[BugFix] insert files credential redaction (#71245)

Signed-off-by: srihithg <78094568+srihithg@users.noreply.github.com>
Made-with: Cursor

Author: srihithg

fe/fe-core/src/main/java/com/starrocks/common/util/SqlCredentialRedactor.java

@@ -15,14 +15,16 @@
 package com.starrocks.common.util;
 
 import com.google.common.collect.ImmutableSet;
+import com.google.re2j.Matcher;
+import com.google.re2j.Pattern;
 import com.starrocks.connector.share.credential.CloudConfigurationConstants;
 import com.starrocks.fs.hdfs.HdfsFsManager;
 import com.starrocks.sql.ast.CreateRoutineLoadStmt;
 import com.starrocks.sql.ast.LoadStmt;
 
+import java.util.HashSet;
+import java.util.Locale;
 import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 /**
  * Utility class to redact sensitive credentials from SQL strings.
@@ -83,7 +85,16 @@ public class SqlCredentialRedactor {
             .add("broker.password")
             .build();
 
-    // Pattern to match key-value pairs in SQL
+    // Lowercase set for O(1) lookup (case-insensitive matching)
+    private static final Set<String> CREDENTIAL_KEYS_LOWERCASE = new HashSet<>();
+
+    static {
+        for (String key : CREDENTIAL_KEYS) {
+            CREDENTIAL_KEYS_LOWERCASE.add(key.toLowerCase(Locale.ROOT));
+        }
+    }
+
+    // Simplified pattern to match any key-value pair in SQL
     // This pattern handles cases like:
     // "key"="value"
     // 'key'='value'
@@ -97,13 +108,16 @@ public class SqlCredentialRedactor {
     // key'='value
     // key"="value
     // Values can contain spaces and span multiple lines, separated by commas
+    private static final int MAX_KEY_LENGTH =
+            CREDENTIAL_KEYS.stream().map(String::length).max(Integer::compareTo).orElse(1);
+    // NOTE: MAX_KEY_LENGTH is used to avoid matching too many characters of a long string
     private static final Pattern KEY_VALUE_PATTERN = Pattern.compile(
-            "(?:([\"']?)(" + String.join("|", CREDENTIAL_KEYS.stream()
-                    .map(Pattern::quote)
-                    .toArray(String[]::new)) + ")([\"']?))\\s*=\\s*" +
-            "(?:([\"'])((?:[^\\\\]|\\\\.)*?)\\4|([^,]*?))" +
-            "(?=\\s*,|\\s*$|\\s*\\)|\\s*\\n)",
-            Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE
+            "([\"'])" +                                    // quote
+                    "([^\"'=\\s,()]{1," + MAX_KEY_LENGTH + "})" + // key
+                    "([\"'])" +                                  // quote
+                    "\\s*=\\s*" +                                 // =
+                    "(?:'((?:[^'\\\\]|\\\\.)*)'|\"((?:[^\"\\\\]|\\\\.)*)\"|([^,()\\n]*))",
+            Pattern.DOTALL | Pattern.MULTILINE
     );
 
     private static final Pattern IDENTIFIED_BY_PATTERN = Pattern.compile(
@@ -130,6 +144,27 @@ public class SqlCredentialRedactor {
     private static final String REDACTED_VALUE = "***";
     private static final String LDAP_SIMPLE_AUTH_PLUGIN = "AUTHENTICATION_LDAP_SIMPLE";
 
+    /**
+     * Cheap check for whether {@link #redact(String)} might change the SQL. Used on hot paths (e.g. query profiles)
+     * to skip full redaction when the text has no credential-related markers.
+     */
+    public static boolean mayNeedCredentialRedaction(String sql) {
+        if (sql == null || sql.isEmpty()) {
+            return false;
+        }
+        String lower = sql.toLowerCase(Locale.ROOT);
+        for (String key : CREDENTIAL_KEYS_LOWERCASE) {
+            if (lower.indexOf(key) >= 0) {
+                return true;
+            }
+        }
+        // "password" is already in CREDENTIAL_KEYS_LOWERCASE, so "set password"
+        // (with any whitespace) is caught by the loop above. Only "identified"
+        // needs a separate check — a single keyword avoids false negatives from
+        // whitespace variations like IDENTIFIED\nBY or IDENTIFIED\tWITH.
+        return lower.contains("identified");
+    }
+
     /**
      * Redact sensitive credentials from SQL string.
      *
@@ -150,28 +185,39 @@ public static String redact(String sql) {
 
     private static String redactKeyValueCredentials(String sql) {
         Matcher matcher = KEY_VALUE_PATTERN.matcher(sql);
-        StringBuffer result = new StringBuffer();
+        StringBuilder result = new StringBuilder(sql.length() + 100);
 
+        int lastEnd = 0;
         while (matcher.find()) {
-            String replacement;
             String keyPrefix = matcher.group(1) != null ? matcher.group(1) : "";
             String key = matcher.group(2);
             String keySuffix = matcher.group(3) != null ? matcher.group(3) : "";
 
-            // Determine if value is quoted or unquoted
-            if (matcher.group(4) != null && matcher.group(5) != null) {
-                // Quoted value case
-                String valueQuote = matcher.group(4);
-                replacement = keyPrefix + key + keySuffix + " = " + valueQuote + REDACTED_VALUE + valueQuote;
+            // Check if this key should be redacted (case-insensitive)
+            if (CREDENTIAL_KEYS_LOWERCASE.contains(key.toLowerCase(Locale.ROOT))) {
+                // Append text before the match
+                result.append(sql, lastEnd, matcher.start());
+
+                // Build replacement for redacted value
+                String replacement;
+                if (matcher.group(4) != null && matcher.group(5) != null) {
+                    // Quoted value case
+                    String valueQuote = matcher.group(4);
+                    replacement = keyPrefix + key + keySuffix + " = " + valueQuote + REDACTED_VALUE + valueQuote;
+                } else {
+                    // Unquoted value case
+                    replacement = keyPrefix + key + keySuffix + " = " + REDACTED_VALUE;
+                }
+                result.append(replacement);
             } else {
-                // Unquoted value case
-                replacement = keyPrefix + key + keySuffix + " = " + REDACTED_VALUE;
+                // Not a credential key, append original match
+                result.append(sql, lastEnd, matcher.end());
             }
-
-            matcher.appendReplacement(result, Matcher.quoteReplacement(replacement));
+            lastEnd = matcher.end();
         }
 
-        matcher.appendTail(result);
+        // Append remaining text
+        result.append(sql, lastEnd, sql.length());
         return result.toString();
     }
 

fe/fe-core/src/main/java/com/starrocks/qe/StmtExecutor.java

@@ -34,6 +34,7 @@
 
 package com.starrocks.qe;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
@@ -387,9 +388,16 @@ private RuntimeProfile buildTopLevelProfile() {
                 AstToSQLBuilder.toSQLOrDefault(parsedStmt, originStmt.originStmt);
         if (AuditEncryptionChecker.needEncrypt(parsedStmt)) {
             summaryProfile.addInfoString(ProfileManager.SQL_STATEMENT,
-                    AstToSQLBuilder.toSQLOrDefault(parsedStmt, originStmt.originStmt));
+                    SqlCredentialRedactor.redact(AstToSQLBuilder.toSQLOrDefault(parsedStmt, originStmt.originStmt)));
+        } else if (Config.enable_sql_desensitize_in_log) {
+            String desensitizedSql = AstToSQLBuilder.toSQL(parsedStmt, FormatOptions.allEnable()
+                            .setColumnSimplifyTableName(false)
+                            .setEnableDigest(true))
+                    .orElse("this is a desensitized sql");
+            summaryProfile.addInfoString(ProfileManager.SQL_STATEMENT,
+                    SqlCredentialRedactor.redact(desensitizedSql));
         } else {
-            summaryProfile.addInfoString(ProfileManager.SQL_STATEMENT, sql);
+            summaryProfile.addInfoString(ProfileManager.SQL_STATEMENT, SqlCredentialRedactor.redact(sql));
         }
 
         // Add some import variables in profile
@@ -659,7 +667,7 @@ private ExecPlan generateExecPlan() throws Exception {
             if (e.getType().equals(ErrorType.USER_ERROR)) {
                 throw e;
             } else {
-                LOG.warn("Planner error: " + originStmt.originStmt, e);
+                LOG.warn("Planner error: {}", getRedactedOriginStmtInString(), e);
                 throw e;
             }
         } catch (Exception e) {
@@ -743,14 +751,29 @@ public void execute() throws Exception {
                     execPlan = generateExecPlan();
                 } catch (Exception e) {
                     LOG.warn("Generate exec plan failed for explain stmt: {}",
-                            parsedStmt.getOrigStmt().originStmt, e);
+                            getRedactedOriginStmtInString(), e);
                 }
                 handleExplainExecPlan(execPlan);
                 return;
             }
 
-            // execPlan is the output of planner
-            ExecPlan execPlan = generateExecPlan();
+            // Register as a planning query so it is visible in current_queries during optimization.
+            // The planning entry is removed before handleQueryStmt/handleDMLStmt re-registers
+            // with the real Coordinator, avoiding AlreadyExistsException from putIfAbsent.
+            ExecPlan execPlan;
+            context.setPlanning(true);
+            try {
+                QeProcessorImpl.INSTANCE.registerQuery(context.getExecutionId(),
+                        QeProcessorImpl.QueryInfo.fromPlanningQuery(context, getRedactedOriginStmtInString()));
+            } catch (Exception e) {
+                LOG.warn("Failed to register planning query: {}", DebugUtil.printId(context.getExecutionId()), e);
+            }
+            try {
+                execPlan = generateExecPlan();
+            } finally {
+                context.setPlanning(false);
+                QeProcessorImpl.INSTANCE.unregisterQuery(context.getExecutionId());
+            }
 
             // no need to execute http query dump request in BE
             if (context.isHTTPQueryDump) {
@@ -821,7 +844,7 @@ public void execute() throws Exception {
                                 originStmt = this.originStmt.originStmt;
                             }
                             needRetry = true;
-                            LOG.warn("retry {} times. stmt: {}", (i + 1), originStmt);
+                            LOG.warn("retry {} times. stmt: {}", (i + 1), SqlCredentialRedactor.redact(originStmt));
                         } else {
                             throw e;
                         }
@@ -954,7 +977,7 @@ public void execute() throws Exception {
             String sql = originStmt != null ? originStmt.originStmt : "";
             String truncatedSql = sql.length() > 200 ? sql.substring(0, 200) + "..." : sql;
             LOG.error("LargeInPredicate optimization failed, sql: {}, error: {}. Will retry with" +
-                    " enable_large_in_predicate=false.", truncatedSql, e.getMessage());
+                    " enable_large_in_predicate=false.", SqlCredentialRedactor.redact(truncatedSql), e.getMessage());
             throw e;
         } catch (StarRocksException e) {
             String sql = originStmt != null ? originStmt.originStmt : "";
@@ -1006,7 +1029,8 @@ public void execute() throws Exception {
             context.setSessionVariable(sessionVariableBackup);
 
             if (shouldMarkIdleCheck && originWarehouseId != null) {
-                WarehouseIdleChecker.decreaseRunningSQL(originWarehouseId);
+                WarehouseIdleChecker.decreaseRunningSQL(originWarehouseId,
+                        getRedactedOriginStmtInString());
             }
 
             recordExecStatsIntoContext();
@@ -1520,7 +1544,7 @@ private void handleQueryStmt(ExecPlan execPlan) throws Exception {
         }
 
         QeProcessorImpl.INSTANCE.registerQuery(context.getExecutionId(),
-                new QeProcessorImpl.QueryInfo(context, originStmt.originStmt, coord));
+                new QeProcessorImpl.QueryInfo(context, getRedactedOriginStmtInString(), coord));
 
         if (isSchedulerExplain) {
             coord.execWithoutDeploy();
@@ -2316,7 +2340,7 @@ private void handleDdlStmt() throws DdlException {
                 if (sql == null) {
                     sql = originStmt.originStmt;
                 }
-                LOG.warn("DDL statement (" + sql + ") process failed.", e);
+                LOG.warn("DDL statement ({}) process failed.", SqlCredentialRedactor.redact(sql), e);
             }
             context.setState(e.getQueryState());
         } catch (DdlException | AlterJobException e) {
@@ -2329,7 +2353,7 @@ private void handleDdlStmt() throws DdlException {
             if (sql == null || sql.isEmpty()) {
                 sql = originStmt.originStmt;
             }
-            LOG.warn("DDL statement (" + sql + ") process failed.", e);
+            LOG.warn("DDL statement ({}) process failed.", SqlCredentialRedactor.redact(sql), e);
             context.getState().setError(e.getMessage());
         }
     }
@@ -2535,7 +2559,7 @@ public void handleDMLStmtWithProfile(ExecPlan execPlan, DmlStmt stmt) throws Exc
         try {
             handleDMLStmt(execPlan, stmt);
         } catch (Throwable t) {
-            LOG.warn("DML statement({}) process failed.", originStmt.originStmt, t);
+            LOG.warn("DML statement({}) process failed.", getRedactedOriginStmtInString(), t);
             throw t;
         } finally {
             boolean isAsync = false;
@@ -2589,7 +2613,7 @@ public void handleDMLStmt(ExecPlan execPlan, DmlStmt stmt) throws Exception {
                 context.getState().setOk();
             } catch (QueryStateException e) {
                 if (e.getQueryState().getStateType() != MysqlStateType.OK) {
-                    LOG.warn("DDL statement(" + originStmt.originStmt + ") process failed.", e);
+                    LOG.warn("DDL statement({}) process failed.", getRedactedOriginStmtInString(), e);
                 }
                 context.setState(e.getQueryState());
             }
@@ -2713,8 +2737,8 @@ public void handleDMLStmt(ExecPlan execPlan, DmlStmt stmt) throws Exception {
 
             coord.setLoadJobId(jobId);
             trackingSql = "select tracking_log from information_schema.load_tracking_logs where job_id=" + jobId;
-
-            QeProcessorImpl.QueryInfo queryInfo = new QeProcessorImpl.QueryInfo(context, originStmt.originStmt, coord);
+            QeProcessorImpl.QueryInfo queryInfo =
+                    new QeProcessorImpl.QueryInfo(context, getRedactedOriginStmtInString(), coord);
             QeProcessorImpl.INSTANCE.registerQuery(context.getExecutionId(), queryInfo);
 
             if (isSchedulerExplain) {
@@ -2743,7 +2767,7 @@ public void handleDMLStmt(ExecPlan execPlan, DmlStmt stmt) throws Exception {
                     if (Config.log_plan_cancelled_by_crash_be && context.getQueryDetail() == null) {
                         LOG.warn("Query cancelled by crash of backends [QueryId={}] [SQL={}] [Plan={}]",
                                 DebugUtil.printId(context.getExecutionId()),
-                                originStmt == null ? "" : originStmt.originStmt,
+                                getRedactedOriginStmtInString(),
                                 execPlan.getExplainString(TExplainLevel.COSTS));
                     }
 
@@ -2954,10 +2978,7 @@ public void handleDMLStmt(ExecPlan execPlan, DmlStmt stmt) throws Exception {
             }
         } catch (Throwable t) {
             // if any throwable being thrown during insert operation, first we should abort this txn
-            String failedSql = "";
-            if (originStmt != null && originStmt.originStmt != null) {
-                failedSql = originStmt.originStmt;
-            }
+            String failedSql = getRedactedOriginStmtInString();
             LOG.warn("failed to handle stmt [{}] label: {}", failedSql, label, t);
             String errMsg = t.getMessage();
             if (errMsg == null) {
@@ -3077,6 +3098,15 @@ public String getOriginStmtInString() {
         return originStmt.originStmt;
     }
 
+    @VisibleForTesting
+    String getRedactedOriginStmtInString() {
+        String sql = getOriginStmtInString();
+        if (!SqlCredentialRedactor.mayNeedCredentialRedaction(sql)) {
+            return sql;
+        }
+        return SqlCredentialRedactor.redact(sql);
+    }
+
     public Pair<List<TResultBatch>, Status> executeStmtWithExecPlan(ConnectContext context, ExecPlan plan) {
         List<TResultBatch> sqlResult = Lists.newArrayList();
         try {
@@ -3195,11 +3225,17 @@ public void addRunningQueryDetail(StatementBase parsedStmt) {
         }
 
         try {
-            String sql;
-            if (AuditEncryptionChecker.needEncrypt(parsedStmt)) {
-                sql = AstToSQLBuilder.toSQLOrDefault(parsedStmt, parsedStmt.getOrigStmt().originStmt);
-            } else {
-                sql = parsedStmt.getOrigStmt().originStmt;
+            String originSql = getQueryDetailSql(parsedStmt);
+            boolean needEncrypt = AuditEncryptionChecker.needEncrypt(parsedStmt);
+            String sql = originSql;
+            if (needEncrypt || Config.enable_sql_desensitize_in_log) {
+                sql = AstToSQLBuilder.toSQL(parsedStmt, FormatOptions.allEnable()
+                                .setColumnSimplifyTableName(false)
+                                .setHideCredential(needEncrypt)
+                                .setEnableDigest(Config.enable_sql_desensitize_in_log))
+                        .orElse("this is a desensitized sql");
+            } else if (SqlCredentialRedactor.mayNeedCredentialRedaction(originSql)) {
+                sql = SqlCredentialRedactor.redact(originSql);
             }
 
             boolean isQuery = context.isQueryStmt(parsedStmt);