-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: Connection String
-
None
-
(copied to CRM)
-
Fully Compatible
-
Java Drivers
-
Not Needed
-
Summary
The following malformed connection string throws an IllegalArgumentException that contains sensitive data in its message.
MongoClient mongoClient = MongoClients.create("mongodb+srv://tse:foo/@localhost");
or
ConnectionString connectionString = new ConnectionString("mongodb+srv://tse:foo/@localhost");
Exception in thread "main" java.lang.IllegalArgumentException: The connection string contains an invalid host 'tse:foo'. The port 'foo' is not a valid, it must be an integer between 0 and 65535
at com.mongodb.ConnectionString.validatePort(ConnectionString.java:1189)
at com.mongodb.ConnectionString.parseHosts(ConnectionString.java:1169)
at com.mongodb.ConnectionString.<init>(ConnectionString.java:396)
at com.mongodb.ConnectionString.<init>(ConnectionString.java:321)
...
This can cause the sensitive data to be logged by the application.
How to Reproduce
Instantiate a MongoClient or ConnectionString using a password containing a forward slash that is not properly URL encoded.
- is related to
-
-
- Closed
-
-
DRIVERS-2950 Drivers connection string parsing logic can print secrets in logs.
-
- Backlog
-