feat(mongodb-react): add shouldRedactCommand, redactUriCredentials MONGOSH-2991 (#599)

Author: gagik

package-lock.json

@@ -28,7 +28,7 @@ export function hookLogger(
   emitter: ConnectLogEmitter,
   log: MongoLogWriter,
   contextPrefix: string,
-  redactURICredentials: (uri: string) => string,
+  redactConnectionString: (uri: string) => string,
 ): void {
   oidcHookLogger(emitter, log, contextPrefix);
   proxyHookLogger(emitter, log, contextPrefix);
@@ -44,7 +44,7 @@ export function hookLogger(
         'Initiating connection attempt',
         {
           ...ev,
-          uri: redactURICredentials(ev.uri),
+          uri: redactConnectionString(ev.uri),
         },
       );
     },
@@ -119,7 +119,7 @@ export function hookLogger(
         `${contextPrefix}-connect`,
         'Resolving SRV record failed',
         {
-          from: redactURICredentials(ev.from),
+          from: redactConnectionString(ev.from),
           error: ev.error?.message,
           duringLoad: ev.duringLoad,
           resolutionDetails: ev.resolutionDetails,
@@ -138,8 +138,8 @@ export function hookLogger(
         `${contextPrefix}-connect`,
         'Resolving SRV record succeeded',
         {
-          from: redactURICredentials(ev.from),
-          to: redactURICredentials(ev.to),
+          from: redactConnectionString(ev.from),
+          to: redactConnectionString(ev.to),
           resolutionDetails: ev.resolutionDetails,
           durationMs: ev.durationMs,
         },

packages/devtools-connect/src/log-hook.ts

@@ -71,6 +71,7 @@
     "typescript": "^5.0.4"
   },
   "dependencies": {
-    "regexp.escape": "^2.0.1"
+    "regexp.escape": "^2.0.1",
+    "mongodb-connection-string-url": "^3.0.1 || ^7.0.0"
   }
 }

packages/mongodb-redact/package.json

@@ -46,5 +46,8 @@ export function redact<T>(
   return message;
 }
 
+export { shouldRedactCommand } from './should-redact-command';
+export { redactConnectionString } from './redact-connection-string';
+
 export default redact;
 export type { Secret } from './secrets';

packages/mongodb-redact/src/index.ts

@@ -0,0 +1,173 @@
+import { expect } from 'chai';
+import { redactConnectionString } from './redact-connection-string';
+import redact from '.';
+
+describe('redactConnectionString', function () {
+  const testCases: Array<{
+    description: string;
+    input: string;
+    expected: string;
+  }> = [
+    {
+      description: 'should redact username and password',
+      input: 'mongodb://user:password@localhost:27017/admin',
+      expected: 'mongodb://<credentials>@localhost:27017/admin',
+    },
+    {
+      description: 'should redact only username when no password',
+      input: 'mongodb://user@localhost:27017/admin',
+      expected: 'mongodb://<credentials>@localhost:27017/admin',
+    },
+    {
+      description: 'should redact credentials in SRV URIs',
+      input: 'mongodb+srv://admin:[email protected]/test',
+      expected: 'mongodb+srv://<credentials>@cluster0.example.com/test',
+    },
+    {
+      description: 'should redact passwords with ! character',
+      input: 'mongodb://user:p@ss!word@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should redact passwords with # character',
+      input: 'mongodb://admin:test#[email protected]:27017/',
+      expected: 'mongodb://<credentials>@db.example.com:27017/',
+    },
+    {
+      description: 'should redact passwords with $ character',
+      input: 'mongodb://user:price$100@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should redact passwords with % character',
+      input: 'mongodb://user:test%pass@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should redact passwords with & character',
+      input: 'mongodb://user:rock&roll@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should redact URL-encoded passwords',
+      input: 'mongodb://user:my%20password@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description:
+        'should redact complex passwords with multiple special characters',
+      input: 'mongodb://user:p&ssw!rd#[email protected]:27017/db?authSource=admin',
+      expected: 'mongodb://<credentials>@host.com:27017/db?authSource=admin',
+    },
+    {
+      description: 'should redact usernames with special characters',
+      input: 'mongodb://us!er:password@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should return URI unchanged when no credentials',
+      input: 'mongodb://localhost:27017/admin',
+      expected: 'mongodb://localhost:27017/admin',
+    },
+    {
+      description: 'should handle simple localhost URI',
+      input: 'mongodb://localhost',
+      expected: 'mongodb://localhost/',
+    },
+    {
+      description: 'should handle URI with database',
+      input: 'mongodb://localhost/mydb',
+      expected: 'mongodb://localhost/mydb',
+    },
+    {
+      description: 'should handle URI with query parameters',
+      input: 'mongodb://localhost:27017/mydb?ssl=true&replicaSet=rs0',
+      expected: 'mongodb://localhost:27017/mydb?ssl=true&replicaSet=rs0',
+    },
+    // URIs with replica sets
+    {
+      description: 'should redact credentials in replica set URIs',
+      input:
+        'mongodb://user:pass@host1:27017,host2:27017,host3:27017/db?replicaSet=rs0',
+      expected:
+        'mongodb://<credentials>@host1:27017,host2:27017,host3:27017/db?replicaSet=rs0',
+    },
+    {
+      description: 'should handle replica set URIs without credentials',
+      input:
+        'mongodb://host1:27017,host2:27017,host3:27017/?replicaSet=myReplSet',
+      expected:
+        'mongodb://host1:27017,host2:27017,host3:27017/?replicaSet=myReplSet',
+    },
+    // URIs with IP addresses
+    {
+      description: 'should redact credentials with IP address host',
+      input: 'mongodb://user:[email protected]:27017/mydb',
+      expected: 'mongodb://<credentials>@192.168.1.100:27017/mydb',
+    },
+    {
+      description: 'should handle IP address URIs without credentials',
+      input: 'mongodb://10.0.0.5:27017/admin',
+      expected: 'mongodb://10.0.0.5:27017/admin',
+    },
+    // SRV URIs
+    {
+      description: 'should handle SRV URIs without credentials',
+      input: 'mongodb+srv://cluster0.example.com/test',
+      expected: 'mongodb+srv://cluster0.example.com/test',
+    },
+    // URIs with query parameters
+    {
+      description: 'should redact credentials and preserve query parameters',
+      input:
+        'mongodb://user:[email protected]/db?authSource=admin&readPreference=primary',
+      expected:
+        'mongodb://<credentials>@host.com/db?authSource=admin&readPreference=primary',
+    },
+    {
+      description: 'should handle URIs with SSL options',
+      input:
+        'mongodb://admin:secret@localhost:27017/mydb?ssl=true&tlsAllowInvalidCertificates=true',
+      expected:
+        'mongodb://<credentials>@localhost:27017/mydb?ssl=true&tlsAllowInvalidCertificates=true',
+    },
+    {
+      description: 'should redact credentials in SRV URIs with query params',
+      input:
+        'mongodb+srv://admin:[email protected]/mydb?retryWrites=true',
+      expected:
+        'mongodb+srv://<credentials>@mycluster.mongodb.net/mydb?retryWrites=true',
+    },
+    // Edge cases
+    {
+      description: 'should handle empty password',
+      input: 'mongodb://user:@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description:
+        'should handle password with only special characters (URL-encoded)',
+      input: 'mongodb://user:%21%40%23%24%25@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should handle very long passwords',
+      input: `mongodb://user:${'a'.repeat(100)}@localhost:27017/`,
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+    {
+      description: 'should handle international characters in password',
+      input: 'mongodb://user:пароль@localhost:27017/',
+      expected: 'mongodb://<credentials>@localhost:27017/',
+    },
+  ];
+
+  testCases.forEach(({ description, input, expected }) => {
+    it(description, function () {
+      const result = redactConnectionString(input);
+      expect(result).to.equal(expected);
+
+      expect(redact(input)).to.equal('<mongodb uri>');
+    });
+  });
+});

packages/mongodb-redact/src/redact-connection-string.spec.ts

@@ -0,0 +1,5 @@
+import { redactConnectionString as redactConnectionStringImpl } from 'mongodb-connection-string-url';
+
+export function redactConnectionString(uri: string): string {
+  return redactConnectionStringImpl(uri);
+}

packages/mongodb-redact/src/redact-connection-string.ts

@@ -0,0 +1,28 @@
+import { expect } from 'chai';
+import { shouldRedactCommand } from '.';
+
+describe('shouldRedactCommand', function () {
+  for (const command of [
+    'db.createUser({ user: "test" })',
+    'db.auth("user", "pass")',
+    'db.updateUser("user", { roles: [] })',
+    'db.changeUserPassword("user", "newpass")',
+    'db = connect("mongodb://localhost")',
+    'new Mongo("mongodb://localhost")',
+  ]) {
+    it(`returns true for ${command}`, function () {
+      expect(shouldRedactCommand(command)).to.be.true;
+    });
+  }
+
+  for (const command of [
+    'db.collection.find()',
+    'db.collection.find({authentication: true})',
+    'db.getUsers()',
+    'show dbs',
+  ]) {
+    it(`returns false for ${command}`, function () {
+      expect(shouldRedactCommand(command)).to.be.false;
+    });
+  }
+});

packages/mongodb-redact/src/should-redact-command.spec.ts

@@ -0,0 +1,27 @@
+/**
+ * Regex pattern for commands that contain sensitive information and should be
+ * completely removed from history rather than redacted.
+ *
+ * These commands typically involve authentication or connection strings with credentials.
+ */
+const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUserPassword|connect|Mongo)\b`;
+
+/**
+ * Checks if a mongosh command should be redacted because it often contains sensitive information like credentials.
+ *
+ * @param input - The command string to check
+ * @returns true if the command should be hidden/redacted, false otherwise
+ *
+ * @example
+ * ```typescript
+ * shouldRedactCommand('db.createUser({user: "admin", pwd: "secret"})')
+ * // Returns: true
+ *
+ * shouldRedactCommand('db.getUsers()')
+ * // Returns: false
+ * ```
+ */
+export function shouldRedactCommand(input: string): boolean {
+  const hiddenCommands = new RegExp(HIDDEN_COMMANDS, 'g');
+  return hiddenCommands.test(input);
+}