From 3e59e48eea69820789317341e3dbbf77bc8c93cc Mon Sep 17 00:00:00 2001 From: Shantel Peters Date: Mon, 23 Mar 2026 20:18:40 +0100 Subject: [PATCH] feat(security): implement database connection security measures - Added connection string masking in logs - Enforced SSL/TLS connection encryption - Enforced secure proxy pool limits --- src/common/logging/logging.config.ts | 11 +++++++++++ src/database/prisma/prisma.service.ts | 21 ++++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/common/logging/logging.config.ts b/src/common/logging/logging.config.ts index 70a89251..35dd5cff 100644 --- a/src/common/logging/logging.config.ts +++ b/src/common/logging/logging.config.ts @@ -20,6 +20,9 @@ const SENSITIVE_KEYS = [ 'creditcard', 'ssn', 'pin', + 'database_url', + 'db_url', + 'connection_string', ]; /** @@ -61,6 +64,14 @@ const redactFormat = () => { // Redact common sensitive fields const redactedInfo = { ...info }; + // Mask database credentials in string messages + if (typeof redactedInfo.message === 'string') { + redactedInfo.message = redactedInfo.message.replace( + /(postgres(?:ql)?|mysql):\/\/[^:]+:[^@]+@/g, + '$1://***:***@' + ); + } + // Redact nested data in 'meta' or 'data' fields if (redactedInfo.meta) { redactedInfo.meta = filterSensitiveData(redactedInfo.meta); diff --git a/src/database/prisma/prisma.service.ts b/src/database/prisma/prisma.service.ts index 3a1ca4ec..1d5e7616 100644 --- a/src/database/prisma/prisma.service.ts +++ b/src/database/prisma/prisma.service.ts @@ -20,7 +20,26 @@ export class PrismaService extends PrismaClient implements OnModuleInit, OnModul private readonly logger: StructuredLoggerService, ) { // Get the database URL from environment/config - const databaseUrl = configService.get('DATABASE_URL'); + let databaseUrl = configService.get('DATABASE_URL'); + + if (databaseUrl) { + // Enforce database connection encryption (SSL) + if (!databaseUrl.includes('sslmode=')) { + const separator = databaseUrl.includes('?') ? '&' : '?'; + databaseUrl += `${separator}sslmode=require`; + } + + // Enforce connection pooling security + if (!databaseUrl.includes('connection_limit=')) { + const separator = databaseUrl.includes('?') ? '&' : '?'; + databaseUrl += `${separator}connection_limit=5`; + } + + if (!databaseUrl.includes('pool_timeout=')) { + const separator = databaseUrl.includes('?') ? '&' : '?'; + databaseUrl += `${separator}pool_timeout=10`; + } + } // Prisma uses the connection URL to configure pooling // Example: postgresql://user:pass@host:5432/db?connection_limit=10&pool_timeout=30