update passwords

blva · blva · commit db75e4f171df · 2025-09-11T09:18:25.000+01:00
diff --git a/src/tools/args.ts b/src/tools/args.ts
@@ -45,4 +45,11 @@ export const AtlasArgs = {
             .min(1, "Region is required")
             .max(50, "Region must be 50 characters or less")
             .regex(/^[a-zA-Z0-9_-]+$/, "Region can only contain letters, numbers, hyphens, and underscores"),
+
+    password: (): z.ZodString =>
+        CommonArgs.string()
+            .min(1, "Password is required")
+            .max(100, "Password must be 100 characters or less")
+            .regex(/^[^/]*$/, "String cannot contain '/'")
+            .regex(/^[a-zA-Z0-9._-]+$/, "Password can only contain letters, numbers, dots, hyphens, and underscores"),
 };
diff --git a/src/tools/atlas/create/createDBUser.ts b/src/tools/atlas/create/createDBUser.ts
@@ -13,8 +13,7 @@ export const CreateDBUserArgs = {
     // Models will generate overly simplistic passwords like SecurePassword123 or
     // AtlasPassword123, which are easily guessable and exploitable. We're instructing
     // the model not to try and generate anything and instead leave the field unset.
-    password: z
-        .string()
+    password: AtlasArgs.password()
         .optional()
         .nullable()
         .describe(
diff --git a/tests/unit/args.test.ts b/tests/unit/args.test.ts
@@ -309,6 +309,26 @@ describe("Tool args", () => {
                 );
             });
         });
+
+        describe("password", () => {
+            it("should validate valid passwords", () => {
+                const schema = AtlasArgs.password().optional();
+                const validPasswords = ["password123", "password_123", "Password123", "test-password-123"];
+                validPasswords.forEach((password) => {
+                    expect(schema.parse(password)).toBe(password);
+                });
+                expect(schema.parse(undefined)).toBeUndefined();
+            });
+
+            it("should reject invalid passwords", () => {
+                const schema = AtlasArgs.password();
+                expect(() => schema.parse("")).toThrow("Password is required");
+                expect(() => schema.parse("a".repeat(101))).toThrow("Password must be 100 characters or less");
+                expect(() => schema.parse("invalid password")).toThrow(
+                    "Password can only contain letters, numbers, dots, hyphens, and underscores"
+                );
+            });
+        });
     });
 
     describe("Edge Cases and Security", () => {
