version 22.8.4.7
How to reproduce:
-
Add section to config.xml
<query_masking_rules> <rule> <name>hide encrypt/decrypt arguments</name> <regexp>((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:'(?:\\'|.)+'|.*?)\s*\)</regexp> <!-- or more secure, but also more invasive: (aes_\w+)\s*\(.*\) --> <replace>\1(???)</replace> </rule> </query_masking_rules>
-
Run query and get exception
select decrypt('aes-256-ecb', 'my_text', 'mykey123451234512345123451234512');
-
Check query_log
select exception, query from system.query_log where exception_code>0 order by event_time desc limit 1
Here we have masked query
select decrypt(???)
And not masked exception message
Code: 454. DB::Exception: Failed to decrypt. OpenSSL error code: 503316603: While processing decrypt('aes-256-ecb', 'my_text', 'mykey123451234512345123451234512'). (OPENSSL_ERROR) (version 22.8.4.7 (official build))
And for example, i can easily get encrypt key from the exception message
version 22.8.4.7
How to reproduce:
Add section to config.xml
<query_masking_rules> <rule> <name>hide encrypt/decrypt arguments</name> <regexp>((?:aes_)?(?:encrypt|decrypt)(?:_mysql)?)\s*\(\s*(?:'(?:\\'|.)+'|.*?)\s*\)</regexp> <!-- or more secure, but also more invasive: (aes_\w+)\s*\(.*\) --> <replace>\1(???)</replace> </rule> </query_masking_rules>Run query and get exception
select decrypt('aes-256-ecb', 'my_text', 'mykey123451234512345123451234512');Check query_log
select exception, query from system.query_log where exception_code>0 order by event_time desc limit 1Here we have masked query
select decrypt(???)And not masked exception message
Code: 454. DB::Exception: Failed to decrypt. OpenSSL error code: 503316603: While processing decrypt('aes-256-ecb', 'my_text', 'mykey123451234512345123451234512'). (OPENSSL_ERROR) (version 22.8.4.7 (official build))And for example, i can easily get encrypt key from the exception message