cdc: mask sink uri secrets in errors

Author: asddongmen

cdc/api/v1/validator.go

@@ -112,7 +112,10 @@ func verifyCreateChangefeedConfig(
 	// verify replicaConfig
 	sinkURIParsed, err := url.Parse(changefeedConfig.SinkURI)
 	if err != nil {
-		return nil, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return nil, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(changefeedConfig.SinkURI))
 	}
 	err = replicaConfig.ValidateAndAdjust(sinkURIParsed)
 	if err != nil {

cdc/api/v2/api_helpers.go

@@ -213,7 +213,10 @@ func (h APIV2HelpersImpl) verifyCreateChangefeedConfig(
 	// verify replicaConfig
 	sinkURIParsed, err := url.Parse(cfg.SinkURI)
 	if err != nil {
-		return nil, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return nil, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(cfg.SinkURI))
 	}
 	err = replicaCfg.ValidateAndAdjust(sinkURIParsed)
 	if err != nil {
@@ -343,6 +346,10 @@ func (h APIV2HelpersImpl) verifyUpdateChangefeedConfig(
 		}
 		sinkURIParsed, err := url.Parse(sinkURI)
 		if err != nil {
+			err = cerror.WrapError(
+				cerror.ErrSinkURIInvalid,
+				util.MaskSensitiveDataInURLError(err),
+				util.MaskSensitiveDataInURIForError(sinkURI))
 			return nil, nil, cerror.ErrChangefeedUpdateRefused.GenWithStackByCause(err)
 		}
 		err = newInfo.Config.ValidateAndAdjust(sinkURIParsed)

cdc/api/v2/changefeed.go

@@ -367,7 +367,10 @@ func (h *OpenAPIV2) verifyTable(c *gin.Context) {
 
 	uri, err := url.Parse(cfg.SinkURI)
 	if err != nil {
-		_ = c.Error(err)
+		_ = c.Error(cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(cfg.SinkURI)))
 		return
 	}
 	scheme := uri.Scheme

cdc/model/changefeed.go

@@ -348,7 +348,7 @@ func (info *ChangeFeedInfo) RmUnusedFields() {
 		log.Warn(
 			"failed to parse the sink uri",
 			zap.Error(err),
-			zap.Any("sinkUri", info.SinkURI),
+			zap.Any("sinkURI", util.MaskSensitiveDataInURIForError(info.SinkURI)),
 		)
 		return
 	}
@@ -488,7 +488,7 @@ func (info *ChangeFeedInfo) fixState() {
 func (info *ChangeFeedInfo) fixMySQLSinkProtocol() {
 	uri, err := url.Parse(info.SinkURI)
 	if err != nil {
-		log.Warn("parse sink URI failed", zap.Error(err))
+		log.Warn("parse sink URI failed", zap.Error(util.MaskSensitiveDataInURLError(err)))
 		// SAFETY: It is safe to ignore this unresolvable sink URI here,
 		// as it is almost impossible for this to happen.
 		// If we ignore it when fixing it after it happens,
@@ -518,7 +518,7 @@ func (info *ChangeFeedInfo) fixMySQLSinkProtocol() {
 func (info *ChangeFeedInfo) fixMQSinkProtocol() {
 	uri, err := url.Parse(info.SinkURI)
 	if err != nil {
-		log.Warn("parse sink URI failed", zap.Error(err))
+		log.Warn("parse sink URI failed", zap.Error(util.MaskSensitiveDataInURLError(err)))
 		return
 	}
 

cdc/processor/processor.go

@@ -591,7 +591,10 @@ func (p *processor) tick(ctx context.Context) (error, error) {
 func isMysqlCompatibleBackend(sinkURIStr string) (bool, error) {
 	sinkURI, err := url.Parse(sinkURIStr)
 	if err != nil {
-		return false, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return false, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(sinkURIStr))
 	}
 	scheme := sink.GetScheme(sinkURI)
 	return sink.IsMySQLCompatibleScheme(scheme), nil
@@ -609,7 +612,10 @@ func isMysqlCompatibleBackend(sinkURIStr string) (bool, error) {
 func getPullerSplitUpdateMode(sinkURIStr string, config *config.ReplicaConfig) (sourcemanager.PullerSplitUpdateMode, error) {
 	sinkURI, err := url.Parse(sinkURIStr)
 	if err != nil {
-		return sourcemanager.PullerSplitUpdateModeNone, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return sourcemanager.PullerSplitUpdateModeNone, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(sinkURIStr))
 	}
 	scheme := sink.GetScheme(sinkURI)
 	if !sink.IsMySQLCompatibleScheme(scheme) {

cdc/sink/ddlsink/factory/factory.go

@@ -43,7 +43,10 @@ func New(
 ) (ddlsink.Sink, error) {
 	sinkURI, err := url.Parse(sinkURIStr)
 	if err != nil {
-		return nil, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return nil, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(sinkURIStr))
 	}
 	scheme := sink.GetScheme(sinkURI)
 	switch scheme {

cdc/sink/dmlsink/factory/factory.go

@@ -75,7 +75,10 @@ func New(
 ) (*SinkFactory, error) {
 	sinkURI, err := url.Parse(sinkURIStr)
 	if err != nil {
-		return nil, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return nil, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(sinkURIStr))
 	}
 
 	s := &SinkFactory{}

cdc/sink/validator/validator.go

@@ -74,7 +74,7 @@ func checkSyncPointSchemeCompatibility(
 		return cerror.ErrSinkURIInvalid.
 			GenWithStack(
 				"sink uri scheme is not supported with syncpoint enabled"+
-					"sink uri: %s", uri,
+					"sink uri: %s", util.MaskSensitiveDataInURIForError(uri.String()),
 			)
 	}
 	return nil
@@ -90,7 +90,10 @@ func preCheckSinkURI(sinkURIStr string) (*url.URL, error) {
 
 	sinkURI, err := url.Parse(sinkURIStr)
 	if err != nil {
-		return nil, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return nil, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(sinkURIStr))
 	}
 
 	// Check if we use the correct IPv6 address format.

cdc/sink/validator/validator_test.go

@@ -27,9 +27,10 @@ func TestPreCheckSinkURI(t *testing.T) {
 	t.Parallel()
 
 	tests := []struct {
-		name string
-		uri  string
-		err  string
+		name        string
+		uri         string
+		err         string
+		notContains string
 	}{
 		{
 			name: "valid domain MySQL URI",
@@ -76,6 +77,12 @@ func TestPreCheckSinkURI(t *testing.T) {
 			uri:  "kafka://3333:10:9:101::204:9092/topic1",
 			err:  "sink uri host is not valid IPv6 address",
 		},
+		{
+			name:        "invalid escaped URI masks password",
+			uri:         "mysql://root:verysecure@127.0.0.1/%zz",
+			err:         `parse "<invalid uri>"`,
+			notContains: "verysecure",
+		},
 	}
 
 	for _, tt := range tests {
@@ -85,6 +92,9 @@ func TestPreCheckSinkURI(t *testing.T) {
 			_, err := preCheckSinkURI(test.uri)
 			if test.err != "" {
 				require.Contains(t, err.Error(), test.err)
+				if test.notContains != "" {
+					require.NotContains(t, err.Error(), test.notContains)
+				}
 			} else {
 				require.NoError(t, err)
 			}
@@ -126,4 +136,12 @@ func TestValidateSink(t *testing.T) {
 		t, err.Error(),
 		"sink uri scheme is not supported with syncpoint enabled",
 	)
+	require.NotContains(t, err.Error(), "verysecure")
+	require.NotContains(t, err.Error(), "sasl-password=verysecure")
+
+	sinkURI = "kafka://127.0.0.1:9092/topic?sasl-password=verysecure"
+	err = Validate(ctx, model.DefaultChangeFeedID("test"), sinkURI, replicateConfig, nil)
+	require.NotNil(t, err)
+	require.Contains(t, err.Error(), "sasl-password=xxxxx")
+	require.NotContains(t, err.Error(), "verysecure")
 }

cdc/syncpointstore/syncpoint_store.go

@@ -21,6 +21,7 @@ import (
 	"github.com/pingcap/tiflow/cdc/model"
 	"github.com/pingcap/tiflow/pkg/config"
 	cerror "github.com/pingcap/tiflow/pkg/errors"
+	"github.com/pingcap/tiflow/pkg/util"
 )
 
 // SyncPointStore is an abstraction for anything that a changefeed may emit into.
@@ -45,7 +46,10 @@ func NewSyncPointStore(
 	// parse sinkURI as a URI
 	sinkURI, err := url.Parse(sinkURIStr)
 	if err != nil {
-		return nil, cerror.WrapError(cerror.ErrSinkURIInvalid, err)
+		return nil, cerror.WrapError(
+			cerror.ErrSinkURIInvalid,
+			util.MaskSensitiveDataInURLError(err),
+			util.MaskSensitiveDataInURIForError(sinkURIStr))
 	}
 	switch strings.ToLower(sinkURI.Scheme) {
 	case "mysql", "tidb", "mysql+ssl", "tidb+ssl":