Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PostgreSQL server password included in tags. Security issue. #821

Closed
wtfuzz opened this issue Mar 9, 2016 · 4 comments
Closed

PostgreSQL server password included in tags. Security issue. #821

wtfuzz opened this issue Mar 9, 2016 · 4 comments
Labels
bug unexpected problem or unintended behavior

Comments

@wtfuzz
Copy link

wtfuzz commented Mar 9, 2016

The entire 'server' parameter is included in the tags of measurements sent by the plugin. This is a security concern as the password is transmitted in the clear.

Example shown here. I replaced my password with XXXXX.

$ telegraf -config /etc/telegraf/telegraf.conf -test |grep post
* Plugin: postgresql, Collection 1
> postgresql,db=pdns,server=postgres://telegraf:XXXXX@localhost/pdns?sslmode\=disable blk_read_time=0,blk_write_time=0,blks_hit=3518854i,blks_read=1130i,conflicts=0i,deadlocks=0i,numbackends=17i,temp_bytes=0i,temp_files=0i,tup_deleted=1i,tup_fetched=585944i,tup_inserted=558i,tup_returned=54061355i,tup_updated=61i,xact_commit=159798i,xact_rollback=2i 1457552702321056243
> postgresql,db=postgres,server=postgres://telegraf:XXXXX@localhost/pdns?sslmode\=disable buffers_alloc=2119i,buffers_backend=25i,buffers_backend_fsync=0i,buffers_checkpoint=128i,buffers_clean=0i,checkpoint_sync_time=7,checkpoint_write_time=11339,checkpoints_req=2i,checkpoints_timed=10351i,maxwritten_clean=0i 1457552702322387204
@sparrc
Copy link
Contributor

sparrc commented Mar 9, 2016

agreed, someone once submitted a PR to fix this but then disappeared when I asked for some revisions. If anyone has time to port this: #490 it would be greatly appreciated :)

@sparrc sparrc added the bug unexpected problem or unintended behavior label Mar 9, 2016
@menardorama
Copy link
Contributor

Hi,

I'll try to have a look

@menardorama
Copy link
Contributor

Hi,

The issue is fxed in #845 for legacy and new plugin

@vidushis17
Copy link

vidushis17 commented Aug 3, 2020

Hi I am trying to monitor one of my AWS RDS Postgres Database using the telegraf plugin for postgres.
I am using the https://github.com/influxdata/telegraf/tree/master/plugins/inputs/postgresql_extensible input plugin.
The metrics flow to Wavefront but the password gets exposed as a part of the server tag. I use simple string:
address = "host=next-tango-instance--..rds.amazonaws.com user=postgres sslmode=disable password =* "

Now this address comes as a point tag in Wavefront as server= host=next-tango-instance--..rds.amazonaws.com user=postgres sslmode=disable password =* which essentially exposes my password in the dashboards.

I have seen that a fix has been provided by in #845 but this requires me to specify the address via url matching and whenever I try to do it for example like:
address = postgresql://postgres:xyz@next-tango-instance-..us--2.rds.amazonaws.com

The metrics stop coming. And the telegraf client throws an exception saying:
2020-08-03T17:14:01Z E! [telegraf] Error running agent: Error parsing /etc/telegraf/telegraf.conf, line 16: invalid TOML syntax

Can someone help me here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug unexpected problem or unintended behavior
Projects
None yet
Development

No branches or pull requests

5 participants
@wtfuzz @menardorama @sparrc @vidushis17 and others