CSHARP-2749: Driver should hide credentials in exception message.

DmitryLukyanov · DmitryLukyanov · commit 10b6d102f2c5 · 2019-10-14T23:42:42.000+03:00
diff --git a/src/MongoDB.Driver.Core/Core/Configuration/ConnectionString.cs b/src/MongoDB.Driver.Core/Core/Configuration/ConnectionString.cs
@@ -778,16 +778,17 @@ private void Parse()
                 var invalidPercentPattern = @"%$|%.$|%[^0-9a-fA-F]|%[0-9a-fA-F][^0-9a-fA-F]";
                 if (Regex.IsMatch(_originalConnectionString, invalidPercentPattern))
                 {
-                    var message = string.Format("The connection string '{0}' contains an invalid '%' escape sequence.",
-                        _originalConnectionString);
+                    var protectedConnectionString = protectConnectionString(_originalConnectionString);
+                    var message = $"The connection string '{protectedConnectionString}' contains an invalid '%' escape sequence.";
                     throw new MongoConfigurationException(message);
                 }
             }
 
             var match = Regex.Match(_originalConnectionString, pattern);
             if (!match.Success)
             {
-                var message = string.Format("The connection string '{0}' is not valid.", _originalConnectionString);
+                var protectedConnectionString = protectConnectionString(_originalConnectionString);
+                var message = $"The connection string '{protectedConnectionString}' is not valid.";
                 throw new MongoConfigurationException(message);
             }
 
@@ -801,6 +802,12 @@ private void Parse()
             {
                 throw new MongoConfigurationException("This is an invalid w and journal pair.");
             }
+
+            string protectConnectionString(string connectionString)
+            {
+                var protectedString = Regex.Replace(connectionString, @"(?<=://)[^/]*(?=@)", "<hidden>");
+                return protectedString;
+            }
         }
 
         private void ParseOption(string name, string value)
diff --git a/tests/MongoDB.Driver.Core.Tests/Core/Configuration/ConnectionStringTests.cs b/tests/MongoDB.Driver.Core.Tests/Core/Configuration/ConnectionStringTests.cs
@@ -466,6 +466,20 @@ public void When_compressor_is_specified_with_unsupported_value_the_value_should
             subject.Compressors.Should().BeEmpty();
         }
 
+        [Theory]
+        [InlineData("mongodb://nam!@#$%^&*())e:password@localhost", "mongodb://<hidden>@localhost")]
+        [InlineData("://nam!@#$%^&*())e:password@loc", "://<hidden>@loc")]
+        [InlineData("://nam!@#$%^&*())e@loc", "://<hidden>@loc")]
+        [InlineData("mongodb://nameloc@", "mongodb://<hidden>@")]
+        [InlineData("mongodb+srv://nameloc@", "mongodb+srv://<hidden>@")]
+        [InlineData("ongodb://username:password@localhost/?replicaSet=@x", "ongodb://<hidden>@localhost/?replicaSet=@x")]
+        public void When_connectionstring_invalid_security_data_should_be_protected(string connectionString, string protectedConnectionString)
+        {
+            var exception = Record.Exception(() => new ConnectionString(connectionString));
+            var e = exception.Should().BeOfType<MongoConfigurationException>().Subject;
+            e.Message.Should().StartWith($"The connection string '{protectedConnectionString}'");
+        }
+
         [Theory]
         [InlineData("mongodb://localhost?connect=automatic", ClusterConnectionMode.Automatic)]
         [InlineData("mongodb://localhost?connect=direct", ClusterConnectionMode.Direct)]

Original file line number	Diff line number	Diff line change
`@@ -778,16 +778,17 @@ private void Parse()`
`778`	`778`	`var invalidPercentPattern = @"%$\|%.$\|%[^0-9a-fA-F]\|%[0-9a-fA-F][^0-9a-fA-F]";`
`779`	`779`	`if (Regex.IsMatch(_originalConnectionString, invalidPercentPattern))`
`780`	`780`	`{`
`781`		`- var message = string.Format("The connection string '{0}' contains an invalid '%' escape sequence.",`
`782`		`- _originalConnectionString);`
	`781`	`+ var protectedConnectionString = protectConnectionString(_originalConnectionString);`
	`782`	`+ var message = $"The connection string '{protectedConnectionString}' contains an invalid '%' escape sequence.";`
`783`	`783`	`throw new MongoConfigurationException(message);`
`784`	`784`	`}`
`785`	`785`	`}`
`786`	`786`
`787`	`787`	`var match = Regex.Match(_originalConnectionString, pattern);`
`788`	`788`	`if (!match.Success)`
`789`	`789`	`{`
`790`		`- var message = string.Format("The connection string '{0}' is not valid.", _originalConnectionString);`
	`790`	`+ var protectedConnectionString = protectConnectionString(_originalConnectionString);`
	`791`	`+ var message = $"The connection string '{protectedConnectionString}' is not valid.";`
`791`	`792`	`throw new MongoConfigurationException(message);`
`792`	`793`	`}`
`793`	`794`
`@@ -801,6 +802,12 @@ private void Parse()`
`801`	`802`	`{`
`802`	`803`	`throw new MongoConfigurationException("This is an invalid w and journal pair.");`
`803`	`804`	`}`
	`805`	`+`
	`806`	`+ string protectConnectionString(string connectionString)`
	`807`	`+ {`
	`808`	`+ var protectedString = Regex.Replace(connectionString, @"(?<=://)[^/]*(?=@)", "<hidden>");`
	`809`	`+ return protectedString;`
	`810`	`+ }`
`804`	`811`	`}`
`805`	`812`
`806`	`813`	`private void ParseOption(string name, string value)`