fix(bunconnect): obfuscate postgres credentials in logs

Prevent database credentials from being exposed in plain text in debug
logs and String() output by masking the password in DSN strings.

Closes EN-576

Author: flemzord

bun/bunconnect/connect.go

@@ -26,7 +26,18 @@ type ConnectionOptions struct {
 
 func (opts ConnectionOptions) String() string {
 	return fmt.Sprintf("dsn=%s, max-idle-conns=%d, max-open-conns=%d, conn-max-idle-time=%s, conn-max-lifetime=%s",
-		opts.DatabaseSourceName, opts.MaxIdleConns, opts.MaxOpenConns, opts.ConnMaxIdleTime, opts.ConnMaxLifetime)
+		obfuscateDSN(opts.DatabaseSourceName), opts.MaxIdleConns, opts.MaxOpenConns, opts.ConnMaxIdleTime, opts.ConnMaxLifetime)
+}
+
+func obfuscateDSN(dsn string) string {
+	u, err := url.Parse(dsn)
+	if err != nil {
+		return "***"
+	}
+	if u.User != nil {
+		u.User = url.UserPassword(u.User.Username(), "****")
+	}
+	return u.String()
 }
 
 func OpenSQLDB(ctx context.Context, options ConnectionOptions, hooks ...bun.QueryHook) (*bun.DB, error) {
@@ -35,13 +46,13 @@ func OpenSQLDB(ctx context.Context, options ConnectionOptions, hooks ...bun.Quer
 		err   error
 	)
 	if options.Connector == nil {
-		logging.FromContext(ctx).Debugf("Opening database with default connector and dsn: '%s'", options.DatabaseSourceName)
+		logging.FromContext(ctx).Debugf("Opening database with default connector and dsn: '%s'", obfuscateDSN(options.DatabaseSourceName))
 		sqldb, err = sql.Open("pgx", options.DatabaseSourceName)
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		logging.FromContext(ctx).Debugf("Opening database with connector and dsn: '%s'", options.DatabaseSourceName)
+		logging.FromContext(ctx).Debugf("Opening database with connector and dsn: '%s'", obfuscateDSN(options.DatabaseSourceName))
 		connector, err := options.Connector(options.DatabaseSourceName)
 		if err != nil {
 			return nil, err

bun/bunconnect/connect_test.go

@@ -0,0 +1,53 @@
+package bunconnect
+
+import (
+	"testing"
+)
+
+func TestObfuscateDSN(t *testing.T) {
+	tests := []struct {
+		name     string
+		dsn      string
+		expected string
+	}{
+		{
+			name:     "with user and password",
+			dsn:      "postgres://user:secret@localhost:5432/mydb",
+			expected: "postgres://user:%2A%2A%2A%2A@localhost:5432/mydb",
+		},
+		{
+			name:     "with user only",
+			dsn:      "postgres://user@localhost:5432/mydb",
+			expected: "postgres://user:%2A%2A%2A%2A@localhost:5432/mydb",
+		},
+		{
+			name:     "without credentials",
+			dsn:      "postgres://localhost:5432/mydb",
+			expected: "postgres://localhost:5432/mydb",
+		},
+		{
+			name:     "with query params",
+			dsn:      "postgres://user:secret@localhost:5432/mydb?sslmode=disable",
+			expected: "postgres://user:%2A%2A%2A%2A@localhost:5432/mydb?sslmode=disable",
+		},
+		{
+			name:     "invalid dsn",
+			dsn:      "://invalid",
+			expected: "***",
+		},
+		{
+			name:     "empty string",
+			dsn:      "",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := obfuscateDSN(tt.dsn)
+			if got != tt.expected {
+				t.Errorf("obfuscateDSN(%q) = %q, want %q", tt.dsn, got, tt.expected)
+			}
+		})
+	}
+}