chore(mongodb-redact): redact special character cases for password MONGOSH-2991

gagik · gagik · commit e909b9bc0893 · 2025-11-17T13:15:43.000+01:00
diff --git a/packages/mongodb-redact/src/secrets.spec.ts b/packages/mongodb-redact/src/secrets.spec.ts
@@ -93,4 +93,57 @@ describe('dictionary-based secret redaction', function () {
       usr: '<user>',
     });
   });
+
+  describe('special characters in passwords', function () {
+    it('redacts passwords at start, end, or entire string', function () {
+      expect(
+        redact('!start is pwd', [{ value: '!start', kind: 'password' }]),
+      ).to.equal('<password> is pwd');
+
+      expect(
+        redact('pwd is end!', [{ value: 'end!', kind: 'password' }]),
+      ).to.equal('pwd is <password>');
+
+      expect(
+        redact('The password is !@#$%', [{ value: '!@#$%', kind: 'password' }]),
+      ).to.equal('The password is <password>');
+    });
+
+    it('redacts a special-character only connection string', function () {
+      const secret = '!#!!';
+      const content = 'Connection string: mongodb://user:!#!!@localhost:27017/';
+
+      const redacted = redact(content, [{ value: secret, kind: 'password' }]);
+
+      expect(redacted).to.equal(
+        'Connection string: <mongodb uri><password>@localhost:27017/',
+      );
+    });
+
+    for (const { char, password } of [
+      { char: '.', password: 'test.pass' },
+      { char: '*', password: 'test*pass' },
+      { char: '+', password: 'test+pass' },
+      { char: '?', password: 'test?pass' },
+      { char: '[', password: 'test[123]' },
+      { char: '(', password: 'test(abc)' },
+      { char: '|', password: 'test|pass' },
+      { char: '\\', password: 'test\\pass' },
+      { char: '^', password: '^test123' },
+      { char: '$', password: 'test$123' },
+      { char: '@', password: 'user@123' },
+      { char: '#', password: 'pass#word' },
+      { char: '%', password: 'test%20' },
+      { char: '&', password: 'rock&roll' },
+      { char: 'լավ', password: 'լավ' },
+    ]) {
+      it(`redacts passwords with ${char}`, function () {
+        const content = `pwd: ${password} end`;
+        const redacted = redact(content, [
+          { value: password, kind: 'password' },
+        ]);
+        expect(redacted).to.equal('pwd: <password> end');
+      });
+    }
+  });
 });
diff --git a/packages/mongodb-redact/src/secrets.ts b/packages/mongodb-redact/src/secrets.ts
@@ -32,7 +32,10 @@ export function redactSecretsOnString<T extends string>(
       );
     }
 
-    const regex = new RegExp(`\\b${escape(value)}\\b`, 'g');
+    // Escape the value for use in regex and use negative lookahead/lookbehind
+    // to match secrets not surrounded by word characters
+    const escapedValue = escape(value);
+    const regex = new RegExp(`(?<!\\w)${escapedValue}(?!\\w)`, 'g');
     result = result.replace(regex, `<${kind}>`) as T;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,10 @@ export function redactSecretsOnString<T extends string>(`
`32`	`32`	`);`
`33`	`33`	`}`
`34`	`34`
`35`		- const regex = new RegExp(`\\b${escape(value)}\\b`, 'g');
	`35`	`+ // Escape the value for use in regex and use negative lookahead/lookbehind`
	`36`	`+ // to match secrets not surrounded by word characters`
	`37`	`+ const escapedValue = escape(value);`
	`38`	+ const regex = new RegExp(`(?<!\\w)${escapedValue}(?!\\w)`, 'g');
`36`	`39`	result = result.replace(regex, `<${kind}>`) as T;
`37`	`40`	`}`
`38`	`41`