[SERVER-30997] mongo cli --password is masked, but not when using mongodb:// connection string
Created: 07/Sep/17  Updated: 30/Oct/23  Resolved: 30/Jul/18

Status: Closed
Project: Core Server
Component/s: Tools
Affects Version/s: 3.4.7
Fix Version/s: 3.6.9, 4.0.3, 4.1.2

Type: Improvement Priority: Minor - P4
Reporter: Aaron Queen Assignee: Jonathan Reams
Resolution: Fixed Votes: 0
Labels: mongo, security, tools
Environment:

Linux


Issue Links:
Backports
Depends
Related
related to SERVER-36744 Command-line redaction in the shell m... Closed
is related to TOOLS-1782 Mask password from being displayed in... Closed
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.0, v3.6, v3.4
Sprint: Platforms 2018-07-30
Linked BF Score: 0

 Description   

When using the following:

$ mongo --host 127.0.0.1 --user admin --password superSecret12345
$ ps auxww | grep mongo
$ mongo mongodb://admin:superSecret12345@127.0.0.1/
$ ps auxww | grep mongo

You see that the --password value has been masked with "x" characters, so you don't easily expose the password to others. However, when connecting using the mongodb:// connection string, which is still waiting to be documented (DOCS-9033), the password is not masked.

With the mongodb:// method, the password is also leaked into the stdout of the CLI when it displays "connecting to: mongodb://admin:superSecret12345@127.0.0.1/"

I believe these should be masked in the same way, so the password is never displayed in the running process cmdline or in the stdout line displayed saying it is connecting.
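
An added example, not part of the report and not the code from the commits linked in the comments: a sketch in C of masking the password of a connection string in place in argv, the same "x" overwrite the report describes for --password, so that on Linux both the process listing and the "connecting to:" line show the masked value. The function name mask_uri_password is hypothetical, and the sketch masks only the password, not URI options.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite the password of a mongodb:// or mongodb+srv:// URI with 'x'
 * in place, keeping its length, so the argv memory read by ps no longer
 * holds it. Returns the number of bytes masked (0 = nothing to mask).
 * Assumes reserved characters in the credentials are percent-encoded,
 * as the connection string format requires. */
size_t mask_uri_password(char *arg)
{
    static const char *schemes[] = { "mongodb://", "mongodb+srv://" };
    char *rest = NULL;
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (strncmp(arg, schemes[i], n) == 0) {
            rest = arg + n;
            break;
        }
    }
    if (rest == NULL)
        return 0;                      /* not a connection string */

    /* Credentials end at the last '@' before the first '/' or '?'. */
    size_t authority_len = strcspn(rest, "/?");
    char *at = NULL;
    for (char *p = rest; p < rest + authority_len; p++)
        if (*p == '@')
            at = p;
    if (at == NULL)
        return 0;                      /* no credentials in the URI */

    char *colon = memchr(rest, ':', (size_t)(at - rest));
    if (colon == NULL)
        return 0;                      /* username without a password */

    size_t len = (size_t)(at - colon) - 1;
    memset(colon + 1, 'x', len);
    return len;
}

int main(int argc, char **argv)
{
    /* Mask first, so both the process listing and the banner are clean. */
    for (int i = 1; i < argc; i++)
        mask_uri_password(argv[i]);
    for (int i = 1; i < argc; i++)
        printf("connecting to: %s\n", argv[i]);
    return 0;
}
```

Masking shortens the exposure but does not remove it: the original value is readable from process start until the overwrite runs, and it can still end up in shell history.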



 Comments   
Comment by Githook User [ 24/Sep/18 ]

Author:

{'name': 'Ian Boros', 'email': 'ian.boros@10gen.com'}

Message: SERVER-30997 fix error code

(cherry picked from commit 40a611d43c5a33f72066ffcf26708e43bbd4cd16)
Branch: v3.6
https://github.com/mongodb/mongo/commit/5ad044f08a123fd46ee0d0aefcb92feb65bc9808

Comment by Githook User [ 24/Sep/18 ]

Author:

{'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'}

Message: SERVER-30997 Redact passwords and options from MongoURI in shell command line

(cherry picked from commit 35898a0c48b0bb1bcb0a69f7db646d2fda4ec5de)
Branch: v3.6
https://github.com/mongodb/mongo/commit/0127c73e91466d592419d01504800f0d599ec66f

Comment by Githook User [ 24/Sep/18 ]

Author:

{'name': 'Ian Boros', 'email': 'ian.boros@10gen.com'}

Message: SERVER-30997 fix error code

(cherry picked from commit 40a611d43c5a33f72066ffcf26708e43bbd4cd16)
Branch: v4.0
https://github.com/mongodb/mongo/commit/69dd60bb3937d2663c397e1e28238c4f63f02c5b

Comment by Githook User [ 24/Sep/18 ]

Author:

{'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'}

Message: SERVER-30997 Redact passwords and options from MongoURI in shell command line

(cherry picked from commit 35898a0c48b0bb1bcb0a69f7db646d2fda4ec5de)
Branch: v4.0
https://github.com/mongodb/mongo/commit/61ec2c71ccf85655581df077518843c6d191027c

Comment by Githook User [ 30/Jul/18 ]

Author:

{'name': 'Ian Boros', 'email': 'ian.boros@10gen.com'}

Message: SERVER-30997 fix error code
Branch: master
https://github.com/mongodb/mongo/commit/40a611d43c5a33f72066ffcf26708e43bbd4cd16

Comment by Githook User [ 30/Jul/18 ]

Author:

{'name': 'Jonathan Reams', 'email': 'jbreams@mongodb.com', 'username': 'jbreams'}

Message: SERVER-30997 Redact passwords and options from MongoURI in shell command line
Branch: master
https://github.com/mongodb/mongo/commit/35898a0c48b0bb1bcb0a69f7db646d2fda4ec5de

Comment by Ramon Fernandez Marina [ 09/Sep/17 ]

Thanks for your report, aqueen. I tried reproducing in macOS with the latest development version and in both cases the password is not masked. Sending to the Platform team for consideration.

Regards,
Ramón.
