Slightly better

docker/test/stateless/run.sh

@@ -124,6 +124,11 @@ then
     export CONNECTION_PARAMETERS="--secure --user ci --host ${CLICKHOUSE_CI_LOGS_HOST} --password ${CLICKHOUSE_CI_LOGS_PASSWORD}"
 
     /repository/utils/export-logs-in-ci/setup.sh
+
+    # Unset variables after use
+    export CONNECTION_PARAMETERS=''
+    export CLICKHOUSE_CI_LOGS_HOST=''
+    export CLICKHOUSE_CI_LOGS_PASSWORD=''
 fi
 
 # TODO what is this? Remove it.

tests/ci/functional_test_check.py

@@ -384,6 +384,20 @@ def main():
 
     ch_helper = ClickHouseHelper()
 
+    # Cleanup run log from the credentials of CI logs database.
+    # Note: a malicious user can still print them by splitting the value into parts.
+    # But we will be warned when a malicious user modifies CI script.
+    # Although they can also print them from inside tests.
+    # Nevertheless, the credentials of the CI logs have limited scope
+    # and does not provide access to sensitive info.
+
+    ci_logs_host = os.getenv("CLICKHOUSE_CI_LOGS_HOST");
+    ci_logs_password = os.getenv("CLICKHOUSE_CI_LOGS_PASSWORD");
+    subprocess.check_call(
+        f"sed -i -r -e 's!{ci_logs_host}!CLICKHOUSE_CI_LOGS_HOST!g; s!{ci_logs_password}!CLICKHOUSE_CI_LOGS_PASSWORD!g;' '{run_log_path}'",
+        shell=True
+    )
+
     report_url = upload_results(
         s3_helper,
         pr_info.number,