From f736cbbdac4b64d3a74109b906f9675c2a7570ba Mon Sep 17 00:00:00 2001
From: Zsolt Parragi
Date: Tue, 7 Apr 2026 17:48:10 +0000
Subject: [PATCH] libpq-oauth: Warn when PGOAUTHDEBUG trace may expose secrets

PGOAUTHDEBUG trace logging prints raw HTTP traffic, which can include bearer tokens and client secrets. Bracket the trace output with warnings at the start and end of the OAuth flow so users know not to share it.
---
 src/interfaces/libpq-oauth/oauth-curl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/interfaces/libpq-oauth/oauth-curl.c b/src/interfaces/libpq-oauth/oauth-curl.c
index 7ba75fc6d04..62fb4d87489 100644
--- a/src/interfaces/libpq-oauth/oauth-curl.c
+++ b/src/interfaces/libpq-oauth/oauth-curl.c
@@ -3041,6 +3041,11 @@ pg_fe_run_oauth_flow(PGconn *conn, struct PGoauthBearerRequest *request,
 actx->dbg_num_calls);
 }
 
+ if ((actx->debug_flags & OAUTHDEBUG_UNSAFE_TRACE) && (result == PGRES_POLLING_OK || result == PGRES_POLLING_FAILED)) fprintf(stderr, libpq_gettext("WARNING: PGOAUTHDEBUG trace output above may contain secrets. Do not share with third parties.\n"));
+
 #ifndef WIN32
 if (masked)
 {
@@ -3096,6 +3101,10 @@ pg_start_oauthbearer(PGconn *conn, PGoauthBearerRequestV2 *request)
 /* Parse debug flags from the environment. */
 actx->debug_flags = oauth_parse_debug_flags();
 
+ if (actx->debug_flags & OAUTHDEBUG_UNSAFE_TRACE) fprintf(stderr, libpq_gettext("WARNING: PGOAUTHDEBUG trace is enabled. HTTP traffic (including secrets) will be logged.\n"));
+
 initPQExpBuffer(&actx->work_data);
 initPQExpBuffer(&actx->errbuf);
-- 
2.43.0
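Review bot: The closing warning added in the first hunk hands the translated message to fprintf() as the format string with no arguments (`fprintf(stderr, libpq_gettext("WARNING: ..."))`), so any `%` that ever lands in a translation catalog is interpreted as a conversion, and `-Wformat-security` flags this shape unless libpq_gettext carries a format_arg attribute, which this hunk does not show. Printing the text as data avoids the question entirely: `fputs(libpq_gettext("WARNING: PGOAUTHDEBUG trace output above may contain secrets. Do not share with third parties.\n"), stderr);` and the same for the opening warning in the second hunk. Separately, this trailing reminder fires only when this exit path sees PGRES_POLLING_OK or PGRES_POLLING_FAILED, so a flow torn down some other way (the connection closed mid-poll, for instance) gets no closing warning; the opening one still covers that case, which may be acceptable but is worth a comment on the condition. pg_fe_run_oauth_flow starts and ends outside this hunk.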