  1. Go Driver
  2. GODRIVER-1086

Can leak creds through errors from URI Parsing

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical - P2
    • 1.0.3
    • Affects Version/s: 1.0.2
    • Component/s: Error Handling
    • Labels:

      When a URI parsing error is encountered, the return is the URI (conn string) and the parse error. The error contains, in the message, the URI passed to the parse function. Downstream consumers of the driver do not necessarily have that implementation detail and may pass the error on further downstream. Since the URI may contain sensitive information (passwords), these errors may inadvertently leak credentials.

      https://github.com/mongodb/mongo-go-driver/blob/c2a43c080082db26ed2d6fb44026ce1d00a983a7/x/mongo/driver/connstring/connstring.go#L29

            Assignee:
            isabella.siu@mongodb.com Isabella Siu (Inactive)
            Reporter:
            scott.lhommedieu@mongodb.com Scott L'Hommedieu (Inactive)
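The leak described in this issue, next to one way to avoid it, as an added example that is not the driver's own code or its actual fix. The function names, the sample URI and the error text are constructed for illustration; `validate` is a hypothetical stand-in for the real parser.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

const sample = "mongodb://appuser:S3cr3t/pw@/inventory" // constructed: no host

var errMissingHost = errors.New("must have at least 1 host") // constructed message

// validate is a hypothetical stand-in for the parser; it only checks for a host.
func validate(uri string) error {
	rest := strings.TrimPrefix(uri, "mongodb://")
	rest = rest[strings.LastIndex(rest, "@")+1:] // drop userinfo, if any
	if rest == "" || rest[0] == '/' {
		return errMissingHost
	}
	return nil
}

// parseLeaky puts the raw URI in the error message, the pattern reported here.
func parseLeaky(uri string) error {
	if err := validate(uri); err != nil {
		return fmt.Errorf("error parsing uri (%s): %w", uri, err)
	}
	return nil
}

// userinfo matches an optional scheme, then everything up to the last "@".
var userinfo = regexp.MustCompile(`(?s)^([a-zA-Z][a-zA-Z0-9+.-]*://)?.*@`)

// redactURI works on the string itself, so it also covers URIs that fail to
// parse. It over-redacts on purpose when "@" appears outside the userinfo.
func redactURI(uri string) string {
	return userinfo.ReplaceAllString(uri, "${1}REDACTED@")
}

// parseSafe reports the same failure but only ever formats the redacted URI.
func parseSafe(uri string) error {
	if err := validate(uri); err != nil {
		return fmt.Errorf("error parsing uri (%s): %w", redactURI(uri), err)
	}
	return nil
}

func main() { fmt.Printf("%v\n%v\n", parseLeaky(sample), parseSafe(sample)) }
```

Because the cause is wrapped with `%w`, callers can still branch on it with `errors.Is` without the message ever carrying the password.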