[JAVA-3093] Connection string is displayed with password in logs if it contains an invalid key
Created: 14/Nov/18  Updated: 28/Oct/23  Resolved: 15/Nov/18

Status: Closed
Project: Java Driver
Component/s: Security
Affects Version/s: 3.6.4, 3.7.1, 3.9.0
Fix Version/s: 3.9.1

Type: Bug
Priority: Major - P3
Reporter: Ravi Natesan
Assignee: Jeffrey Yemin
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Minor Change

 Description   

Sample Code to recreate:

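import com.mongodb.MongoClientURI;

// 'adsada' is not a supported option, so parsing the URI triggers the warning shown below
String mongoUriString = "mongodb://username123:password123@abcmongo1.cloud,abcmongo2.cloud,abcmongo3.cloud/database123?replicaSet=mongorepl1&adsada=1000";

MongoClientURI mongoClientURI = new MongoClientURI(mongoUriString);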

The above code will log,

2018-11-14 15:18:53.692 WARN docgen — [ost-startStop-1] org.mongodb.driver.uri : Unsupported option 'adsada' in the connection string 'mongodb://username123:password123@abcmongo1.cloud,abcmongo2.cloud,abcmongo3.cloud/database123?replicaSet=mongorepl1&adsada=1000'.

 

I think we should not be logging the connection string in the log.



 Comments   
Comment by Ravi Natesan [ 15/Nov/18 ]

Thanks Jeff for fixing it quickly!!

Comment by Githook User [ 15/Nov/18 ]

Author:

{'name': 'Jeff Yemin', 'email': 'jeff.yemin@10gen.com', 'username': 'jyemin'}

Message: Remove connection string from log message

A connection string containing an unsupported option generates a log
message at warning level to the "org.mongodb.driver.uri" component. The
log message contains the full connection string. As the connection
string may contain the credentials used to authenticate, it should not
be logged. This commit removes the full connection string from the log
message, and instead just logs the name of the unsupported option.

JAVA-3093
Branch: 3.9.x
https://github.com/mongodb/mongo-java-driver/commit/dc3c177693d41b0495c9ca3b5d094fb9c3a23bf5

Comment by Githook User [ 15/Nov/18 ]

Author:

{'name': 'Jeff Yemin', 'email': 'jeff.yemin@10gen.com', 'username': 'jyemin'}

Message: Remove connection string from log message

A connection string containing an unsupported option generates a log
message at warning level to the "org.mongodb.driver.uri" component. The
log message contains the full connection string. As the connection
string may contain the credentials used to authenticate, it should not
be logged. This commit removes the full connection string from the log
message, and instead just logs the name of the unsupported option.

JAVA-3093
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/be043577c9529d487783349f9688372f37818004
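
An added example, not the driver's code or the linked commits: a stand-alone Java illustration of the approach the commit message describes (warn with the option name only), plus a password-masking helper for log lines that must show a URI. The class name, the `SUPPORTED` allow-list, both method names and the exact message text are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

class UriOptionWarnings {
    // Assumption: a tiny illustrative allow-list, not the driver's real option table.
    static final Set<String> SUPPORTED = Set.of("replicaset", "ssl", "authsource");

    /** One warning per unsupported option, naming only the option key, never the URI. */
    static List<String> unsupportedOptionWarnings(String uri) {
        List<String> warnings = new ArrayList<>();
        int q = uri.indexOf('?');
        if (q < 0) return warnings;
        for (String pair : uri.substring(q + 1).split("[&;]")) {
            String key = pair.split("=", 2)[0];
            if (!key.isEmpty() && !SUPPORTED.contains(key.toLowerCase(Locale.ROOT))) {
                warnings.add("Unsupported option '" + key + "' in the connection string.");
            }
        }
        return warnings;
    }

    /** Masks the password for log lines that have to show a URI at all. */
    static String redact(String uri) {
        int start = uri.indexOf("://");
        if (start < 0) return "<unparseable connection string>";
        start += 3;
        int end = uri.length();                       // end of the host section
        for (char c : new char[] {'/', '?'}) {
            int i = uri.indexOf(c, start);
            if (i >= 0 && i < end) end = i;
        }
        int at = uri.lastIndexOf('@', end - 1);       // userinfo ends at the last '@'
        if (at < start) return uri;                   // no credentials in the URI
        int colon = uri.indexOf(':', start);
        if (colon < 0 || colon > at) return uri;      // user name only, no password
        return uri.substring(0, colon + 1) + "<redacted>" + uri.substring(at);
    }

    public static void main(String[] args) {
        // Constructed sample with the same shape as the URI in the report.
        String uri = "mongodb://username123:password123@abcmongo1.cloud,abcmongo2.cloud"
                + "/database123?replicaSet=mongorepl1&adsada=1000";
        unsupportedOptionWarnings(uri).forEach(System.out::println);
        System.out.println(redact(uri));
    }
}
```

`redact` relies on the user name and password being percent-encoded, which the MongoDB connection string format requires for reserved characters.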
