Prevent sqlalchemy's lack of url encoding from leaking passwords

Switches away from using `str(engine_instance.engine)` for rendering connection strings, in order to prevent passwords containing characters such as `#` from leaking. The name of the segment will contain the password if this character is used, likely others as well. See: https://bugs.python.org/issue18140 and encode/database#145 The code in question is here: sqlalchemy/sqlalchemy/blob/aea28a9/lib/sqlalchemy/engine/url.py#L597-L630
yurisich · Sep 26, 2023 · 9f22fff · 9f22fff
1 parent d9fec7d
commit 9f22fff
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/aws_xray_sdk/ext/sqlalchemy_core/patch.py b/aws_xray_sdk/ext/sqlalchemy_core/patch.py
@@ -14,7 +14,7 @@
 def _sql_meta(engine_instance, args):
     try:
         metadata = {}
-        url = urlparse(str(engine_instance.engine.url))
+        url = urlparse(engine_instance.engine.render_as_string())
         # Add Scheme to uses_netloc or // will be missing from url.
         uses_netloc.append(url.scheme)
         if url.password is None: