GODRIVER-449 Correctly unescape usernames and passwords in connection strings. (#1014)

matthewdale · web-flow · commit b659a83d30de · 2022-07-06T12:26:09.000-07:00
diff --git a/data/connection-string/valid-auth.json b/data/connection-string/valid-auth.json
@@ -240,6 +240,27 @@
         "authmechanism": "MONGODB-CR"
       }
     },
+    {
+      "description": "Subdelimiters in user/pass don't need escaping (MONGODB-CR)",
+      "uri": "mongodb://!$&'()*+,;=:!$&'()*+,;=@127.0.0.1/admin?authMechanism=MONGODB-CR",
+      "valid": true,
+      "warning": false,
+      "hosts": [
+        {
+          "type": "ipv4",
+          "host": "127.0.0.1",
+          "port": null
+        }
+      ],
+      "auth": {
+        "username": "!$&'()*+,;=",
+        "password": "!$&'()*+,;=",
+        "db": "admin"
+      },
+      "options": {
+        "authmechanism": "MONGODB-CR"
+      }
+    },
     {
       "description": "Escaped username (MONGODB-X509)",
       "uri": "mongodb://CN%3DmyName%2COU%3DmyOrgUnit%2CO%3DmyOrg%2CL%3DmyLocality%2CST%3DmyState%2CC%3DmyCountry@localhost/?authMechanism=MONGODB-X509",
diff --git a/data/connection-string/valid-auth.yml b/data/connection-string/valid-auth.yml
@@ -188,6 +188,22 @@ tests:
             db: "admin?"
         options:
             authmechanism: "MONGODB-CR"
+    -
+        description: "Subdelimiters in user/pass don't need escaping (MONGODB-CR)"
+        uri: "mongodb://!$&'()*+,;=:!$&'()*+,;=@127.0.0.1/admin?authMechanism=MONGODB-CR"
+        valid: true
+        warning: false
+        hosts:
+            -
+                type: "ipv4"
+                host: "127.0.0.1"
+                port: ~
+        auth:
+            username: "!$&'()*+,;="
+            password: "!$&'()*+,;="
+            db: "admin"
+        options:
+            authmechanism: "MONGODB-CR"
     -
         description: "Escaped username (MONGODB-X509)"
         uri: "mongodb://CN%3DmyName%2COU%3DmyOrgUnit%2CO%3DmyOrg%2CL%3DmyLocality%2CST%3DmyState%2CC%3DmyCountry@localhost/?authMechanism=MONGODB-X509"
diff --git a/x/mongo/driver/connstring/connstring.go b/x/mongo/driver/connstring/connstring.go
@@ -233,7 +233,7 @@ func (p *parser) parse(original string) error {
 		if strings.Contains(username, "/") {
 			return fmt.Errorf("unescaped slash in username")
 		}
-		p.Username, err = url.QueryUnescape(username)
+		p.Username, err = url.PathUnescape(username)
 		if err != nil {
 			return internal.WrapErrorf(err, "invalid username")
 		}
@@ -246,7 +246,7 @@ func (p *parser) parse(original string) error {
 		if strings.Contains(password, "/") {
 			return fmt.Errorf("unescaped slash in password")
 		}
-		p.Password, err = url.QueryUnescape(password)
+		p.Password, err = url.PathUnescape(password)
 		if err != nil {
 			return internal.WrapErrorf(err, "invalid password")
 		}

Original file line number	Diff line number	Diff line change
`@@ -233,7 +233,7 @@ func (p *parser) parse(original string) error {`
`233`	`233`	`if strings.Contains(username, "/") {`
`234`	`234`	`return fmt.Errorf("unescaped slash in username")`
`235`	`235`	`}`
`236`		`- p.Username, err = url.QueryUnescape(username)`
	`236`	`+ p.Username, err = url.PathUnescape(username)`
`237`	`237`	`if err != nil {`
`238`	`238`	`return internal.WrapErrorf(err, "invalid username")`
`239`	`239`	`}`
`@@ -246,7 +246,7 @@ func (p *parser) parse(original string) error {`
`246`	`246`	`if strings.Contains(password, "/") {`
`247`	`247`	`return fmt.Errorf("unescaped slash in password")`
`248`	`248`	`}`
`249`		`- p.Password, err = url.QueryUnescape(password)`
	`249`	`+ p.Password, err = url.PathUnescape(password)`
`250`	`250`	`if err != nil {`
`251`	`251`	`return internal.WrapErrorf(err, "invalid password")`
`252`	`252`	`}`