
Testing JDBC URL Security Handling in HikariCP

This test suite validates the secure handling of JDBC connection URLs in HikariCP’s DriverDataSource implementation, focusing on password masking and sensitive information protection. The tests ensure that sensitive credentials are properly masked in error messages and logs.

Test Coverage Overview

The suite contains a single test, testJdbcUrlLogging, which runs eight JDBC URL variants through one shared check on the resulting exception message.

Key areas tested include:
  • Various JDBC URL formats and patterns
  • Multiple password parameter variations (password, truststorePassword, sslpassword, trustPassword)
  • Different URL component combinations with sensitive data
  • Edge cases with special characters and URL fragments

Implementation Analysis

The test uses JUnit to validate security-critical password masking. It keeps the URL variations in a single list and passes each one to a shared helper method, so every URL format and password parameter combination goes through the same assertions.

For each URL, the helper asserts that the exception message still contains the non-sensitive parts (the base URL jdbc:invalid://host/d_dlq and user=USER) and that it does not contain the password value SECRET.

Technical Details

Testing tools and configuration:
  • JUnit 4 testing framework
  • Assert methods for validation
  • Arrays.asList for test data organization
  • A RuntimeException expected from the DriverDataSource constructor, with fail() if none is thrown
  • A private helper method (testExceptionMessage) for the repeated validation

Best Practices Demonstrated

The test suite exemplifies several testing best practices:

  • Systematic testing of security-critical functionality
  • Comprehensive test data coverage
  • Clear separation of test cases
  • Explicit verification of both positive and negative conditions
  • Focused scope for each test assertion

brettwooldridge/hikaricp

src/test/java/com/zaxxer/hikari/util/DriverDataSourceTest.java

            
/*
 * Copyright (C) 2013, 2014 Brett Wooldridge
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

package com.zaxxer.hikari.util;

import org.junit.Test;

import java.util.Arrays;
import java.util.List;
import java.util.Properties;

import static org.junit.Assert.*;

public class DriverDataSourceTest {

   @Test
   public void testJdbcUrlLogging() {
      List<String> urls = Arrays.asList(
         "jdbc:invalid://host/d_dlq?user=USER&password=SECRET",
         "jdbc:invalid://host/d_dlq?user=USER&truststorePassword=SECRET",
         "jdbc:invalid://host/d_dlq?a=b&password=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?a=b&sslpassword=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?a=b&sslpassword=SECRET&password=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?truststorePassword=SECRET;user=USER&password=SECRET#extra",
         "jdbc:invalid://host/d_dlq?sslpassword=SECRET&password=SECRET&trustPassword=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?password=SECRET#user=USER;extra"
      );

      for (String url : urls) {
         testExceptionMessage(url);
      }
   }

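   private void testExceptionMessage(String jdbcUrl) {
      try {
         // The jdbc:invalid URLs are expected to make construction fail.
         new DriverDataSource(jdbcUrl, null, new Properties(), null, null);
         fail("Expected a RuntimeException for " + jdbcUrl);
      } catch (RuntimeException e) {
         String msg = e.getMessage();
         // Non-sensitive parts of the URL must stay visible for diagnostics.
         assertTrue(msg.contains("jdbc:invalid://host/d_dlq"));
         assertTrue(msg.contains("user=USER"));
         // No password value may appear in the message.
         assertFalse("Exception message should not contain password", msg.contains("SECRET"));
      }
   }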
}
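
One way to write the kind of masking this test exercises, as an added example that is not HikariCP's own code and not part of the original file. The class name JdbcUrlMaskDemo, the mask helper, the regular expression and the <masked> placeholder are assumptions made for illustration; the eight URLs are the ones from the test above.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper for illustration; not HikariCP's implementation.
public class JdbcUrlMaskDemo {

   // A parameter starts after one of ? & ; # and its name ends in "password"
   // (any case). Its value runs up to the next & ; # or the end of the URL.
   private static final Pattern SECRET_PARAM =
      Pattern.compile("([?&;#][^=&;#]*password=)[^&;#]*", Pattern.CASE_INSENSITIVE);

   // Returns the URL with every password-like value replaced by <masked>.
   static String mask(String jdbcUrl) {
      if (jdbcUrl == null) {
         return null;
      }
      return SECRET_PARAM.matcher(jdbcUrl).replaceAll("$1<masked>");
   }

   public static void main(String[] args) {
      List<String> urls = Arrays.asList(
         "jdbc:invalid://host/d_dlq?user=USER&password=SECRET",
         "jdbc:invalid://host/d_dlq?user=USER&truststorePassword=SECRET",
         "jdbc:invalid://host/d_dlq?a=b&password=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?a=b&sslpassword=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?a=b&sslpassword=SECRET&password=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?truststorePassword=SECRET;user=USER&password=SECRET#extra",
         "jdbc:invalid://host/d_dlq?sslpassword=SECRET&password=SECRET&trustPassword=SECRET&user=USER",
         "jdbc:invalid://host/d_dlq?password=SECRET#user=USER;extra"
      );

      for (String url : urls) {
         String masked = mask(url);
         // Same three conditions the JUnit helper checks on the exception message.
         boolean keepsContext = masked.contains("jdbc:invalid://host/d_dlq")
            && masked.contains("user=USER");
         if (!keepsContext || masked.contains("SECRET")) {
            throw new AssertionError("Not safe to log: " + masked);
         }
         System.out.println(masked);
      }
   }
}
```

A password that itself contains an unescaped &, ; or # is cut at that character by this pattern, so the remainder of the value would stay visible in the output.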