Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Critical - P2
Fix Version/s: 1.0.3
Affects Version/s: 1.0.2
Component/s: Error Handling
Labels:
- security

Confidence Status:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

When a URI Parsing error is encountered the return is the URI (conn string) and the parse error. The error contains, in the message, the URI passed to the parse function. Downstream consumers of the driver do not necessarily have that implementation detail and may pass the error on further downstream. Since the URI may contain sensitive information (passwords) these errors may inadvertently leak credentials.

https://github.com/mongodb/mongo-go-driver/blob/c2a43c080082db26ed2d6fb44026ce1d00a983a7/x/mongo/driver/connstring/connstring.go#L29

backported by

GODRIVER-1087 Backport "Can leak creds through errors from URI Parsing"

Closed

Assignee:: Isabella Siu (Inactive)
Reporter:: Scott L'Hommedieu (Inactive)
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: May 22 2019 11:44:59 PM UTC
Updated:: Oct 28 2023 11:38:48 AM UTC
Resolved:: May 24 2019 07:20:14 PM UTC
Confidence Status Last Update:: 23/May/19 8:13 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates