
Commit 4d0517b

committed
feat: add shouldRedactCommand
1 parent 93b40a8 commit 4d0517b


2 files changed

+79
-0
lines changed

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
import { expect } from 'chai';
2+
import { shouldRedactCommand } from '.';
3+
4+
describe('shouldRedactCommand', function () {
5+
describe('shouldRedactCommand', function () {
6+
it('returns true for createUser commands', function () {
7+
expect(shouldRedactCommand('db.createUser({ user: "test" })')).to.be.true;
8+
});
9+
10+
it('returns true for auth commands', function () {
11+
expect(shouldRedactCommand('db.auth("user", "pass")')).to.be.true;
12+
});
13+
14+
it('returns true for updateUser commands', function () {
15+
expect(shouldRedactCommand('db.updateUser("user", { roles: [] })')).to.be
16+
.true;
17+
});
18+
19+
it('returns true for changeUserPassword commands', function () {
20+
expect(shouldRedactCommand('db.changeUserPassword("user", "newpass")')).to
21+
.be.true;
22+
});
23+
24+
it('returns true for connect commands', function () {
25+
expect(shouldRedactCommand('db = connect("mongodb://localhost")')).to.be
26+
.true;
27+
});
28+
29+
it('returns true for Mongo constructor', function () {
30+
expect(shouldRedactCommand('new Mongo("mongodb://localhost")')).to.be
31+
.true;
32+
});
33+
34+
it('returns false for non-sensitive commands', function () {
35+
expect(shouldRedactCommand('db.collection.find()')).to.be.false;
36+
});
37+
38+
it('returns false for partial words like "authentication"', function () {
39+
// The \b (word boundary) should prevent matching "auth" within "authentication"
40+
expect(shouldRedactCommand('db.collection.find({authentication: true})'))
41+
.to.be.false;
42+
});
43+
44+
it('returns false for getUsers command', function () {
45+
expect(shouldRedactCommand('db.getUsers()')).to.be.false;
46+
});
47+
48+
it('returns false for show commands', function () {
49+
expect(shouldRedactCommand('show dbs')).to.be.false;
50+
});
51+
});
52+
});
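Review bot: The positive cases cover only the shell helper forms; nothing pins the raw command form or a near-miss identifier, which are the inputs most likely to regress if the pattern is edited later. Add `expect(shouldRedactCommand('db.runCommand({ createUser: "u", pwd: "p" })')).to.be.true;` and `expect(shouldRedactCommand('db.getMongo()')).to.be.false;`, plus one test that calls the function twice with the same input and expects `true` both times. The inner `describe('shouldRedactCommand', ...)` duplicates the outer one and can be dropped.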
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
/**
2+
* Regex pattern for commands that contain sensitive information and should be
3+
* completely removed from history rather than redacted.
4+
*
5+
* These commands typically involve authentication or connection strings with credentials.
6+
*/
7+
const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUserPassword|connect|Mongo)\b`;
8+
9+
/**
10+
* Checks if a mongosh command should be redacted because it often contains sensitive information like credentials.
11+
*
12+
* @param input - The command string to check
13+
* @returns true if the command should be hidden/redacted, false otherwise
14+
*
15+
* @example
16+
* ```typescript
17+
* shouldRedactCommand('db.createUser({user: "admin", pwd: "secret"})')
18+
* // Returns: true
19+
*
20+
* shouldRedactCommand('db.getUsers()')
21+
* // Returns: false
22+
* ```
23+
*/
24+
export function shouldRedactCommand(input: string): boolean {
25+
const hiddenCommands = new RegExp(HIDDEN_COMMANDS, 'g');
26+
return hiddenCommands.test(input);
27+
}
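Review bot: The `g` flag in `new RegExp(HIDDEN_COMMANDS, 'g')` serves no purpose for a single `.test()` and makes the regex stateful through `lastIndex`; it is safe today only because a new RegExp is built on every call. If the regex is ever hoisted to a module constant, a call that follows a successful match can return false and that command would stay in history. Suggest a literal without the flag, `const HIDDEN_COMMANDS = /\b(createUser|auth|updateUser|changeUserPassword|connect|Mongo)\b/;` with `return HIDDEN_COMMANDS.test(input);`. The TSDoc should also say that `false` only means none of the six names appeared, so a line such as a variable assignment holding a credentialed URI still needs the ordinary redaction pass, and the two comments should agree on whether the command is removed or redacted.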
