- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Connection String
Summary
The following malformed connection string throws an IllegalArgumentException that contains sensitive data in its message.
MongoClient mongoClient = MongoClients.create("mongodb+srv://tse:foo/@localhost");
or
ConnectionString connectionString = new ConnectionString("mongodb+srv://tse:foo/@localhost");
Exception in thread "main" java.lang.IllegalArgumentException: The connection string contains an invalid host 'tse:foo'. The port 'foo' is not a valid, it must be an integer between 0 and 65535
    at com.mongodb.ConnectionString.validatePort(ConnectionString.java:1189)
    at com.mongodb.ConnectionString.parseHosts(ConnectionString.java:1169)
    at com.mongodb.ConnectionString.<init>(ConnectionString.java:396)
    at com.mongodb.ConnectionString.<init>(ConnectionString.java:321)
    ...
This can cause the sensitive data to be logged by the application.
How to Reproduce
Instantiate a MongoClient or ConnectionString using a password containing a forward slash that is not properly URL encoded.
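An application-side mitigation, as an added example that is not part of the original report or the driver's code: percent-encode the credentials before building the URI, and replace the parser's exception with one that carries no URI fragments. The class and method names are hypothetical, the values are constructed, `mongodb://` with a local host is used so no SRV lookup is needed, and `URLEncoder.encode(String, Charset)` assumes Java 10 or later.

```java
import com.mongodb.ConnectionString;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example: SafeConnectionString, encode() and build() are hypothetical names.
public final class SafeConnectionString {

    // Percent-encode one userinfo component (user name or password).
    static String encode(String raw) {
        // URLEncoder produces form encoding, where a space becomes "+".
        // A literal "+" in the input is already "%2B", so every remaining "+" is a space.
        return URLEncoder.encode(raw, StandardCharsets.UTF_8).replace("+", "%20");
    }

    static ConnectionString build(String user, String password, String hostsAndOptions) {
        String uri = "mongodb://" + encode(user) + ":" + encode(password) + "@" + hostsAndOptions;
        try {
            return new ConnectionString(uri);
        } catch (IllegalArgumentException e) {
            // Drop the original message and cause: as the trace above shows, the
            // parser's message can quote fragments of the URI, including credentials.
            throw new IllegalArgumentException(
                    "MongoDB connection string rejected (parser details suppressed)");
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the password holds the '/' from the report.
        ConnectionString ok = build("tse", "foo/", "localhost:27017");
        System.out.println("password round-trips: "
                + Arrays.equals(ok.getPassword(), "foo/".toCharArray()));

        try {
            build("tse", "foo/", "localhost:notaport"); // constructed invalid port
        } catch (IllegalArgumentException e) {
            System.out.println("logged: " + e.getMessage());
        }
    }
}
```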
Is related to:
- PYTHON-4588 Connection string parser allows invalid passwords, prints passwords (Closed)
- DRIVERS-2950 Drivers connection string parsing logic can print secrets in logs. (Backlog)