Hide mechanism properties in MongoCredential#toString

jyemin · jyemin · commit c25c44a715e9 · 2019-08-09T11:45:13.000-04:00
In some cases a mechanism property value can contain sensitive information, so the toString method should be conservative and not include any of them. JAVA-3381
diff --git a/driver-core/src/main/com/mongodb/MongoCredential.java b/driver-core/src/main/com/mongodb/MongoCredential.java
@@ -514,7 +514,7 @@ public String toString() {
                 + ", userName='" + userName + '\''
                 + ", source='" + source + '\''
                 + ", password=<hidden>"
-                + ", mechanismProperties=" + mechanismProperties
+                + ", mechanismProperties=<hidden>"
                 + '}';
     }
 }
diff --git a/driver-core/src/test/unit/com/mongodb/MongoCredentialSpecification.groovy b/driver-core/src/test/unit/com/mongodb/MongoCredentialSpecification.groovy
@@ -296,6 +296,11 @@ class MongoCredentialSpecification extends Specification {
         credentialOne.hashCode() != credentialTwo.hashCode()
 
         !credentialOne.toString().contains(password)
+        credentialOne.toString().contains('password=<hidden>')
+
+        !credentialTwo.toString().contains(propertyKey.toLowerCase())
+        !credentialTwo.toString().contains(propertyValue)
+        credentialTwo.toString().contains('mechanismProperties=<hidden>')
     }
 
     def 'testEqualsAndHashCode'() {

Original file line number	Diff line number	Diff line change
`@@ -514,7 +514,7 @@ public String toString() {`
`514`	`514`	`+ ", userName='" + userName + '\''`
`515`	`515`	`+ ", source='" + source + '\''`
`516`	`516`	`+ ", password=<hidden>"`
`517`		`- + ", mechanismProperties=" + mechanismProperties`
	`517`	`+ + ", mechanismProperties=<hidden>"`
`518`	`518`	`+ '}';`
`519`	`519`	`}`
`520`	`520`	`}`