Test environment override for secret and url with credentials

pkg/setting/setting.go

@@ -183,6 +183,11 @@ func shouldRedactKey(s string) bool {
 	return strings.Contains(uppercased, "PASSWORD") || strings.Contains(uppercased, "SECRET")
 }
 
+func shouldRedactURLKey(s string) bool {
+	uppercased := strings.ToUpper(s)
+	return strings.Contains(uppercased, "DATABASE_URL")
+}
+
 func applyEnvVariableOverrides() {
 	appliedEnvOverrides = make([]string, 0)
 	for _, section := range Cfg.Sections() {
@@ -197,6 +202,17 @@ func applyEnvVariableOverrides() {
 				if shouldRedactKey(envKey) {
 					envValue = "*********"
 				}
+				if shouldRedactURLKey(envKey) {
+					u, _ := url.Parse(envValue)
+					ui := u.User
+					if ui != nil {
+						_, exists := ui.Password()
+						if exists {
+							u.User = url.UserPassword(ui.Username(), "-redacted-")
+							envValue = u.String()
+						}
+					}
+				}
 				appliedEnvOverrides = append(appliedEnvOverrides, fmt.Sprintf("%s=%s", envKey, envValue))
 			}
 		}

pkg/setting/setting_test.go

@@ -29,6 +29,20 @@ func TestLoadingSettings(t *testing.T) {
 			So(LogsPath, ShouldEqual, filepath.Join(DataPath, "log"))
 		})
 
+		Convey("Should replace password when defined in environment", func() {
+			os.Setenv("GF_SECURITY_ADMIN_PASSWORD", "supersecret")
+			NewConfigContext(&CommandLineArgs{HomePath: "../../"})
+
+			So(appliedEnvOverrides, ShouldContain, "GF_SECURITY_ADMIN_PASSWORD=*********")
+		})
+
+		Convey("Should replace password in URL when url environment is defined", func() {
+			os.Setenv("GF_DATABASE_URL", "mysql://user:secret@localhost:3306/database")
+			NewConfigContext(&CommandLineArgs{HomePath: "../../"})
+
+			So(appliedEnvOverrides, ShouldContain, "GF_DATABASE_URL=mysql://user:-redacted-@localhost:3306/database")
+		})
+
 		Convey("Should get property map from command line args array", func() {
 			props := getCommandLineProperties([]string{"cfg:test=value", "cfg:map.test=1"})