From b2bef49aba485516a91c30b187a47dd845b1cee7 Mon Sep 17 00:00:00 2001 From: x032205 Date: Wed, 8 Oct 2025 14:29:19 -0400 Subject: [PATCH 1/5] parse out sslmode from connectionUri under certain conditions --- backend/src/db/instance.ts | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/backend/src/db/instance.ts b/backend/src/db/instance.ts index b1ecf7d659..ab71c9335d 100644 --- a/backend/src/db/instance.ts +++ b/backend/src/db/instance.ts @@ -32,10 +32,27 @@ export const initDbConnection = ({ return selectedReplica; }); + // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined + let modifiedDbConnectionUri = dbConnectionUri; + if (dbRootCert) { + const parts = dbConnectionUri.split("?"); + const baseUrl = parts[0]; + const queryString = parts.length > 1 ? parts[1] : ""; + + if (queryString) { + const params = new URLSearchParams(queryString); + if (params.has("sslmode") && params.get("sslmode") !== "disable") { + params.delete("sslmode"); + const newQueryString = params.toString(); + modifiedDbConnectionUri = baseUrl + (newQueryString ? `?${newQueryString}` : ""); + } + } + } + db = knex({ client: "pg", connection: { - connectionString: dbConnectionUri, + connectionString: modifiedDbConnectionUri, host: process.env.DB_HOST, // @ts-expect-error I have no clue why only for the port there is a type error // eslint-disable-next-line From d17c102bccaa464a717f0716ca011ab1918ec4f4 Mon Sep 17 00:00:00 2001 From: x032205 Date: Wed, 8 Oct 2025 14:39:28 -0400 Subject: [PATCH 2/5] improve parsing --- backend/src/db/instance.ts | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/backend/src/db/instance.ts b/backend/src/db/instance.ts index ab71c9335d..5b5aa9beec 100644 --- a/backend/src/db/instance.ts +++ b/backend/src/db/instance.ts 
@@ -35,17 +35,10 @@ export const initDbConnection = ({ // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined let modifiedDbConnectionUri = dbConnectionUri; if (dbRootCert) { - const parts = dbConnectionUri.split("?"); - const baseUrl = parts[0]; - const queryString = parts.length > 1 ? parts[1] : ""; - - if (queryString) { - const params = new URLSearchParams(queryString); - if (params.has("sslmode") && params.get("sslmode") !== "disable") { - params.delete("sslmode"); - const newQueryString = params.toString(); - modifiedDbConnectionUri = baseUrl + (newQueryString ? `?${newQueryString}` : ""); - } + const url = new URL(dbConnectionUri); + if (url.searchParams.has("sslmode") && url.searchParams.get("sslmode") !== "disable") { + url.searchParams.delete("sslmode"); + modifiedDbConnectionUri = url.toString(); } } @@ -76,10 +69,21 @@ export const initDbConnection = ({ readReplicaDbs = readReplicas.map((el) => { const replicaDbCertificate = el.dbRootCert || dbRootCert; + + // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined + let modifiedReadReplicaDbConnectionUri = el.dbConnectionUri; + if (replicaDbCertificate) { + const url = new URL(el.dbConnectionUri); + if (url.searchParams.has("sslmode") && url.searchParams.get("sslmode") !== "disable") { + url.searchParams.delete("sslmode"); + modifiedReadReplicaDbConnectionUri = url.toString(); + } + } + return knex({ client: "pg", connection: { - connectionString: el.dbConnectionUri, + connectionString: modifiedReadReplicaDbConnectionUri, ssl: replicaDbCertificate ? { rejectUnauthorized: true, From 86fb8a665d6014512a5ed3f4475c49b9c9eb5193 Mon Sep 17 00:00:00 2001 From: x032205 Date: Wed, 8 Oct 2025 14:44:42 -0400 Subject: [PATCH 3/5] add sslmode parsing to audit log db --- backend/src/db/instance.ts | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
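Review bot: When `sslmode` is present the string handed to pg becomes `url.toString()`, the WHATWG-normalised form of the operator's URI rather than the URI itself, and that serialiser percent-encodes userinfo and query characters by its own rules; pg-connection-string decodes userinfo, so this probably round-trips, but a test with a password containing `%`, `@` or `|` would confirm it before this ships. Separately, `new URL(dbConnectionUri)` throws a bare `TypeError` on a malformed URI where the raw string previously reached pg untouched, so wrapping the parse, `try { url = new URL(dbConnectionUri); } catch { throw new Error("DB_CONNECTION_URI is not a valid URL"); }`, would at least name the setting in the error. Both hunks sit inside `initDbConnection`, which starts before the first hunk and continues after the second.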
diff --git a/backend/src/db/instance.ts b/backend/src/db/instance.ts index 5b5aa9beec..9df1cc0cbf 100644 --- a/backend/src/db/instance.ts +++ b/backend/src/db/instance.ts @@ -108,13 +108,23 @@ export const initAuditLogDbConnection = ({ dbConnectionUri: string; dbRootCert?: string; }) => { + // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined + let modifiedDbConnectionUri = dbConnectionUri; + if (dbRootCert) { + const url = new URL(dbConnectionUri); + if (url.searchParams.has("sslmode") && url.searchParams.get("sslmode") !== "disable") { + url.searchParams.delete("sslmode"); + modifiedDbConnectionUri = url.toString(); + } + } + // akhilmhdh: the default Knex is knex.Knex. but when assigned with knex({}) the value is knex.Knex // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[] // eslint-disable-next-line const db: Knex = knex({ client: "pg", connection: { - connectionString: dbConnectionUri, + connectionString: modifiedDbConnectionUri, host: process.env.AUDIT_LOGS_DB_HOST, // @ts-expect-error I have no clue why only for the port there is a type error // eslint-disable-next-line From bb274c2d08c0e240f4f435659dacff129e69235d Mon Sep 17 00:00:00 2001 From: x032205 Date: Thu, 9 Oct 2025 00:47:04 -0400 Subject: [PATCH 4/5] only parse out sslmode if it's equal to verify-ca, verify-full, or require --- backend/src/db/instance.ts | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/backend/src/db/instance.ts b/backend/src/db/instance.ts index 9df1cc0cbf..c8a6ce1d4e 100644 --- a/backend/src/db/instance.ts +++ b/backend/src/db/instance.ts 
@@ -32,11 +32,12 @@ export const initDbConnection = ({ return selectedReplica; }); - // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined + // Parse out ?sslmode=... from the connection URI if its equal to "verify-ca", "verify-full", or "require" and dbRootCert is defined let modifiedDbConnectionUri = dbConnectionUri; if (dbRootCert) { const url = new URL(dbConnectionUri); - if (url.searchParams.has("sslmode") && url.searchParams.get("sslmode") !== "disable") { + const sslMode = url.searchParams.get("sslmode"); + if (url.searchParams.has("sslmode") && sslMode && ["verify-ca", "verify-full", "require"].includes(sslMode)) { url.searchParams.delete("sslmode"); modifiedDbConnectionUri = url.toString(); } @@ -70,11 +71,12 @@ export const initDbConnection = ({ readReplicaDbs = readReplicas.map((el) => { const replicaDbCertificate = el.dbRootCert || dbRootCert; - // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined + // Parse out ?sslmode=... from the connection URI if its equal to "verify-ca", "verify-full", or "require" and dbRootCert is defined let modifiedReadReplicaDbConnectionUri = el.dbConnectionUri; if (replicaDbCertificate) { const url = new URL(el.dbConnectionUri); - if (url.searchParams.has("sslmode") && url.searchParams.get("sslmode") !== "disable") { + const sslMode = url.searchParams.get("sslmode"); + if (url.searchParams.has("sslmode") && sslMode && ["verify-ca", "verify-full", "require"].includes(sslMode)) { url.searchParams.delete("sslmode"); modifiedReadReplicaDbConnectionUri = url.toString(); } 
@@ -108,11 +110,12 @@ export const initAuditLogDbConnection = ({ dbConnectionUri: string; dbRootCert?: string; }) => { - // Parse out ?sslmode=... from the connection URI if its not equal to "disable" and dbRootCert is defined + // Parse out ?sslmode=... from the connection URI if its equal to "verify-ca", "verify-full", or "require" and dbRootCert is defined let modifiedDbConnectionUri = dbConnectionUri; if (dbRootCert) { const url = new URL(dbConnectionUri); - if (url.searchParams.has("sslmode") && url.searchParams.get("sslmode") !== "disable") { + const sslMode = url.searchParams.get("sslmode"); + if (url.searchParams.has("sslmode") && sslMode && ["verify-ca", "verify-full", "require"].includes(sslMode)) { url.searchParams.delete("sslmode"); modifiedDbConnectionUri = url.toString(); } From c61a1293e35c90ff595796a17c863d7165a60e74 Mon Sep 17 00:00:00 2001 From: x032205 Date: Thu, 9 Oct 2025 00:59:25 -0400 Subject: [PATCH 5/5] improve sslmode parsing for full coverage + some other small tweaks --- backend/src/db/instance.ts | 90 ++++++++++++++------------------------ 1 file changed, 34 insertions(+), 56 deletions(-) diff --git a/backend/src/db/instance.ts b/backend/src/db/instance.ts index c8a6ce1d4e..112def0b3d 100644 --- a/backend/src/db/instance.ts +++ b/backend/src/db/instance.ts 
@@ -1,5 +1,27 @@ import knex, { Knex } from "knex"; +const parseSslConfig = (dbConnectionUri: string, dbRootCert?: string) => { + let modifiedDbConnectionUri = dbConnectionUri; + let sslConfig: { rejectUnauthorized: boolean; ca: string } | boolean = false; + + if (dbRootCert) { + const url = new URL(dbConnectionUri); + const sslMode = url.searchParams.get("sslmode"); + + if (sslMode && sslMode !== "disable") { + url.searchParams.delete("sslmode"); + modifiedDbConnectionUri = url.toString(); + + sslConfig = { + rejectUnauthorized: ["verify-ca", "verify-full"].includes(sslMode), + ca: Buffer.from(dbRootCert, "base64").toString("ascii") + }; + } + } + + return { modifiedDbConnectionUri, sslConfig }; +}; + export type TDbClient = Knex; export const initDbConnection = ({ dbConnectionUri, 
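Review bot: When `dbRootCert` is set but the URI carries no `sslmode` parameter, `sslMode` is `null`, the `sslMode && sslMode !== "disable"` guard is false and `sslConfig` stays `false`, so the pool is created without TLS even though the operator supplied a root certificate; before this patch the same inputs produced `{ rejectUnauthorized: true, ca }`, so any existing deployment whose URI has no `?sslmode=` silently loses TLS on upgrade. The `require` case also deserves a comment: with `rejectUnauthorized: false` the `ca` is never checked against the server certificate, which matches libpq's meaning of `require` but is a downgrade from the previous unconditional verification, and the function currently says nothing about it. The rewrite below treats a missing `sslmode` as the pre-patch verified mode and strips the parameter only when one was present.

```typescript
  if (dbRootCert) {
    const url = new URL(dbConnectionUri);
    const sslMode = url.searchParams.get("sslmode");

    if (sslMode !== "disable") {
      if (sslMode) {
        url.searchParams.delete("sslmode");
        modifiedDbConnectionUri = url.toString();
      }

      sslConfig = {
        // No sslmode or verify-* => validate the server cert against dbRootCert (pre-patch behaviour).
        // "require"/"prefer"/"allow" keep libpq semantics: encrypted but unverified, so the CA is unused.
        rejectUnauthorized: !sslMode || ["verify-ca", "verify-full"].includes(sslMode),
        ca: Buffer.from(dbRootCert, "base64").toString("ascii")
      };
    }
  }
  // … unchanged: return { modifiedDbConnectionUri, sslConfig } …
```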
@@ -32,34 +54,18 @@ export const initDbConnection = ({ return selectedReplica; }); - // Parse out ?sslmode=... from the connection URI if its equal to "verify-ca", "verify-full", or "require" and dbRootCert is defined - let modifiedDbConnectionUri = dbConnectionUri; - if (dbRootCert) { - const url = new URL(dbConnectionUri); - const sslMode = url.searchParams.get("sslmode"); - if (url.searchParams.has("sslmode") && sslMode && ["verify-ca", "verify-full", "require"].includes(sslMode)) { - url.searchParams.delete("sslmode"); - modifiedDbConnectionUri = url.toString(); - } - } + const { modifiedDbConnectionUri, sslConfig } = parseSslConfig(dbConnectionUri, dbRootCert); db = knex({ client: "pg", connection: { connectionString: modifiedDbConnectionUri, host: process.env.DB_HOST, - // @ts-expect-error I have no clue why only for the port there is a type error - // eslint-disable-next-line - port: process.env.DB_PORT, + port: process.env.DB_PORT ? parseInt(process.env.DB_PORT, 10) : undefined, user: process.env.DB_USER, database: process.env.DB_NAME, password: process.env.DB_PASSWORD, - ssl: dbRootCert - ? { - rejectUnauthorized: true, - ca: Buffer.from(dbRootCert, "base64").toString("ascii") - } - : false + ssl: sslConfig }, // https://knexjs.org/guide/#pool pool: { min: 0, max: 10 }, 
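Review bot: `parseInt(process.env.DB_PORT, 10)` returns `NaN` for a non-numeric value and accepts `5432abc` as 5432, and that result is forwarded to pg as the port, so a typo in `DB_PORT` is no longer rejected before the pool is created; a strict parse, `const dbPort = process.env.DB_PORT ? Number(process.env.DB_PORT) : undefined;` followed by `if (dbPort !== undefined && (!Number.isInteger(dbPort) || dbPort < 1 || dbPort > 65535)) throw new Error("DB_PORT must be a TCP port number");`, fails fast with a message that names the setting. Dropping the `@ts-expect-error` and the lint suppression is otherwise a welcome cleanup. `initDbConnection` starts before this hunk and the `knex({` call continues past its end.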
@@ -70,28 +76,16 @@ export const initDbConnection = ({ readReplicaDbs = readReplicas.map((el) => { const replicaDbCertificate = el.dbRootCert || dbRootCert; - - // Parse out ?sslmode=... from the connection URI if its equal to "verify-ca", "verify-full", or "require" and dbRootCert is defined - let modifiedReadReplicaDbConnectionUri = el.dbConnectionUri; - if (replicaDbCertificate) { - const url = new URL(el.dbConnectionUri); - const sslMode = url.searchParams.get("sslmode"); - if (url.searchParams.has("sslmode") && sslMode && ["verify-ca", "verify-full", "require"].includes(sslMode)) { - url.searchParams.delete("sslmode"); - modifiedReadReplicaDbConnectionUri = url.toString(); - } - } + const { modifiedDbConnectionUri: replicaUri, sslConfig: replicaSslConfig } = parseSslConfig( + el.dbConnectionUri, + replicaDbCertificate + ); return knex({ client: "pg", connection: { - connectionString: modifiedReadReplicaDbConnectionUri, - ssl: replicaDbCertificate - ? { - rejectUnauthorized: true, - ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii") - } - : false + connectionString: replicaUri, + ssl: replicaSslConfig }, migrations: { tableName: "infisical_migrations" 
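Review bot: `parseSslConfig(el.dbConnectionUri, replicaDbCertificate)` now runs inside `readReplicas.map` after `db = knex(...)` has already been assigned earlier in `initDbConnection`, and `new URL()` throws on a malformed replica URI, so one bad replica entry appears to leave the primary pool created and the module-level `db` set while the function itself throws (the `db` declaration is outside this view, so confirm how callers recover). Validating every replica URI up front, before any pool is created, or catching the parse error and rethrowing with the replica's index, would make the failure attributable; the error should not include the URI itself since it carries credentials. The `readReplicas.map` callback continues past the end of this hunk.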
@@ -110,16 +104,7 @@ export const initAuditLogDbConnection = ({ dbConnectionUri: string; dbRootCert?: string; }) => { - // Parse out ?sslmode=... from the connection URI if its equal to "verify-ca", "verify-full", or "require" and dbRootCert is defined - let modifiedDbConnectionUri = dbConnectionUri; - if (dbRootCert) { - const url = new URL(dbConnectionUri); - const sslMode = url.searchParams.get("sslmode"); - if (url.searchParams.has("sslmode") && sslMode && ["verify-ca", "verify-full", "require"].includes(sslMode)) { - url.searchParams.delete("sslmode"); - modifiedDbConnectionUri = url.toString(); - } - } + const { modifiedDbConnectionUri, sslConfig } = parseSslConfig(dbConnectionUri, dbRootCert); // akhilmhdh: the default Knex is knex.Knex. but when assigned with knex({}) the value is knex.Knex // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[] @@ -129,18 +114,11 @@ export const initAuditLogDbConnection = ({ connection: { connectionString: modifiedDbConnectionUri, host: process.env.AUDIT_LOGS_DB_HOST, - // @ts-expect-error I have no clue why only for the port there is a type error - // eslint-disable-next-line - port: process.env.AUDIT_LOGS_DB_PORT, + port: process.env.AUDIT_LOGS_DB_PORT ? parseInt(process.env.AUDIT_LOGS_DB_PORT, 10) : undefined, user: process.env.AUDIT_LOGS_DB_USER, database: process.env.AUDIT_LOGS_DB_NAME, password: process.env.AUDIT_LOGS_DB_PASSWORD, - ssl: dbRootCert - ? { - rejectUnauthorized: true, - ca: Buffer.from(dbRootCert, "base64").toString("ascii") - } - : false + ssl: sslConfig }, migrations: { tableName: "infisical_migrations"
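Review bot: The port expression `process.env.AUDIT_LOGS_DB_PORT ? parseInt(process.env.AUDIT_LOGS_DB_PORT, 10) : undefined` in the second hunk is a second copy of the pattern used for `DB_PORT` in `initDbConnection`, and both forward `NaN` to pg when the variable is non-numeric; a small helper next to `parseSslConfig` that returns `undefined` for an unset variable and throws for anything that is not an integer in 1–65535, called as `port: parsePort(process.env.AUDIT_LOGS_DB_PORT),`, would keep the two pools consistent and put the validation in one place. `initAuditLogDbConnection` starts before the first hunk and the `knex({` call continues past the end of the second.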