Go Driver / GODRIVER-3134

URL Parser logs connection credentials when invalid characters are encountered

    • Type: Bug
    • Resolution: Gone away
    • Priority: Major - P3
    • Affects Version/s: 1.11.7
    • Component/s: None
    • Go Drivers

      Detailed steps to reproduce the problem?

      When we accidentally had a bad character in a connection string, the parser failed (yay!) but logged the full connection string (not yay!).  The username and password were included.  This should be secure information.  Once it was in our logs... not so secret anymore.

      I was trying to follow the description in https://jira.mongodb.org/browse/GODRIVER-3092
      I'm not sure if this is a viable fix for us, without testing it first.  I don't even see the part of the parser that returns the error code I see reported.

      Here are the steps, though.
      1. Set the conn string URI to "mongodb+srv://username:password@myatlas-0.xxxnnn.mongodb.net/collection\n"
      2. Call connString, err := connstring.Parse(uri)
      3. Find the logged error:
         error: parse "mongodb+srv://username:password@myatlas-0.xxxnnn.mongodb.net/collection\n": net/url: invalid control character in URL
         level: error

      Definition of done: what must be done to consider the task complete?

      Please don't log connection credentials in error strings

      The exact Go version used, with patch level:

      $ go version 

      1.20

      The exact version of the Go driver used:

      $ go list -m go.mongodb.org/mongo-driver
      1.11.7

      Describe how MongoDB is set up. Local vs Hosted, version, topology, load balanced, etc.

      Atlas.

      The operating system and version (e.g. Windows 7, OSX 10.8, ...)

      Linux? Does it matter?

      Security Vulnerabilities

      If you’ve identified a security vulnerability in a driver or any other MongoDB project, please report it according to the instructions here

            Assignee:
            matt.dale@mongodb.com Matt Dale
            Reporter:
            richard.gerrard@qlik.com Richard Gerrard
            Votes:
            0
            Watchers:
            4

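The error text in step 3 has the format of a `*url.Error` from Go's `net/url`, whose message embeds the URL it was asked to parse. The following is an added example, not code from the driver or from the reporter: one way for calling code to mask the userinfo before such an error reaches a log. `redactUserinfo`, `sanitizeErr` and `parseURI` are hypothetical names, and the URI is the constructed one from the report.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// redactUserinfo (hypothetical helper) masks everything between "://" and the
// last "@". It works on the raw string because the URI may be unparseable, and
// it over-redacts rather than guess where a malformed userinfo ends.
func redactUserinfo(raw string) string {
	start := strings.Index(raw, "://")
	if start < 0 {
		return "<redacted URI>" // unknown shape: drop it entirely
	}
	start += len("://")
	at := strings.LastIndex(raw[start:], "@")
	if at < 0 {
		return raw // no userinfo present
	}
	return raw[:start] + "xxxxx" + raw[start+at:]
}

// sanitizeErr returns an error that is safe to log. If err is or wraps a
// *url.Error, only that error is kept, with its URL field redacted; outer
// wrappers are dropped because their text may repeat the URI.
func sanitizeErr(err error) error {
	var uerr *url.Error
	if errors.As(err, &uerr) {
		return &url.Error{Op: uerr.Op, URL: redactUserinfo(uerr.URL), Err: uerr.Err}
	}
	return err
}

// parseURI (hypothetical) stands in for any code path that hands the
// connection string to net/url and returns the error to a caller that logs it.
func parseURI(uri string) error {
	_, err := url.Parse(uri)
	return sanitizeErr(err)
}

func main() {
	// Constructed URI from the report: valid except for the trailing newline.
	uri := "mongodb+srv://username:password@myatlas-0.xxxnnn.mongodb.net/collection\n"
	_, err := url.Parse(uri)
	fmt.Println("raw:      ", err)
	fmt.Println("sanitized:", parseURI(uri))
}
```

The sanitized error keeps the operation, host and underlying cause, so the log line still identifies the failure without the username or password.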