From f1138770f23b37794579ef94c9b893b26ecb6762 Mon Sep 17 00:00:00 2001
From: Zsolt Parragi
Date: Tue, 7 Apr 2026 17:48:10 +0000
Subject: [PATCH] libpq-oauth: Warn when PGOAUTHDEBUG trace may expose secrets

When PGOAUTHDEBUG includes the "trace" option (which requires the UNSAFE: prefix), libcurl's verbose output is printed to stderr. This trace includes the full HTTP request and response traffic, which can contain bearer tokens, client secrets, and other sensitive material.

A user who enables trace debugging to troubleshoot a connection problem may not realize that the output is unsafe to share publicly, especially in bug reports or mailing list posts.

Add two bracketing warnings to make this explicit:

1. At the start of the OAuth flow, immediately after parsing the debug flags, print a notice that trace logging is active and will include secrets.

2. At the end of the flow (success or failure), print a reminder that the preceding trace output may contain secrets and should not be shared with third parties.

Together these ensure the sensitive trace output is clearly delimited by warnings, regardless of how much or how little output curl produces in between.
---
 src/interfaces/libpq-oauth/oauth-curl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/interfaces/libpq-oauth/oauth-curl.c b/src/interfaces/libpq-oauth/oauth-curl.c
index abbef93f95f..063739fe2f5 100644
--- a/src/interfaces/libpq-oauth/oauth-curl.c
+++ b/src/interfaces/libpq-oauth/oauth-curl.c
@@ -3041,6 +3041,11 @@ pg_fe_run_oauth_flow(PGconn *conn, struct PGoauthBearerRequest *request,
 actx->dbg_num_calls);
 }
 
+ if ((actx->debug_flags & OAUTHDEBUG_UNSAFE_TRACE)
+ && (result == PGRES_POLLING_OK || result == PGRES_POLLING_FAILED))
+ fprintf(stderr,
+ libpq_gettext("WARNING: PGOAUTHDEBUG trace output above may contain secrets. Do not share with third parties.\n"));
+
 #ifndef WIN32
 if (masked)
 {
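Review bot: The closing reminder added after the dbg_num_calls block is printed only when `result` is PGRES_POLLING_OK or PGRES_POLLING_FAILED, so a flow that the caller abandons before a terminal result (connection closed while still polling, or the flow state torn down through its cleanup path, which is outside this hunk) ends with libcurl trace output on stderr and no trailing warning, which is narrower than the "regardless" claim in the commit message. Consider also emitting the reminder from the cleanup/free path of the flow state, keyed on a flag set when the opening warning was printed, so the bracket is closed on every exit and never printed twice. A short why-comment above the `if` would help the next maintainer keep both warnings on the same stream, e.g. `/* Closes the bracket opened in pg_start_oauthbearer; libcurl's trace went to stderr, so the reminder must too. */`. pg_fe_run_oauth_flow begins and ends outside the hunk.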
@@ -3096,6 +3101,10 @@ pg_start_oauthbearer(PGconn *conn, PGoauthBearerRequestV2 *request)
 /* Parse debug flags from the environment. */
 actx->debug_flags = oauth_parse_debug_flags();
 
+ if (actx->debug_flags & OAUTHDEBUG_UNSAFE_TRACE)
+ fprintf(stderr,
+ libpq_gettext("WARNING: PGOAUTHDEBUG trace is enabled. HTTP traffic (including secrets) will be logged.\n"));
+
 initPQExpBuffer(&actx->work_data);
 initPQExpBuffer(&actx->errbuf);
 
-- 
2.43.0
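Review bot: The opening warning added right after `oauth_parse_debug_flags()` carries no comment explaining why it bypasses the connection's normal error reporting and writes straight to stderr; a later cleanup that routes it through the error buffer would separate it from the libcurl verbose output it is meant to bracket, and that output is not visible to the application at all. Suggest `/* libcurl's trace is written to stderr (presumably via its verbose option), so the warning goes there too: it must sit in the same stream as the secrets it refers to. */` above the `if`. It may also be worth noting in that comment that the flag is already gated on the UNSAFE: prefix by the parser, so no further opt-in check is needed here. pg_start_oauthbearer continues outside the hunk.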