Skip to content

--debug silently disables TLS on database connections (SetupPGX sets TLSConfig = nil), overriding sslmode=require and PGSSLMODE #5872

Description

@evanvolgas

Describe the bug

Passing --debug to any command that opens a database connection (db push, link, migration repair, ...) silently downgrades the connection to plaintext, even when the user has explicitly required TLS via --db-url "...?sslmode=require" and/or PGSSLMODE=require.

Mechanism (internal/debug/postgres.go, present in v2.101.0 through v2.109.1):

func SetupPGX(config *pgx.ConnConfig) {
	proxy := Proxy{
		dialContext: config.DialFunc,
		errChan:     make(chan error, 1),
	}
	config.DialFunc = proxy.DialFunc
	config.TLSConfig = nil
}

SetupPGX is appended as a config override in ConnectByUrl when DEBUG is set, so it runs after all sslmode resolution — the wire-logging proxy cannot read encrypted frames, so TLS is nulled unconditionally and silently.

Why this matters

  1. It's a silent security downgrade: a user who passes sslmode=require has stated that plaintext is unacceptable; --debug overrides that with no warning. Credentials are protected only because pg_hba/SCRAM sequencing happens to reject first on SSL-enforcing servers — against a server that accepts plaintext, the entire session (password and data) goes unencrypted.
  2. It sabotages the exact debugging it's meant to help: against Supabase projects with network restrictions enabled (which make the database hostssl-only), every --debug invocation fails with FATAL: no pg_hba.conf entry for host "...", user "postgres", database "postgres", no encryption — while the same command without --debug succeeds. Users debugging a connection problem add --debug and thereby create a new, misleading failure. This cost us a multi-hour production incident on 2026-07-13: our CI had run db push --debug for months; the day our project enabled network restrictions, every migration deploy failed with the pg_hba error above, and the downgrade being --debug-conditional made it exceptionally hard to reproduce outside CI.

To Reproduce

Against any Supabase project with database network restrictions enabled (allowlisted client IP):

$ supabase db push --db-url "postgresql://postgres:<pw>@db.<ref>.supabase.co:5432/postgres?sslmode=require" --dry-run
# → connects over TLS (wrong password reaches SCRAM: "password authentication failed")

$ supabase db push --db-url "postgresql://postgres:<pw>@db.<ref>.supabase.co:5432/postgres?sslmode=require" --dry-run --debug
# → FATAL: no pg_hba.conf entry for host "...", ..., no encryption

Expected behavior

Either (a) the debug proxy logs the pre-TLS traffic only (or uses tls.Config-level keylogging) without downgrading the connection, or (b) --debug refuses to run / prints a prominent warning when the resolved sslmode requires TLS, instead of silently overriding it.

Version

Reproduced on 2.101.0 and 2.109.1 (source inspected at both tags).

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions