Refs #32061 -- Added test for dbshell password leak on PostgreSQL.

2 files changed, 16 insertions, 0 deletions

diff --git a/tests/dbshell/fake_client.py b/tests/dbshell/fake_client.py
new file mode 100755
index 0000000000..70451f302a
--- /dev/null
+++ b/tests/dbshell/fake_client.py
@@ -0,0 +1,3 @@
+import sys
+
+sys.exit(1)
diff --git a/tests/dbshell/test_postgresql.py b/tests/dbshell/test_postgresql.py
index aad9692ecb..4d8804e43e 100644
--- a/tests/dbshell/test_postgresql.py
+++ b/tests/dbshell/test_postgresql.py
@@ -1,4 +1,7 @@
 import signal
+import subprocess
+import sys
+from pathlib import Path
 from unittest import mock, skipUnless
 
 from django.db import connection
@@ -113,3 +116,13 @@ class PostgreSqlDbshellCommandTestCase(SimpleTestCase):
             connection.client.runshell([])
         # dbshell restores the original handler.
         self.assertEqual(sigint_handler, signal.getsignal(signal.SIGINT))
+
+    def test_crash_password_does_not_leak(self):
+        # The password doesn't leak in an exception that results from a client
+        # crash.
+        args, env = self.settings_to_cmd_args_env({'PASSWORD': 'somepassword'}, [])
+        fake_client = Path(__file__).with_name('fake_client.py')
+        args[0:1] = [sys.executable, str(fake_client)]
+        with self.assertRaises(subprocess.CalledProcessError) as ctx:
+            subprocess.run(args, check=True, env=env)
+        self.assertNotIn('somepassword', str(ctx.exception))