Security advisory: Sensitive Data Exposure via `services.prometheus.exporters.pgbouncer`

Summary

It’s possible to define the connection string for the pgbouncer instance
via the option `services.prometheus.exporters.pgbouncer.connectionStringFile`.

The option is supposed to point to a file that is read with `cat` at service
start, and its contents are then substituted into the command line of the exporter.

Hence, the connection string, which may contain sensitive information such as the
DB password, ends up in the exporter's command line (`/proc/<pid>/cmdline`) and is
effectively world-readable by every local user.

Am I affected?

You are affected if

  • You use the pgbouncer exporter (`services.prometheus.exporters.pgbouncer.enable = true;`), and
  • You use the option `services.prometheus.exporters.pgbouncer.connectionStringFile` and the
    file contains sensitive information such as a DB password.

Patches

The issue got fixed by

Remediation

Remediating the issue is done by:

  • Updating the NixOS channels.

  • Creating an environment file with the contents

    PGBOUNCER_EXPORTER_CONNECTION_STRING=<your connection string for pgbouncer>
    
  • Replacing `services.prometheus.exporters.pgbouncer.connectionStringFile`
    with `services.prometheus.exporters.pgbouncer.connectionEnvFile`, pointing at that file.

  • Switching to the new configuration.
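The following NixOS module fragment is an added example, not part of the advisory, showing the vulnerable configuration next to the remediated one. The secret file paths, the connection string and the user/port values in it are placeholders chosen for illustration; only the option names and the `PGBOUNCER_EXPORTER_CONNECTION_STRING` variable come from the advisory.

```nix
{ config, ... }:
{
  # BEFORE (vulnerable): the file is cat'ed at service start and its
  # contents end up in the exporter's argv, readable by any local user
  # through /proc/<pid>/cmdline or `ps`.
  #
  # services.prometheus.exporters.pgbouncer = {
  #   enable = true;
  #   connectionStringFile = "/run/secrets/pgbouncer-connstring";  # placeholder path
  # };

  # AFTER (remediated): the secret is handed to the exporter through an
  # environment file, so it never appears in the command line.
  services.prometheus.exporters.pgbouncer = {
    enable = true;
    # Placeholder path. The file must contain a single line of the form:
    #   PGBOUNCER_EXPORTER_CONNECTION_STRING=postgres://exporter:<password>@127.0.0.1:6432/pgbouncer?sslmode=disable
    # (user, host, port and database name here are example values.)
    # Keep it readable only by root and the user the exporter service runs as,
    # e.g. mode 0400 and owned appropriately, and deploy it outside the Nix
    # store, since store paths are world-readable.
    connectionEnvFile = "/run/secrets/pgbouncer-exporter.env";
  };
}
```

After `nixos-rebuild switch`, verify the fix by inspecting the running exporter's command line (for example `tr '\0' ' ' < /proc/<pid>/cmdline`, with the PID taken from `systemctl status` of the exporter unit) and confirming the connection string is no longer present there. Note that the environment file must not be placed in the Nix store: anything in `/nix/store` is world-readable, which would reintroduce the same exposure by a different path.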


Unrelated to the issue at hand, just wanted to say thanks for the effort here - the format of these advisories has improved so much, they’re very clear, easy to understand and actionable downstream.
