fix: sanitize credentials from connection string parsing errors (#319)

Copilot · dlevy-msft-sql · web-flow · commit 93f5ef0dd5f0 · 2026-03-05T13:45:02.000-06:00
Prevent leaking usernames and passwords in error messages when URL parsing fails.
The original url.Parse error could include the full connection string with credentials.

- Replace url.Parse error with generic message
- Add tests using testify to verify credentials are not leaked

Co-authored-by: David Levy &lt;dlevy@microsoft.com&gt;
diff --git a/msdsn/conn_str.go b/msdsn/conn_str.go
@@ -647,7 +647,7 @@ func Parse(dsn string) (Config, error) {
 	if !ok {
 		epaString = os.Getenv("MSSQL_USE_EPA")
 	}
-	if epaString !=  "" {
+	if epaString != "" {
 		epaEnabled, err := strconv.ParseBool(epaString)
 		if err != nil {
 			return p, fmt.Errorf("invalid epa enabled value '%s': %v", epaString, err)
@@ -836,7 +836,8 @@ func splitConnectionStringURL(dsn string) (map[string]string, error) {
 
 	u, err := url.Parse(dsn)
 	if err != nil {
-		return res, err
+		// Do not include the original error which may contain credentials
+		return res, fmt.Errorf("unable to parse connection string: invalid URL format")
 	}
 
 	if u.Scheme != "sqlserver" {
diff --git a/msdsn/conn_str_test.go b/msdsn/conn_str_test.go
@@ -53,6 +53,42 @@ func TestInvalidConnectionString(t *testing.T) {
 	}
 }
 
+func TestCredentialNotLeakedInError(t *testing.T) {
+	// Test that when url.Parse fails, the error message does not contain credentials
+	testCases := []struct {
+		name     string
+		connStr  string
+		username string
+		password string
+	}{
+		{
+			name:     "URL with invalid control character",
+			connStr:  "sqlserver://myuser:secretpassword@host:1433\x00invalid",
+			username: "myuser",
+			password: "secretpassword",
+		},
+		{
+			name:     "URL with password and null byte in query",
+			connStr:  "sqlserver://admin:mysecret123@server.example.com:1433?database=test\x00",
+			username: "admin",
+			password: "mysecret123",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := Parse(tc.connStr)
+			if !assert.Error(t, err, "Expected error for invalid connection string") {
+				return
+			}
+
+			errMsg := err.Error()
+			assert.NotContains(t, errMsg, tc.password, "Error message should not contain password")
+			assert.NotContains(t, errMsg, tc.username, "Error message should not contain username")
+		})
+	}
+}
+
 func TestValidConnectionString(t *testing.T) {
 	type testStruct struct {
 		connStr string
