Security: simplify defineProperty non-enumerables

Lewiscowles1986 · brianc · commit fd2c3563a57f · 2020-10-20T12:53:25.000-05:00
* `password` already has this set, but was a little long considering we only want to override default of one property
* `ssl.key` was showing up in tracebacks
diff --git a/packages/pg-pool/index.js b/packages/pg-pool/index.js
@@ -73,6 +73,14 @@ class Pool extends EventEmitter {
         value: options.password,
       })
     }
+    if (options != null && options.ssl && options.ssl.key) {
+      // "hiding" the ssl->key so it doesn't show up in stack traces
+      // or if the client is console.logged
+      this.options.ssl.key = options.ssl.key
+      Object.defineProperty(this.options.ssl, 'key', {
+        enumerable: false,
+      })
+    }
 
     this.options.max = this.options.max || this.options.poolSize || 10
     this.options.maxUses = this.options.maxUses || Infinity
diff --git a/packages/pg/lib/client.js b/packages/pg/lib/client.js
@@ -57,6 +57,15 @@ class Client extends EventEmitter {
     this.processID = null
     this.secretKey = null
     this.ssl = this.connectionParameters.ssl || false
+    // As with Password, make SSL->Key (the private key) non-enumerable.
+    // It won't show up in stack traces
+    // or if the client is console.logged
+    if (this.ssl && this.ssl.key) {
+      Object.defineProperty(this.ssl, 'key', {
+        enumerable: false,
+      })
+    }
+
     this._connectionTimeoutMillis = c.connectionTimeoutMillis || 0
   }
 
diff --git a/packages/pg/lib/connection-parameters.js b/packages/pg/lib/connection-parameters.js
@@ -84,6 +84,11 @@ class ConnectionParameters {
     if (this.ssl === 'no-verify') {
       this.ssl = { rejectUnauthorized: false }
     }
+    if (this.ssl && this.ssl.key) {
+      Object.defineProperty(this.ssl, 'key', {
+        enumerable: false,
+      })
+    }
 
     this.client_encoding = val('client_encoding', config)
     this.replication = val('replication', config)
