
query_masking_rules not work for exception messages at query_log #41418

@alexsubota

Description

version 22.8.4.7

How to reproduce:

  1. Add section to config.xml
    <query_masking_rules>
        <rule>
            <name>hide encrypt/decrypt arguments</name>
            <regexp>((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:'(?:\\'|.)+'|.*?)\s*\)</regexp>
            <!-- or more secure, but also more invasive: (aes_\w+)\s*\(.*\) -->
            <replace>\1(???)</replace>
        </rule>
    </query_masking_rules>

  2. Run query and get exception
    select decrypt('aes-256-ecb', 'my_text', 'mykey123451234512345123451234512');

  3. Check query_log
    select exception, query from system.query_log where exception_code>0 order by event_time desc limit 1

Here we have the masked query:
    select decrypt(???)
And the unmasked exception message:
    Code: 454. DB::Exception: Failed to decrypt. OpenSSL error code: 503316603: While processing decrypt('aes-256-ecb', 'my_text', 'mykey123451234512345123451234512'). (OPENSSL_ERROR) (version 22.8.4.7 (official build))
And, for example, I can easily get the encryption key from the exception message.
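Added example (not from the issue author or the ClickHouse code base): the rule from the config above, re-applied in Python to both the `query` and the `exception` column of the row shown in this report. It shows that the same regexp/replace would mask the exception text as well, and doubles as an audit over exported `query_log` rows to find exceptions that still carry arguments the query column hides. The function names, the sample row and the use of Python's `re` (ClickHouse itself uses re2) are assumptions.

```python
import re

# The rule from the config.xml in this report: (regexp, replace), as given.
MASKING_RULES = [
    (r"((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:'(?:\\'|.)+'|.*?)\s*\)",
     r"\1(???)"),
]


def apply_masking_rules(text: str, rules=MASKING_RULES) -> str:
    """Apply each rule in order, as query_masking_rules does for the query text.
    Assumption: Python's re is used here; ClickHouse uses re2, which accepts
    the same syntax for this rule (no backreferences in the pattern)."""
    for pattern, replacement in rules:
        text = re.sub(pattern, replacement, text)
    return text


def find_unmasked_exceptions(rows, rules=MASKING_RULES):
    """Audit query_log rows as (query, exception) tuples. A row is reported
    when its exception text changes under the masking rules, i.e. it still
    contains arguments that the masked query column no longer shows.
    Returns (query, exception, masked_exception) triples."""
    leaks = []
    for query, exception in rows:
        masked_exception = apply_masking_rules(exception, rules)
        if masked_exception != exception:
            leaks.append((query, exception, masked_exception))
    return leaks


# Constructed sample row, mirroring the query_log output in this report.
SAMPLE_ROWS = [
    ("select decrypt(???)",
     "Code: 454. DB::Exception: Failed to decrypt. OpenSSL error code: 503316603: "
     "While processing decrypt('aes-256-ecb', 'my_text', "
     "'mykey123451234512345123451234512'). (OPENSSL_ERROR) "
     "(version 22.8.4.7 (official build))"),
]

if __name__ == "__main__":
    for query, exc, masked in find_unmasked_exceptions(SAMPLE_ROWS):
        print("query    :", query)
        print("exception:", exc)
        print("masked   :", masked)
```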
