Describe the bug
Passing --debug to any command that opens a database connection (db push, link, migration repair, ...) silently downgrades the connection to plaintext, even when the user has explicitly required TLS via --db-url "...?sslmode=require" and/or PGSSLMODE=require.
Mechanism (internal/debug/postgres.go, present in v2.101.0 through v2.109.1):
func SetupPGX(config *pgx.ConnConfig) {
proxy := Proxy{
dialContext: config.DialFunc,
errChan: make(chan error, 1),
}
config.DialFunc = proxy.DialFunc
config.TLSConfig = nil
}
SetupPGX is appended as a config override in ConnectByUrl when DEBUG is set, so it runs after all sslmode resolution — the wire-logging proxy cannot read encrypted frames, so TLS is nulled unconditionally and silently.
Why this matters
- It's a silent security downgrade: a user who passes
sslmode=require has stated that plaintext is unacceptable; --debug overrides that with no warning. Credentials are protected only because pg_hba/SCRAM sequencing happens to reject first on SSL-enforcing servers — against a server that accepts plaintext, the entire session (password and data) goes unencrypted.
- It sabotages the exact debugging it's meant to help: against Supabase projects with network restrictions enabled (which make the database
hostssl-only), every --debug invocation fails with FATAL: no pg_hba.conf entry for host "...", user "postgres", database "postgres", no encryption — while the same command without --debug succeeds. Users debugging a connection problem add --debug and thereby create a new, misleading failure. This cost us a multi-hour production incident on 2026-07-13: our CI had run db push --debug for months; the day our project enabled network restrictions, every migration deploy failed with the pg_hba error above, and the downgrade being --debug-conditional made it exceptionally hard to reproduce outside CI.
To Reproduce
Against any Supabase project with database network restrictions enabled (allowlisted client IP):
$ supabase db push --db-url "postgresql://postgres:<pw>@db.<ref>.supabase.co:5432/postgres?sslmode=require" --dry-run
# → connects over TLS (wrong password reaches SCRAM: "password authentication failed")
$ supabase db push --db-url "postgresql://postgres:<pw>@db.<ref>.supabase.co:5432/postgres?sslmode=require" --dry-run --debug
# → FATAL: no pg_hba.conf entry for host "...", ..., no encryption
Expected behavior
Either (a) the debug proxy logs the pre-TLS traffic only (or uses tls.Config-level keylogging) without downgrading the connection, or (b) --debug refuses to run / prints a prominent warning when the resolved sslmode requires TLS, instead of silently overriding it.
Version
Reproduced on 2.101.0 and 2.109.1 (source inspected at both tags).
Describe the bug
Passing
--debugto any command that opens a database connection (db push,link,migration repair, ...) silently downgrades the connection to plaintext, even when the user has explicitly required TLS via--db-url "...?sslmode=require"and/orPGSSLMODE=require.Mechanism (
internal/debug/postgres.go, present in v2.101.0 through v2.109.1):SetupPGXis appended as a config override inConnectByUrlwhenDEBUGis set, so it runs after all sslmode resolution — the wire-logging proxy cannot read encrypted frames, so TLS is nulled unconditionally and silently.Why this matters
sslmode=requirehas stated that plaintext is unacceptable;--debugoverrides that with no warning. Credentials are protected only because pg_hba/SCRAM sequencing happens to reject first on SSL-enforcing servers — against a server that accepts plaintext, the entire session (password and data) goes unencrypted.hostssl-only), every--debuginvocation fails withFATAL: no pg_hba.conf entry for host "...", user "postgres", database "postgres", no encryption— while the same command without--debugsucceeds. Users debugging a connection problem add--debugand thereby create a new, misleading failure. This cost us a multi-hour production incident on 2026-07-13: our CI had rundb push --debugfor months; the day our project enabled network restrictions, every migration deploy failed with the pg_hba error above, and the downgrade being--debug-conditional made it exceptionally hard to reproduce outside CI.To Reproduce
Against any Supabase project with database network restrictions enabled (allowlisted client IP):
Expected behavior
Either (a) the debug proxy logs the pre-TLS traffic only (or uses
tls.Config-level keylogging) without downgrading the connection, or (b)--debugrefuses to run / prints a prominent warning when the resolved sslmode requires TLS, instead of silently overriding it.Version
Reproduced on 2.101.0 and 2.109.1 (source inspected at both tags).