CSHARP-2749: Driver should hide credentials in exception message.

DmitryLukyanov · rstam · commit bff931c1cca8 · 2019-10-16T10:39:40.000-04:00
diff --git a/src/MongoDB.Driver.Core/Core/Configuration/ConnectionString.cs b/src/MongoDB.Driver.Core/Core/Configuration/ConnectionString.cs
@@ -776,16 +776,17 @@ private void Parse()
                 var invalidPercentPattern = @"%$|%.$|%[^0-9a-fA-F]|%[0-9a-fA-F][^0-9a-fA-F]";
                 if (Regex.IsMatch(_originalConnectionString, invalidPercentPattern))
                 {
-                    var message = string.Format("The connection string '{0}' contains an invalid '%' escape sequence.",
-                        _originalConnectionString);
+                    var protectedConnectionString = protectConnectionString(_originalConnectionString);
+                    var message = $"The connection string '{protectedConnectionString}' contains an invalid '%' escape sequence.";
                     throw new MongoConfigurationException(message);
                 }
             }
 
             var match = Regex.Match(_originalConnectionString, pattern);
             if (!match.Success)
             {
-                var message = string.Format("The connection string '{0}' is not valid.", _originalConnectionString);
+                var protectedConnectionString = protectConnectionString(_originalConnectionString);
+                var message = $"The connection string '{protectedConnectionString}' is not valid.";
                 throw new MongoConfigurationException(message);
             }
 
@@ -799,6 +800,12 @@ private void Parse()
             {
                 throw new MongoConfigurationException("This is an invalid w and journal pair.");
             }
+
+            string protectConnectionString(string connectionString)
+            {
+                var protectedString = Regex.Replace(connectionString, @"(?<=://)[^/]*(?=@)", "<hidden>");
+                return protectedString;
+            }
         }
 
         private void ParseOption(string name, string value)
diff --git a/tests/MongoDB.Driver.Core.Tests/Core/Configuration/ConnectionStringTests.cs b/tests/MongoDB.Driver.Core.Tests/Core/Configuration/ConnectionStringTests.cs
@@ -462,6 +462,20 @@ public void When_compressor_is_specified_with_unsupported_value_the_value_should
             subject.Compressors.Should().BeEmpty();
         }
 
+        [Theory]
+        [InlineData("mongodb://nam!@#$%^&*())e:password@localhost", "mongodb://<hidden>@localhost")]
+        [InlineData("://nam!@#$%^&*())e:password@loc", "://<hidden>@loc")]
+        [InlineData("://nam!@#$%^&*())e@loc", "://<hidden>@loc")]
+        [InlineData("mongodb://nameloc@", "mongodb://<hidden>@")]
+        [InlineData("mongodb+srv://nameloc@", "mongodb+srv://<hidden>@")]
+        [InlineData("ongodb://username:password@localhost/?replicaSet=@x", "ongodb://<hidden>@localhost/?replicaSet=@x")]
+        public void When_connectionstring_invalid_security_data_should_be_protected(string connectionString, string protectedConnectionString)
+        {
+            var exception = Record.Exception(() => new ConnectionString(connectionString));
+            var e = exception.Should().BeOfType<MongoConfigurationException>().Subject;
+            e.Message.Should().StartWith($"The connection string '{protectedConnectionString}'");
+        }
+
         [Theory]
         [InlineData("mongodb://localhost?connect=automatic", ClusterConnectionMode.Automatic)]
         [InlineData("mongodb://localhost?connect=direct", ClusterConnectionMode.Direct)]

Original file line number	Diff line number	Diff line change
`@@ -776,16 +776,17 @@ private void Parse()`
`776`	`776`	`var invalidPercentPattern = @"%$\|%.$\|%[^0-9a-fA-F]\|%[0-9a-fA-F][^0-9a-fA-F]";`
`777`	`777`	`if (Regex.IsMatch(_originalConnectionString, invalidPercentPattern))`
`778`	`778`	`{`
`779`		`- var message = string.Format("The connection string '{0}' contains an invalid '%' escape sequence.",`
`780`		`- _originalConnectionString);`
	`779`	`+ var protectedConnectionString = protectConnectionString(_originalConnectionString);`
	`780`	`+ var message = $"The connection string '{protectedConnectionString}' contains an invalid '%' escape sequence.";`
`781`	`781`	`throw new MongoConfigurationException(message);`
`782`	`782`	`}`
`783`	`783`	`}`
`784`	`784`
`785`	`785`	`var match = Regex.Match(_originalConnectionString, pattern);`
`786`	`786`	`if (!match.Success)`
`787`	`787`	`{`
`788`		`- var message = string.Format("The connection string '{0}' is not valid.", _originalConnectionString);`
	`788`	`+ var protectedConnectionString = protectConnectionString(_originalConnectionString);`
	`789`	`+ var message = $"The connection string '{protectedConnectionString}' is not valid.";`
`789`	`790`	`throw new MongoConfigurationException(message);`
`790`	`791`	`}`
`791`	`792`
`@@ -799,6 +800,12 @@ private void Parse()`
`799`	`800`	`{`
`800`	`801`	`throw new MongoConfigurationException("This is an invalid w and journal pair.");`
`801`	`802`	`}`
	`803`	`+`
	`804`	`+ string protectConnectionString(string connectionString)`
	`805`	`+ {`
	`806`	`+ var protectedString = Regex.Replace(connectionString, @"(?<=://)[^/]*(?=@)", "<hidden>");`
	`807`	`+ return protectedString;`
	`808`	`+ }`
`802`	`809`	`}`
`803`	`810`
`804`	`811`	`private void ParseOption(string name, string value)`