Credential leaks on MySQL's dbshell crash

[Simon Charette]

I reported this issue to the security team on September 9th 2020 but it was deemed that it was better to handle it in public. On September 30th Charlie Denton also reported the issue to the security team hence why I'm finally creating a ticket for this so he also gets credit.

A variant of this issue was initially reported 5 years ago (#24999) where the reporter mentioned that usage of the --password flag when spawning a mysql shell process would show up in ps with the password in plain text.

What I'm reporting now is that if the dbshell management crash on backends that pass the --password flag in plain text (e.g. MySQL) the CalledProcessError exception raised will have the following signature

CalledProcessError: Command '['mysql', '--user=user', '--password=p4ssword', '--host=host', '--port=3306', 'database']' returned non-zero exit status 1.

That's not a big deal when no form of logging is in place but when it's the case (e.g. Sentry, Elastic, Graylog) it's possible for some systems to fail at obfuscating the --password= part due to the complex nature of the string.

In order to prevent that from happening I suggest we override ​MySQL backend's runshell method to pass env={'MYSQL_PWD': PASSWORD} instead of using the --password flag even if ​it looks like this is discouraged (and even meant to be deprecated?) for reasons similar to the ones mentioned in #24999. ​That's the exact approach currently used by the PostgreSQL backend though.

An alternative could be using the ​pexpect library to provide the password when prompted for instead but I fear this solution might not be suitable due to the external dependency it would incur. I haven't investigated how complex it would be to implement a cross-platform vendored solution without the use of pexpect but I fear dragons may lurk in the details of dealing with that properly.