[GODRIVER-3062] Scram Authenticator will add password string to error message Created: 28/Nov/23  Updated: 07/Feb/24  Resolved: 04/Jan/24

Status: Closed
Project: Go Driver
Component/s: Authentication
Affects Version/s: 1.9.1, 1.13.0
Fix Version/s: 1.13.2

Type: Bug Priority: Unknown
Reporter: Matthew Hezzlewood Assignee: Qingyang Hu
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to GODRIVER-216 SCRAM-SHA-256 Support Closed
Documentation Changes: Not Needed
Documentation Changes Summary:



Description

Detailed steps to reproduce the problem?

You can reproduce the problem by adding an invalid character (`\n`) in the password

package main

import (
	"fmt"

	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)

func main() {
	cred := options.Credential{
		Username: "example@example.com",
		Password: "badpassword\n", // '\n' is a SASLprep-prohibited character
	}
	opts := options.Client().
		ApplyURI("mongodb://localhost:1234").
		SetAuth(cred)
	_, err := mongo.NewClient(opts) // fails while building the authenticator, before connecting
	fmt.Println(err)
}

The error you see is:

could not create client, err: failed to create internal authenticator: error SASLprepping password 'badpassword
                            ': prohibited character (rune: '\u000a')

It looks like the culprit is this line

Definition of done: what must be done to consider the task complete?

The error containing the password is propagated all the way up to the calling consumer, who then doesn't want to have to scrub their logs of passwords and lose out on vital information on what is going wrong. I would leave in the error returned from `stringprep.SASLprep.Prepare(cred.Password)` but not add the password to the error string.

The exact Go version used, with patch level:

1.21.4

The exact version of the Go driver used:

v1.9.1 (problem still in latest)

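To make the leak and the proposed fix concrete, the following added example (not the driver's code) reproduces the pattern with a stand-in for stringprep.SASLprep.Prepare that only rejects control characters; newAuthenticatorLeaky interpolates the password into the error as the ticket describes, newAuthenticatorFixed keeps the wrapped cause and the offending rune but drops the secret. The names, the errProhibited sentinel and saslPrepCheck are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// errProhibited stands in for the error a SASLprep implementation returns on a prohibited code point (constructed).
var errProhibited = errors.New("prohibited character")

// saslPrepCheck is a minimal stand-in for stringprep.SASLprep.Prepare: it only rejects control runes such as '\n'.
func saslPrepCheck(s string) (string, error) {
	for _, r := range s {
		if unicode.IsControl(r) {
			return "", fmt.Errorf("%w (rune: %q)", errProhibited, r)
		}
	}
	return s, nil
}

// newAuthenticatorLeaky wraps the cause together with the raw password: the secret reaches the caller's logs.
func newAuthenticatorLeaky(password string) error {
	if _, err := saslPrepCheck(password); err != nil {
		return fmt.Errorf("error SASLprepping password '%s': %w", password, err)
	}
	return nil
}

// newAuthenticatorFixed keeps the underlying error (and its rune) but never puts the password in the message.
func newAuthenticatorFixed(password string) error {
	if _, err := saslPrepCheck(password); err != nil {
		return fmt.Errorf("error SASLprepping password: %w", err)
	}
	return nil
}

// leaksSecret reports whether an error message exposes the given secret.
func leaksSecret(err error, secret string) bool {
	return err != nil && strings.Contains(err.Error(), secret)
}

func main() {
	const pw = "badpassword\n" // constructed sample credential
	fmt.Printf("leaky: %q\n", newAuthenticatorLeaky(pw).Error())
	fmt.Printf("fixed: %q\n", newAuthenticatorFixed(pw).Error())
}
```

The fixed variant still satisfies errors.Is(err, errProhibited) and reports the rune, so the operator keeps the diagnostic value without the secret.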



Comments
Comment by Githook User [ 07/Feb/24 ]

Author:

{'name': 'Qingyang Hu', 'email': '103950869+qingyang-hu@users.noreply.github.com', 'username': 'qingyang-hu'}

Message: GODRIVER-3062 Remove password string from error message. (#1547)
Branch: v1
https://github.com/mongodb/mongo-go-driver/commit/751c147a00c919163a4f21286b3ec3af0413e324

Comment by Githook User [ 04/Jan/24 ]

Author:

{'name': 'Qingyang Hu', 'email': '103950869+qingyang-hu@users.noreply.github.com', 'username': 'qingyang-hu'}

Message: GODRIVER-3062 Remove password string from error message. (#1508)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/cee488eb40bac434a31974e401156d8d71d2d9c6

Comment by PM Bot [ 28/Nov/23 ]

Hi mhezzlewood@slb.com, thank you for reporting this issue! The team will look into it and get back to you soon.

Generated at Thu Feb 08 08:39:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.