CNDB-15280: Remove user data from AbstractReadQuery.toCQLString #2038
+698
−306
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Checklist before you submit for review
|
adelapena
force-pushed
the
CNDB-15280-main
branch
from
ae827cd to
c2702c7
Compare
Replace column values by '?' when converting internal read queries to CQL, so user data don't end up in logs or any other unprotected place. # Conflicts: # src/java/org/apache/cassandra/db/Clustering.java # src/java/org/apache/cassandra/db/Slices.java
adelapena
force-pushed
the
CNDB-15280-main-redaction
branch
from
c5339f8 to
2c07844
Compare
|
✔️ Build ds-cassandra-pr-gate/PR-2038 approved by ButlerApproved by Butler |
adelapena
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The method
AbstractReadQuery.toCQLStringprints commands as CQL queries including any column values. This includes the queried values in theWHEREpart of aSELECTstatement or the written values onINSERTandUPDATEstatement. This method is used at least by the slow query logger, printing user data into the logs.This PR modifies
AbstractReadQuery.toCQLStringso it doesn't include column values. There is a boolean flag to opt-out from redaction, since seeing the queried values can be useful while debugging.The criteria for what should be redacted is:
InvalidRequestException, query tracing (Tracing.trace) and genericObject#toString()methods.AbstractReadQuery.toCQLString, which is used for example by the slow query logger. However, there are still plenty of other things that print user data, for example partition keys. Discussion here: https://datastax.slack.com/archives/C05LHP4HX5J/p1757687570882049?thread_ts=1757533116.788859&cid=C05LHP4HX5JAt reviewer's request, this PR separately adds redaction over the tightly related changes in
toCQLStringmethods done by this other PR. That PR originally combined both things in separate commits, and it already had multiple review comments regarding changes that now are in this PR.