Type: Bug
Resolution: Gone away
Priority: Major - P3
Affects Version/s: 1.11.7
Component/s: None
Go Drivers
Detailed steps to reproduce the problem?
When we accidentally had a bad character in a connection string, the parser failed (yay!) but logged the full connection string (not yay!). The username and password were included. This should be secure information. Once it was in our logs... not so secret anymore.
I was trying to follow the description in https://jira.mongodb.org/browse/GODRIVER-3092
I'm not sure if this is a viable fix for us, without testing it first. I don't even see the part of the parser that returns the error code I see reported.
Here are the steps, though.
1. Set the conn string uri to "mongodb+srv://username:password@myatlas-0.xxxnnn.mongodb.net/collection\n"
2. Call connString, err := connstring.Parse(uri)
3. Find logged error:
error: parse "mongodb+srv://username:password@myatlas-0.xxxnnn.mongodb.net/collection\n": net/url: invalid control character in URL
level: error
Definition of done: what must be done to consider the task complete?
Please don't log connection credentials in error strings
The exact Go version used, with patch level:
$ go version
1.20
The exact version of the Go driver used:
$ go list -m go.mongodb.org/mongo-driver
1.11.7
Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.
Atlas.
The operating system and version (e.g. Windows 7, OSX 10.8, ...)
Linux? Does it matter?
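
Added example (not part of the original ticket and not the driver's code): the logged text above has the shape of Go's `*url.Error`, whose message quotes the whole input URI. Using `url.Parse` as an assumed stand-in for the driver's parser, and the hypothetical helpers `redactURI` and `sanitize`, this shows one way to strip the userinfo before the error reaches a logger.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// redactURI masks everything between the scheme and the last '@'. It uses
// string operations only, because the input is a URI that failed to parse.
// Cutting at the last '@' may over-redact, which is the safe direction.
func redactURI(uri string) string {
	at := strings.LastIndex(uri, "@")
	if at < 0 {
		return uri // no userinfo present
	}
	prefix := ""
	if i := strings.Index(uri, "://"); i >= 0 && i < at {
		prefix = uri[:i+3]
	}
	return prefix + "REDACTED" + uri[at:]
}

// sanitize rebuilds a *url.Error with a redacted URL field and keeps the
// underlying cause, so errors.Is and errors.Unwrap still work on the result.
func sanitize(err error) error {
	var uerr *url.Error
	if errors.As(err, &uerr) {
		return &url.Error{Op: uerr.Op, URL: redactURI(uerr.URL), Err: uerr.Err}
	}
	return err
}

// demo parses the URI from the reproduction steps (constructed input,
// trailing newline included) and returns the raw and sanitized errors.
func demo() (raw, safe error) {
	uri := "mongodb+srv://username:password@myatlas-0.xxxnnn.mongodb.net/collection\n"
	_, err := url.Parse(uri) // assumption: stands in for the driver's parser
	return err, sanitize(err)
}

func main() {
	raw, safe := demo()
	fmt.Println("raw:      ", raw)
	fmt.Println("sanitized:", safe)
}
```

The inner cause can still quote short pieces of the input (for example a bad percent-escape), so where even that is unacceptable, log a fixed message instead.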