fix(logging): handle credential redaction in some cases with special characters MONGOSH-2991 (#2581)

Author: gagik

package-lock.json

@@ -87,30 +87,31 @@
     "js-yaml": "^4.1.0",
     "mongodb-connection-string-url": "^3.0.2",
     "mongodb-log-writer": "^2.4.3",
+    "mongodb-redact": "^1.3.0",
     "numeral": "^2.0.6",
     "pretty-repl": "^4.0.1",
     "semver": "^7.5.4",
     "strip-ansi": "^6.0.0",
     "text-table": "^0.2.0",
-    "yargs-parser": "^20.2.4",
-    "glibc-version": "^1.0.0"
+    "glibc-version": "^1.0.0",
+    "yargs-parser": "^20.2.4"
   },
   "devDependencies": {
-    "mongodb": "^6.19.0",
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/sbom-tools": "^0.8.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "@types/ansi-escape-sequences": "^4.0.0",
+    "@types/chai-as-promised": "^7.1.3",
     "@types/js-yaml": "^4.0.5",
     "@types/node": "^22.15.30",
     "@types/numeral": "^2.0.2",
     "@types/text-table": "^0.2.1",
     "@types/yargs-parser": "^15.0.0",
-    "@types/chai-as-promised": "^7.1.3",
     "chai-as-promised": "^7.1.1",
     "depcheck": "^1.4.7",
     "eslint": "^7.25.0",
+    "mongodb": "^6.19.0",
     "mongodb-crypt-library-dummy": "^1.0.2",
     "prettier": "^2.8.8",
     "webpack-merge": "^5.8.0"

packages/cli-repl/package.json

@@ -3,15 +3,14 @@ import {
   MongoshRuntimeError,
   MongoshWarning,
 } from '@mongosh/errors';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString, redact } from 'mongodb-redact';
 import i18n from '@mongosh/i18n';
 import type { AutoEncryptionOptions } from '@mongosh/service-provider-core';
 import { EJSON, ObjectId } from 'bson';
 import { NodeDriverServiceProvider } from '@mongosh/service-provider-node-driver';
 import type { CliOptions, DevtoolsConnectOptions } from '@mongosh/arg-parser';
 import { SnippetManager } from '@mongosh/snippet-manager';
 import { Editor } from '@mongosh/editor';
-import { redactSensitiveData } from '@mongosh/history';
 import type { Analytics as SegmentAnalytics } from '@segment/analytics-node';
 import askpassword from 'askpassword';
 import { EventEmitter, once } from 'events';
@@ -306,7 +305,7 @@ export class CliRepl implements MongoshIOProvider {
       'Starting log',
       {
         execPath: process.execPath,
-        envInfo: redactSensitiveData(this.getLoggedEnvironmentVariables()),
+        envInfo: redact(this.getLoggedEnvironmentVariables()),
         ...(await buildInfo()),
       }
     );
@@ -905,7 +904,7 @@ export class CliRepl implements MongoshIOProvider {
       this.output.write(
         i18n.__(CONNECTING) +
           '\t\t' +
-          this.clr(redactURICredentials(driverUri), 'mongosh:uri') +
+          this.clr(redactConnectionString(driverUri), 'mongosh:uri') +
           '\n'
       );
     }

packages/cli-repl/src/cli-repl.ts

@@ -23,7 +23,7 @@ import { getStoragePaths, getGlobalConfigPaths } from './config-directory';
 import { getCryptLibraryPaths } from './crypt-library-paths';
 import { getTlsCertificateSelector } from './tls-certificate-selector';
 import { applyPacProxyS390XPatch } from './pac-proxy-s390x-patch';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString } from 'mongodb-redact';
 import { generateConnectionInfoFromCliArgs } from '@mongosh/arg-parser';
 import askcharacter from 'askcharacter';
 import { PassThrough } from 'stream';
@@ -218,7 +218,7 @@ async function main() {
       driverInfo: { name: 'mongosh', version },
     };
 
-    const title = `mongosh ${redactURICredentials(
+    const title = `mongosh ${redactConnectionString(
       connectionInfo.connectionString
     )}`;
     process.title = title;

packages/cli-repl/src/run.ts

@@ -1,7 +1,7 @@
 import assert from 'assert';
 import { promises as fs } from 'fs';
 import { once } from 'events';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString } from 'mongodb-redact';
 import fleSmokeTestScript from './smoke-tests-fle';
 import { baseBuildInfo, buildInfo } from './build-info';
 import escapeRegexp from 'escape-string-regexp';
@@ -469,7 +469,7 @@ async function runSmokeTest({
     stderr: includeStderr ? stderr : '',
     executable,
     actualExitCode,
-    args: args.map((arg) => redactURICredentials(arg)),
+    args: args.map((arg) => redactConnectionString(arg)),
   };
   try {
     assert.match(includeStderr ? `${stdout}\n${stderr}` : stdout, output);

packages/cli-repl/src/smoke-tests.ts

@@ -35,16 +35,14 @@
     "unitTestsOnly": true
   },
   "dependencies": {
-    "mongodb-connection-string-url": "^3.0.2",
-    "mongodb-redact": "^1.1.5"
+    "mongodb-redact": "^1.3.0"
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "depcheck": "^1.4.7",
     "eslint": "^7.25.0",
-    "mongodb-connection-string-url": "^3.0.2",
     "prettier": "^2.8.8"
   }
 }

packages/history/package.json

@@ -1,6 +1,4 @@
-import redactSensitiveData from 'mongodb-redact';
-
-export const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUserPassword|connect|Mongo)\b`;
+import { shouldRedactCommand, redact } from 'mongodb-redact';
 
 /**
  * Modifies the most recent command in history based on sensitive information.
@@ -11,16 +9,13 @@ export const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUs
  */
 export function changeHistory(
   history: string[],
-  redact: 'redact-sensitive-data' | 'keep-sensitive-data'
+  redactMode: 'redact-sensitive-data' | 'keep-sensitive-data'
 ): void {
   if (history.length === 0) return;
-  const hiddenCommands = new RegExp(HIDDEN_COMMANDS, 'g');
 
-  if (hiddenCommands.test(history[0])) {
+  if (shouldRedactCommand(history[0])) {
     history.shift();
-  } else if (redact === 'redact-sensitive-data') {
-    history[0] = redactSensitiveData(history[0]);
+  } else if (redactMode === 'redact-sensitive-data') {
+    history[0] = redact(history[0]);
   }
 }
-
-export { redactSensitiveData };

packages/history/src/history.ts

@@ -1,2 +1 @@
-export { changeHistory, redactSensitiveData, HIDDEN_COMMANDS } from './history';
-export { redactConnectionString as redactURICredentials } from 'mongodb-connection-string-url';
+export { changeHistory } from './history';

packages/history/src/index.ts

@@ -20,10 +20,9 @@
     "@mongodb-js/device-id": "^0.2.1",
     "@mongodb-js/devtools-connect": "^3.9.4",
     "@mongosh/errors": "2.4.4",
-    "@mongosh/history": "2.4.9",
     "@mongosh/types": "^3.14.0",
     "mongodb-log-writer": "^2.4.3",
-    "mongodb-redact": "^1.1.5",
+    "mongodb-redact": "^1.3.0",
     "native-machine-id": "^0.1.1"
   },
   "devDependencies": {

packages/logging/package.json

@@ -1132,6 +1132,54 @@ describe('MongoshLoggingAndTelemetry', function () {
     expect(analyticsOutput).to.be.empty;
   });
 
+  it('redacts logging of sensitive commands', async function () {
+    loggingAndTelemetry.attachLogger(logger);
+    await (loggingAndTelemetry as LoggingAndTelemetry).setupTelemetryPromise;
+
+    expect(logOutput).to.have.lengthOf(0);
+
+    // Test that sensitive commands are redacted
+    bus.emit('mongosh:evaluate-input', {
+      input: 'db.createUser({user: "admin", pwd: "password", roles: []})',
+    });
+    bus.emit('mongosh:evaluate-input', { input: 'db.auth("user", "pass")' });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'db.updateUser("user", {pwd: "newpass"})',
+    });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'db.changeUserPassword("user", "newpass")',
+    });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'connect("mongodb://user:pass@localhost/")',
+    });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'new Mongo("mongodb://user:pass@localhost/")',
+    });
+
+    // Test that non-sensitive commands are still logged
+    bus.emit('mongosh:evaluate-input', { input: 'db.getUsers()' });
+    bus.emit('mongosh:evaluate-input', { input: 'show dbs' });
+
+    // Should only have logged the non-sensitive commands
+    expect(logOutput).to.have.lengthOf(8);
+    expect(logOutput[0].msg).to.equal('Evaluating input');
+    expect(logOutput[0].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[1].msg).to.equal('Evaluating input');
+    expect(logOutput[1].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[2].msg).to.equal('Evaluating input');
+    expect(logOutput[2].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[3].msg).to.equal('Evaluating input');
+    expect(logOutput[3].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[4].msg).to.equal('Evaluating input');
+    expect(logOutput[4].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[5].msg).to.equal('Evaluating input');
+    expect(logOutput[5].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[6].msg).to.equal('Evaluating input');
+    expect(logOutput[6].attr.input).to.equal('db.getUsers()');
+    expect(logOutput[7].msg).to.equal('Evaluating input');
+    expect(logOutput[7].attr.input).to.equal('show dbs');
+  });
+
   it('tracks custom logging events', async function () {
     expect(logOutput).to.have.lengthOf(0);
     expect(analyticsOutput).to.be.empty;