Go Driver / GODRIVER-3062

Scram Authenticator will add password string to error message

    • Type: Bug
    • Resolution: Fixed
    • Priority: Unknown
    • Fix Version/s: 1.13.2
    • Affects Version/s: 1.9.1, 1.13.0
    • Component/s: Authentication
    • Labels: None
    • Documentation Changes: Not Needed


      Detailed steps to reproduce the problem?

      You can reproduce the problem by adding an invalid character (`\n`) to the password:

      package main

      import (
          "fmt"

          "go.mongodb.org/mongo-driver/mongo"
          "go.mongodb.org/mongo-driver/mongo/options"
      )

      func main() {
          // A newline is a SASLprep-prohibited character, so authenticator setup fails.
          cred := options.Credential{
              Username: "example@example.com",
              Password: "badpassword\n",
          }
          opts := options.
              Client().
              ApplyURI("mongodb://localhost:1234").
              SetAuth(cred)
          _, err := mongo.NewClient(opts)
          fmt.Println(err) // the error text echoes the password
      }

      The error you see is:

      could not create client, err: failed to create internal authenticator: error SASLprepping password 'badpassword
      ': prohibited character (rune: '\u000a')

      It looks like the culprit is this line.

      Definition of done: what must be done to consider the task complete?

      The error containing the password is propagated all the way up to the calling consumer, who then does not want to have to scrub passwords from their logs, or to lose vital information about what is going wrong. I would leave in the error returned from `stringprep.SASLprep.Prepare(cred.Password)` but not add the password to the error string.

      The exact Go version used, with patch level:

      1.21.4

      The exact version of the Go driver used:

      v1.9.1 (problem still in latest)


            Assignee: Qingyang Hu (qingyang.hu@mongodb.com)
            Reporter: Matthew Hezzlewood (mhezzlewood@slb.com)
            Votes: 0
            Watchers: 3