Error messages are still outputting sensitive information

[robert-sjoblom]

Describe the Bug

#1161 was closed as fixed by #1162. We're still seeing sensitive information being logged, though:

failed to migrate database: failed to create new migrations: failed to open database: parse "pgx://user2:3M8s8!EQ48wh^cw%!E(bool=true)HEUApA9@<host>:<port>/db?sslmode=require&application_name=appname-859675d96c-p4sbc&statement_cache_mode=describe&x-lock-strategy=table&x-multi-statement=%!t(MISSING)": net/url: invalid userinfo

Steps to Reproduce

Our error stemmed from the fact that the user that migrated (user2) wasn't a member of a group (pgbouncer), and so the login was rejected at the pg_hba level. However, you get the same behavior when you're connecting to a database with the wrong password.

An amateur's guess is that this might be the reason/origin:
https://github.com/golang-migrate/migrate/blob/master/database/driver.go#L85C1-L100C1

Expected Behavior
No sensitive information is logged.

Migrate Version
v4.18.2

[dhui]

I think this is related to your other issue where the password doesn't have reserved URL characters escaped.
Specifically, this: parse "...": net/url: invalid userinfo