Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Fixed
Priority: Minor - P4
Fix Version/s: 3.6.9, 4.0.3, 4.1.2
Affects Version/s: 3.4.7
Component/s: Tools
Labels:
- mongo
- security
- tools
Environment:
Linux

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.0, v3.6, v3.4
Sprint:
Platforms 2018-07-30
Linked BF Score:
0
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

When using the following:

$ mongo --host 127.0.0.1 --user admin --password superSecret12345
$ ps auxww | grep mongo
$ mongo mongodb://admin:superSecret12345@127.0.0.1/
$ ps auxww | grep mongo

You see that --password value has been masked with "x" characters, so you don't easily expose the password to others. However, when connecting using the mongodb:// connection string, which is still waiting to be documented ( DOCS-9033 ) , the password is not masked.

In the mongodb:// method as well, the password is also leaked into the stdout of the cli when it displays "connecting to: mongodb://admin:superSecret12345@127.0.0.1/"

I believe these should be masked in the same way, so the password is never displayed in the running process cmdline or in the stdout line displayed saying it is connecting.

is related to

TOOLS-1782 Mask password from being displayed in process list

Closed

related to

SERVER-36744 Command-line redaction in the shell misses some common cases

Closed

Assignee:: Jonathan Reams
Reporter:: Aaron Queen
Participants:: Aaron Queen, Githook User, Jonathan Reams, Ramon Fernandez Marina
Votes:: 0 Vote for this issue
Watchers:: 10 Start watching this issue

Created:: Sep 07 2017 09:26:20 PM UTC
Updated:: Oct 30 2023 11:13:45 PM UTC
Resolved:: Jul 30 2018 03:51:47 PM UTC
Confidence Status Last Update:: 23/Jul/18 8:06 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates