Skip to content

Commit 1ade285

Browse files
sean-jackc
andcommitted
pgconn: document secure connection configuration
Add a "Connecting Securely" section to the package doc showing a hardened connection string (sslmode=verify-full, channel_binding=require, require_auth=scram-sha-256) and explaining what each parameter protects against. Also expand the ParseConfig "Important Security Notes" to call out that servicefile, passfile, sslkey, sslcert, and sslrootcert read files from the local filesystem, and to point at ParseConfigWithOptions with ConnStringAllowedKeys for connection strings built from untrusted input. Documentation only; no functional change. Co-Authored-By: Jack Christensen <jack@jackchristensen.com>
1 parent b4d6d4d commit 1ade285

2 files changed

Lines changed: 35 additions & 0 deletions

File tree

pgconn/config.go

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -293,6 +293,15 @@ func NetworkAddress(host string, port uint16) (network, address string) {
293293
// changed later but the unencrypted fallback is present. Ensure there are no stale fallbacks when manually setting
294294
// TLSConfig.
295295
//
296+
// Several connection parameters cause ParseConfig to read files from the local filesystem: servicefile, passfile,
297+
// sslkey, sslcert, and sslrootcert. Applications that build connection strings from untrusted input must not allow
298+
// these keys to be set by that input. In particular, servicefile (which pgconn accepts in the connection string;
299+
// libpq does not) is read as an INI file whose entries override other connection settings including host, port, and
300+
// sslmode, so an attacker who controls servicefile and service can redirect the connection. If any portion of the
301+
// connection string is externally supplied, use ParseConfigWithOptions and set ParseConfigOptions.ConnStringAllowedKeys
302+
// to an allow-list of the keys that input is expected to supply; any other key in the connection string is then
303+
// rejected before any filesystem access occurs.
304+
//
296305
// Other known differences with libpq:
297306
//
298307
// When multiple hosts are specified, libpq allows them to have different passwords set via the .pgpass file. pgconn

pgconn/doc.go

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,32 @@ Establishing a Connection
88
Use Connect to establish a connection. It accepts a connection string in URL or keyword/value format and will read the
99
environment for libpq style environment variables.
1010
11+
Connecting Securely
12+
13+
By default ParseConfig matches libpq and uses sslmode=prefer, which silently falls back to an unencrypted connection
14+
if the server does not offer TLS. For connections that traverse an untrusted network, set the following parameters
15+
explicitly:
16+
17+
# URL form
18+
postgres://user@db.example.com/mydb?sslmode=verify-full&sslrootcert=/path/to/root.crt&channel_binding=require&require_auth=scram-sha-256
19+
20+
# keyword/value form
21+
host=db.example.com user=user dbname=mydb sslmode=verify-full sslrootcert=/path/to/root.crt channel_binding=require require_auth=scram-sha-256
22+
23+
sslmode=verify-full Require TLS, verify the server certificate against sslrootcert, and verify that the
24+
certificate's host name matches the host being connected to. Weaker modes (disable,
25+
allow, prefer, require) either permit plaintext fallback or skip certificate
26+
verification, allowing a network attacker to impersonate the server.
27+
channel_binding=require Require SCRAM-SHA-256-PLUS, which binds the authentication exchange to the TLS channel
28+
so that a TLS-terminating intermediary cannot relay credentials to the real server.
29+
require_auth=scram-sha-256
30+
Refuse to respond to AuthenticationCleartextPassword or AuthenticationMD5Password
31+
requests from the server. Without this, a server (or interceptor) can request the
32+
password in cleartext and the client will send it.
33+
34+
These parameters may also be set via the PGSSLMODE, PGSSLROOTCERT, PGCHANNELBINDING, and PGREQUIREAUTH environment
35+
variables.
36+
1137
Executing a Query
1238
1339
ExecParams and ExecPrepared execute a single query. They return readers that iterate over each row. The Read method

0 commit comments

Comments
 (0)