fix(jdbc): avoid String.format in log calls#4096
Conversation
product-auto-label
Bot
added
size: l
logachev
force-pushed
the
kirl/format_logging
branch
from
99949c1 to
8d758f8
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request aims to improve logging performance by avoiding unnecessary String.format calls and introducing new logger methods for lazy parameterized message handling. However, a critical security vulnerability has been identified: the driver logs sensitive data (including auth tokens, passwords, and query parameter values) at the INFO level, leading to high-severity sensitive data exposure. Additionally, a critical bug was introduced in BigQueryDatabaseMetaData.java where the schemaRegex variable was removed but is still referenced, which will cause a compilation error. Beyond these, the refactoring for String.format calls appears incomplete in BigQueryDatabaseMetaData.java, a functional change removed a null-check in the same file, and a typo was introduced in a log message in PooledConnectionListener.java.
I am having trouble creating individual review comments. Click here to see my feedback.
google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryJdbcUrlUtility.java (604)
The appendPropertiesToURL method logs all connection properties at the INFO level. These properties can include highly sensitive information such as OAuthAccessToken, OAuthRefreshToken, and ProxyPwd. Logging these secrets in plain text poses a significant security risk as they may be accessible to unauthorized individuals through log files or monitoring systems. It is recommended to change the log level to FINEST or implement a masking mechanism for sensitive keys.
LOG.finest("Appending %s with value %s to URL", entry.getKey(), entry.getValue());
google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryParameterHandler.java (62-64)
The configureParameters method logs the values of all query parameters at the INFO level. If a query contains sensitive data (e.g., passwords, PII) as parameters, this information will be written to the logs in plain text. It is recommended to change the log level to FINEST to ensure these values are only logged when deep debugging is enabled, consistent with other parts of the driver.
LOG.finest(
"Parameter %s of type %s at index %s added to QueryJobConfiguration",
parameterValue, sqlType, i);
google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/BigQueryDatabaseMetaData.java (786-791)
This check for null/empty catalog and empty patterns was removed. This seems to be an unintended functional change as part of a logging refactoring. Other similar methods like getProcedureColumns retain this check. Removing it might lead to unexpected behavior or NullPointerExceptions if catalog is null and used later. Please consider if this removal was intentional.
google-cloud-bigquery-jdbc/src/main/java/com/google/cloud/bigquery/jdbc/PooledConnectionListener.java (121)
There appears to be a typo in this log message. 'dor:' should likely be 'due to error:'.
LOG.finest("Removed pooled connection from connection pool due to error: %s", errorMessage);
8d758f8 to
4853e99
Compare
logachev
force-pushed
the
kirl/format_logging
branch
from
4853e99 to
cb6949b
Compare
There was a problem hiding this comment.
Code Review
This pull request aims to improve logging performance by removing explicit String.format calls and using deferred formatting. While this is a good practice, a critical security vulnerability was identified: sensitive information, including full connection URLs with credentials and query parameter values, is being logged. The most critical findings involve logging the full connection URL at fine and warning levels in BigQueryJdbcUrlUtility.java, which poses a significant security risk. Additionally, the implementation of new logging methods in BigQueryJdbcCustomLogger can be made more efficient, and there are still instances where string concatenation happens before the log call, and some String.format calls were missed during the refactoring.
logachev
added
the
kokoro:force-run
yoshi-kokoro
removed
the
kokoro:force-run
3 participants
Add wrappers for log calls requiring String.format() to ensure it is not used directly but passed to the lambda instead.
Update all logging that was using System.format() to use new wrappers. I see some perf gains for both rest & read APIs (~10-15% rows/second, but would wait for internal perf framework runs to have a better idea)