object, when much to my surprise (and my pairing partner's), there was my password displayed in plain text in the debugger.
>>
>> I understand that the password needs to be stored, as we don't want to hold the connection open for the entire duration of the script. But it would be nice if it stored the password as encrypted, and then decrypted it internally before re-connecting.
>>
>
> That's just pointless obfuscation as far as I am concerned. Sequel uses a connection pool, and may need the password at any point in the future, so it needs to have access to it. Trying to hide it by encrypting it and then decrypting when needed is pointless, because you'd need to store the decryption key in memory or somewhere else where the process could access it.
>
> If you are using PostgreSQL, I'd recommend using a .pgpass file instead of having a password specified directly in the code.
>
> Another way to work around your particular problem would be to override #inspect on the password string.
>
> Thanks,
> Jeremy
>
> --
> You received this message because you are subscribed to the Google Groups "sequel-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/sequel-talk.
> For more options, visit https://groups.google.com/d/optout.

--
Austin Ziegler • [email protected] • [email protected]
http://www.halostatue.ca/ • http://twitter.com/halostatue
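Jeremy's "override #inspect on the password string" idea, written out as an added example (not code from the thread or from Sequel itself): a String subclass whose `inspect` prints a placeholder, so a debugger echo of the options hash hides the password while the adapter can still read the real value. The option keys mirror the hash form Sequel.connect accepts; the host, user and password values are constructed. The last function shows the limit Jeremy and Austin point out: the secret is still in memory and still comparable.

```ruby
# RedactedString: display hygiene for secrets held in a connection options
# hash.  `p opts`, irb/pry echo and Hash#inspect all call #inspect on the
# nested value, so they print the placeholder instead of the password.
class RedactedString < String
  PLACEHOLDER = '"[REDACTED]"'

  # Used by p, inspect, and when nested inside Hash#inspect / Array#inspect.
  def inspect
    PLACEHOLDER
  end

  # The real value, as a plain String, for code that must authenticate.
  def reveal
    String.new(self)
  end
end

# Constructed sample connection options in Sequel.connect's hash form.
def connection_opts(password)
  {
    adapter:  "postgres",
    host:     "db.example.internal",   # constructed value
    user:     "app",                   # constructed value
    password: RedactedString.new(password),
  }
end

# What a debugger or `p` prints for the options hash.
def inspect_opts(password)
  connection_opts(password).inspect
end

# What the adapter actually receives when it (re)connects.
def real_password(password)
  connection_opts(password)[:password].reveal
end

# The caveat from the thread: the bytes are still in the process and
# equality, interpolation and String.new(x) all expose them.  This is
# protection against a glance at the debugger, not against the process.
def still_comparable?(password)
  connection_opts(password)[:password] == password
end

if __FILE__ == $PROGRAM_NAME
  puts inspect_opts("s3cret")   # password prints as "[REDACTED]"
end
```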
