feat: add shouldRedactCommand

gagik · gagik · commit 7209ba0869b4 · 2025-11-18T12:51:02.000+01:00
diff --git a/packages/mongodb-redact/src/index.spec.ts b/packages/mongodb-redact/src/index.spec.ts
@@ -161,13 +161,82 @@ describe('mongodb-redact', function () {
       expect(res).to.equal('<url>');
     });
 
-    it('should redact MongoDB connection URIs', function () {
-      let res = redact(
-        'mongodb://db1.example.net,db2.example.net:2500/?replicaSet=test&connectTimeoutMS=300000',
-      );
-      expect(res).to.equal('<mongodb uri>');
-      res = redact('mongodb://localhost,localhost:27018,localhost:27019');
-      expect(res).to.equal('<mongodb uri>');
+    describe('MongoDB connection strings', function () {
+      it('should redact MongoDB connection URIs', function () {
+        let res = redact(
+          'mongodb://db1.example.net,db2.example.net:2500/?replicaSet=test&connectTimeoutMS=300000',
+        );
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://localhost,localhost:27018,localhost:27019');
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact MongoDB URIs with credentials', function () {
+        let res = redact('mongodb://user:password@localhost:27017/admin');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://admin:secret123@db.example.com/mydb');
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact MongoDB URIs with special characters in usernames and passwords', function () {
+        let res = redact('mongodb://user:p%40ss!word@localhost:27017/');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://ad!min:te%st#123$@db.example.com:27017/');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://!user:my%20pass@localhost/mydb');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact(
+          'mongodb://user:p&ssw!rd#123@host.com:27017/db?authSource=admin',
+        );
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact MongoDB SRV URIs', function () {
+        let res = redact(
+          'mongodb+srv://user:password@cluster0.example.com/test',
+        );
+        expect(res).to.equal('<mongodb uri>');
+        res = redact(
+          'mongodb+srv://admin:secret@mycluster.mongodb.net/mydb?retryWrites=true',
+        );
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact MongoDB URIs with query parameters', function () {
+        let res = redact(
+          'mongodb://localhost:27017/mydb?ssl=true&replicaSet=rs0',
+        );
+        expect(res).to.equal('<mongodb uri>');
+        res = redact(
+          'mongodb://user:pass@host.com/db?authSource=admin&readPreference=primary',
+        );
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact MongoDB URIs with replica sets', function () {
+        let res = redact(
+          'mongodb://host1:27017,host2:27017,host3:27017/?replicaSet=myReplSet',
+        );
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://user:pass@host1,host2,host3/db?replicaSet=rs0');
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact MongoDB URIs with IP addresses', function () {
+        let res = redact('mongodb://192.168.1.100:27017/mydb');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://user:password@10.0.0.5:27017/admin');
+        expect(res).to.equal('<mongodb uri>');
+      });
+
+      it('should redact simple MongoDB URIs', function () {
+        let res = redact('mongodb://localhost');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://localhost:27017');
+        expect(res).to.equal('<mongodb uri>');
+        res = redact('mongodb://localhost/mydb');
+        expect(res).to.equal('<mongodb uri>');
+      });
     });
 
     it('should redact general linux/unix user paths', function () {
diff --git a/packages/mongodb-redact/src/index.ts b/packages/mongodb-redact/src/index.ts
@@ -46,5 +46,7 @@ export function redact<T>(
   return message;
 }
 
+export { shouldRedactCommand } from './should-redact-command';
+
 export default redact;
 export type { Secret } from './secrets';
diff --git a/packages/mongodb-redact/src/should-redact-command.spec.ts b/packages/mongodb-redact/src/should-redact-command.spec.ts
@@ -0,0 +1,52 @@
+import { expect } from 'chai';
+import { shouldRedactCommand } from '.';
+
+describe('shouldRedactCommand', function () {
+  describe('shouldRedactCommand', function () {
+    it('returns true for createUser commands', function () {
+      expect(shouldRedactCommand('db.createUser({ user: "test" })')).to.be.true;
+    });
+
+    it('returns true for auth commands', function () {
+      expect(shouldRedactCommand('db.auth("user", "pass")')).to.be.true;
+    });
+
+    it('returns true for updateUser commands', function () {
+      expect(shouldRedactCommand('db.updateUser("user", { roles: [] })')).to.be
+        .true;
+    });
+
+    it('returns true for changeUserPassword commands', function () {
+      expect(shouldRedactCommand('db.changeUserPassword("user", "newpass")')).to
+        .be.true;
+    });
+
+    it('returns true for connect commands', function () {
+      expect(shouldRedactCommand('db = connect("mongodb://localhost")')).to.be
+        .true;
+    });
+
+    it('returns true for Mongo constructor', function () {
+      expect(shouldRedactCommand('new Mongo("mongodb://localhost")')).to.be
+        .true;
+    });
+
+    it('returns false for non-sensitive commands', function () {
+      expect(shouldRedactCommand('db.collection.find()')).to.be.false;
+    });
+
+    it('returns false for partial words like "authentication"', function () {
+      // The \b (word boundary) should prevent matching "auth" within "authentication"
+      expect(shouldRedactCommand('db.collection.find({authentication: true})'))
+        .to.be.false;
+    });
+
+    it('returns false for getUsers command', function () {
+      expect(shouldRedactCommand('db.getUsers()')).to.be.false;
+    });
+
+    it('returns false for show commands', function () {
+      expect(shouldRedactCommand('show dbs')).to.be.false;
+    });
+  });
+});
diff --git a/packages/mongodb-redact/src/should-redact-command.ts b/packages/mongodb-redact/src/should-redact-command.ts
@@ -0,0 +1,27 @@
+/**
+ * Regex pattern for commands that contain sensitive information and should be
+ * completely removed from history rather than redacted.
+ *
+ * These commands typically involve authentication or connection strings with credentials.
+ */
+const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUserPassword|connect|Mongo)\b`;
+
+/**
+ * Checks if a mongosh command should be redacted because it often contains sensitive information like credentials.
+ *
+ * @param input - The command string to check
+ * @returns true if the command should be hidden/redacted, false otherwise
+ *
+ * @example
+ * ```typescript
+ * shouldRedactCommand('db.createUser({user: "admin", pwd: "secret"})')
+ * // Returns: true
+ *
+ * shouldRedactCommand('db.getUsers()')
+ * // Returns: false
+ * ```
+ */
+export function shouldRedactCommand(input: string): boolean {
+  const hiddenCommands = new RegExp(HIDDEN_COMMANDS, 'g');
+  return hiddenCommands.test(input);
+}

Original file line number	Diff line number	Diff line change
`@@ -46,5 +46,7 @@ export function redact<T>(`
`46`	`46`	`return message;`
`47`	`47`	`}`
`48`	`48`
	`49`	`+export { shouldRedactCommand } from './should-redact-command';`
	`50`	`+`
`49`	`51`	`export default redact;`
`50`	`52`	`export type { Secret } from './secrets';`