include::../../../shared_content/secrets/description.adoc[] == Why is this an issue? include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? Passwords in PostgreSQL are used to authenticate users against the database engine. They are associated with user accounts that are granted specific permissions over the database and its hosted data. If a PostgreSQL password leaks to an unintended audience, it can have serious consequences for the security of your database, the data stored within it, and the applications that rely on it. include::../../../shared_content/secrets/impact/data_compromise.adoc[] ==== Security downgrade Applications relying on a PostgreSQL database instance can suffer a security downgrade if an access password is leaked to attackers. Depending on the purposes the application uses the database for, consequences can range from low-severity issues, like defacement, to complete compromise. For example, if the PostgreSQL instance is used as part of the authentication process of an application, attackers with access to the database will likely be able to bypass this security mechanism. == How to fix it include::../../../shared_content/secrets/fix/revoke.adoc[] include::../../../shared_content/secrets/fix/recent_use.adoc[] By default, no connection information is logged by PostgreSQL server. The `log_connections` parameter must be set to `true` in the server configuration for this to happen. include::../../../shared_content/secrets/fix/vault.adoc[] include::../../../shared_content/secrets/fix/default.adoc[] === Code examples ==== Noncompliant code example [source,python,diff-id=1,diff-type=noncompliant] ---- uri = "postgres://foouser:foopass@example.com/testdb" ---- ==== Compliant solution [source,python,diff-id=1,diff-type=compliant] ---- import os user = os.environ["PG_USER"] password = os.environ["PG_PASSWORD"] uri = f"postgres://{user}:{password}@example.com/testdb" ---- //=== How does this work? //=== Pitfalls //=== Going the extra mile == Resources include::../../../shared_content/secrets/resources/standards.adoc[] === Documentation * PostgreSQL Documentation - https://www.postgresql.org/docs/15/client-authentication.html[Client Authentication] * PostgreSQL Documentation - https://www.postgresql.org/docs/current/runtime-config-logging.html[Error Reporting and Logging] //=== Benchmarks