保護DataHogo
Security Encyclopedia/Database Connections
highCWE-532OWASP A09:2021

Database Credentials in Environment Logs

Your DATABASE_URL or database password gets printed to application logs via console.log or error messages, exposing credentials to anyone with log access.

How It Works

It often happens by accident: an uncaught exception handler logs the full error object, which includes the connection string in the stack trace. Or a developer adds console.log(process.env) for debugging and forgets to remove it. Cloud logging services like Datadog, CloudWatch, or Vercel logs capture everything — and log access is often broader than database access.

Vulnerable Code
// BAD: logging the full error object which may include the connection string
pool.on('error', (err) => {
  console.error('Unexpected error on idle client', err); // err may contain DATABASE_URL
});
// Also BAD: debugging env vars
console.log('Config:', process.env); // logs DATABASE_URL and all secrets
Secure Code
// GOOD: log only safe, non-sensitive error information
pool.on('error', (err) => {
  // Log the error code and message, not the full error object
  console.error('DB pool error:', { code: err.code, message: err.message });
});
// Never log process.env — log only what you need

Real-World Example

A startup had their entire Sentry error log contain DATABASE_URL in every single error report because their global error handler logged the Express request object, which included process.env as middleware had attached it. Their DB password was in Sentry for 6 months before discovery.

How to Prevent It

  • Never log process.env, req.headers, or full error objects that may contain connection strings
  • Use structured logging with explicit field selection — only log fields you've explicitly chosen
  • Add DATABASE_URL and other secrets to your log scrubbing/redaction config in Sentry, Datadog, etc.
  • Audit your logs periodically for accidentally logged secrets using tools like detect-secrets
  • Set up alerts for log entries that match patterns like postgresql:// or password=

Affected Technologies

Node.jsPython

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

Unencrypted Database Connection

high

Your database connection doesn't use SSL/TLS, meaning all queries and results travel over the network in plaintext and can be intercepted.

CWE-319OWASP A02:2021

Database Publicly Accessible

critical

Your database is bound to 0.0.0.0 or exposed on a public IP without a VPC or firewall, making it directly reachable from the internet.

CWE-284OWASP A05:2021

Default Database Credentials

critical

Your database uses factory-default credentials like postgres:postgres, root:root, or admin:admin — the first thing any attacker tries.

CWE-1392OWASP A07:2021

Connection String with Inline Password

high

A database connection string with a plaintext password is hardcoded in your source code, committing your database credentials to version control.

CWE-312OWASP A02:2021