ydb-platform · asmyasnikov · Dec 8, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,5 @@
+* Excluded the sensitive credential data in the connection string (DSN, data source name) from error messages for security reasons
+
 ## v3.121.0
 * Changed internal pprof label to pyroscope supported format
 * Added `query.ImplicitTxControl()` transaction control (the same as `query.NoTx()` and `query.EmptyTxControl()`). See more about implicit transactions on [ydb.tech](https://ydb.tech/docs/en/concepts/transactions?version=v25.2#implicit)

diff --git a/driver.go b/driver.go
@@ -31,6 +31,7 @@ import (
 	schemeConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/scheme/config"
 	internalScripting "github.com/ydb-platform/ydb-go-sdk/v3/internal/scripting"
 	scriptingConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/scripting/config"
+	"github.com/ydb-platform/ydb-go-sdk/v3/internal/secret"
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/stack"
 	internalTable "github.com/ydb-platform/ydb-go-sdk/v3/internal/table"
 	tableConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/table/config"
@@ -290,7 +291,7 @@ func Open(ctx context.Context, dsn string, opts ...Option) (_ *Driver, _ error)
 		if parser := dsnParsers[parserIdx]; parser != nil {
 			optsFromParser, err := parser(dsn)
 			if err != nil {
-				return nil, xerrors.WithStackTrace(fmt.Errorf("data source name '%s' wrong: %w", dsn, err))
+				return nil, xerrors.WithStackTrace(fmt.Errorf("data source name '%s' wrong: %w", secret.DSN(dsn), err))
 			}
 			opts = append(opts, optsFromParser...)
 		}

diff --git a/internal/secret/dsn.go b/internal/secret/dsn.go
@@ -0,0 +1,30 @@
+package secret
+
+import (
+	"net/url"
+
+	"github.com/ydb-platform/ydb-go-sdk/v3/pkg/xstring"
+)
+
+func DSN(dsn string) string {
+	u, err := url.Parse(dsn)
+	if err != nil {
+		return dsn
+	}
+
+	values := u.Query()
+	delete(values, "login")
+	delete(values, "user")
+	delete(values, "password")
+
+	buffer := xstring.Buffer()
+	defer buffer.Free()
+
+	buffer.WriteString(u.Scheme + "://" + u.Host + u.Path)
+
+	if len(values) > 0 {
+		buffer.WriteString("?" + values.Encode())
+	}
+
+	return buffer.String()
+}
diff --git a/internal/secret/dsn_test.go b/internal/secret/dsn_test.go
@@ -0,0 +1,35 @@
+package secret
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestDSN(t *testing.T) {
+	for _, tt := range []struct {
+		src string
+		res string
+	}{
+		{
+			src: "grpc://debuguser:debugpassword@localhost:2136/local1",
+			res: "grpc://localhost:2136/local1",
+		},
+		{
+			src: "grpc://localhost:2136/local1?user=debuguser&password=debugpassword",
+			res: "grpc://localhost:2136/local1",
+		},
+		{
+			src: "grpc://localhost:2136/local1?login=debuguser&password=debugpassword",
+			res: "grpc://localhost:2136/local1",
+		},
+		{
+			src: "grpc://localhost:2136/local1?param1=value1&login=debuguser&param2=value2&password=debugpassword&param2=value3",
+			res: "grpc://localhost:2136/local1?param1=value1&param2=value2&param2=value3",
+		},
+	} {
+		t.Run(tt.src, func(t *testing.T) {
+			require.Equal(t, tt.res, DSN(tt.src))
+		})
+	}
+}
diff --git a/options.go b/options.go
@@ -21,6 +21,7 @@ import (
 	ratelimiterConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/ratelimiter/config"
 	schemeConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/scheme/config"
 	scriptingConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/scripting/config"
+	"github.com/ydb-platform/ydb-go-sdk/v3/internal/secret"
 	tableConfig "github.com/ydb-platform/ydb-go-sdk/v3/internal/table/config"
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/xerrors"
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/xsql"
@@ -203,7 +204,7 @@ func WithConnectionString(connectionString string) Option {
 		info, err := dsn.Parse(connectionString)
 		if err != nil {
 			return xerrors.WithStackTrace(
-				fmt.Errorf("parse connection string '%s' failed: %w", connectionString, err),
+				fmt.Errorf("parse connection string '%s' failed: %w", secret.DSN(connectionString), err),
 			)
 		}
 		d.options = append(d.options, info.Options...)

diff --git a/sql.go b/sql.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/bind"
+	"github.com/ydb-platform/ydb-go-sdk/v3/internal/secret"
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/tx"
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/xerrors"
 	"github.com/ydb-platform/ydb-go-sdk/v3/internal/xsql"
@@ -47,7 +48,10 @@ func (d *sqlDriver) Open(string) (driver.Conn, error) {
 func (d *sqlDriver) OpenConnector(dataSourceName string) (driver.Connector, error) {
 	db, err := Open(context.Background(), dataSourceName)
 	if err != nil {
-		return nil, xerrors.WithStackTrace(fmt.Errorf("failed to connect by data source name '%s': %w", dataSourceName, err))
+		return nil, xerrors.WithStackTrace(fmt.Errorf(
+			"failed to connect by data source name '%s': %w",
+			secret.DSN(dataSourceName), err,
+		))
 	}
 
 	c, err := Connector(db, append(db.databaseSQLOptions,