PYTHON-4463 Disallow comma character in authMechanismProperties connection string value (#1646)

blink1073 · web-flow · commit e9c86f4c00d7 · 2024-06-05T14:39:00.000-05:00
diff --git a/pymongo/common.py b/pymongo/common.py
@@ -454,8 +454,11 @@ def validate_auth_mechanism_properties(option: str, value: Any) -> dict[str, Uni
         return props
 
     value = validate_string(option, value)
+    value = unquote_plus(value)
     for opt in value.split(","):
         key, _, val = opt.partition(":")
+        if not val:
+            raise ValueError("Malformed auth mechanism properties")
         if key not in _MECHANISM_PROPS:
             # Try not to leak the token.
             if "AWS_SESSION_TOKEN" in key:
@@ -473,7 +476,7 @@ def validate_auth_mechanism_properties(option: str, value: Any) -> dict[str, Uni
         if key == "CANONICALIZE_HOST_NAME":
             props[key] = validate_boolean_or_string(key, val)
         else:
-            props[key] = unquote_plus(val)
+            props[key] = val
 
     return props
 
diff --git a/pymongo/uri_parser.py b/pymongo/uri_parser.py
@@ -494,16 +494,11 @@ def parse_uri(
     collection = None
     options = _CaseInsensitiveDictionary()
 
-    host_part, _, path_part = scheme_free.partition("/")
-    if not host_part:
-        host_part = path_part
-        path_part = ""
-
-    if path_part:
-        dbase, _, opts = path_part.partition("?")
+    host_plus_db_part, _, opts = scheme_free.partition("?")
+    if "/" in host_plus_db_part:
+        host_part, _, dbase = host_plus_db_part.partition("/")
     else:
-        # There was no slash in scheme_free, check for a sole "?".
-        host_part, _, opts = host_part.partition("?")
+        host_part = host_plus_db_part
 
     if dbase:
         dbase = unquote_plus(dbase)
diff --git a/test/auth/legacy/connection-string.json b/test/auth/legacy/connection-string.json
@@ -559,7 +559,7 @@
     },
     {
       "description": "should handle a complicated url-encoded TOKEN_RESOURCE (MONGODB-OIDC)",
-      "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:abc%2Cd%25ef%3Ag%26hi",
+      "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:abcd%25ef%3Ag%26hi",
       "valid": true,
       "credential": {
         "username": "user",
@@ -568,7 +568,7 @@
         "mechanism": "MONGODB-OIDC",
         "mechanism_properties": {
           "ENVIRONMENT": "azure",
-          "TOKEN_RESOURCE": "abc,d%ef:g&hi"
+          "TOKEN_RESOURCE": "abcd%ef:g&hi"
         }
       }
     },
diff --git a/test/connection_string/test/valid-options.json b/test/connection_string/test/valid-options.json
@@ -37,6 +37,25 @@
       "options": {
         "tls": true
       }
+    },
+    {
+      "description": "Colon in a key value pair",
+      "uri": "mongodb://example.com?authMechanismProperties=TOKEN_RESOURCE:mongodb://test-cluster",
+      "valid": true,
+      "warning": false,
+      "hosts": [
+        {
+          "type": "hostname",
+          "host": "example.com",
+          "port": null
+        }
+      ],
+      "auth": null,
+      "options": {
+        "authmechanismProperties": {
+          "TOKEN_RESOURCE": "mongodb://test-cluster"
+        }
+      }
     }
   ]
 }
diff --git a/test/connection_string/test/valid-warnings.json b/test/connection_string/test/valid-warnings.json
@@ -93,6 +93,21 @@
       ],
       "auth": null,
       "options": null
+    },
+    {
+      "description": "Comma in a key value pair causes a warning",
+      "uri": "mongodb://example.com?authMechanismProperties=TOKEN_RESOURCE:mongodb://host1%2Chost2",
+      "valid": true,
+      "warning": true,
+      "hosts": [
+        {
+          "type": "hostname",
+          "host": "example.com",
+          "port": null
+        }
+      ],
+      "auth": null,
+      "options": null
     }
   ]
 }
diff --git a/test/test_uri_parser.py b/test/test_uri_parser.py
@@ -474,9 +474,9 @@ def test_normalize_options(self):
         res = {"tls": True, "appname": "myapp"}
         self.assertEqual(res, parse_uri(uri)["options"])
 
-    def test_unquote_after_parsing(self):
-        quoted_val = "val%21%40%23%24%25%5E%26%2A%28%29_%2B%2C%3A+etc"
-        unquoted_val = "val!@#$%^&*()_+,: etc"
+    def test_unquote_during_parsing(self):
+        quoted_val = "val%21%40%23%24%25%5E%26%2A%28%29_%2B%3A+etc"
+        unquoted_val = "val!@#$%^&*()_+: etc"
         uri = (
             "mongodb://user:password@localhost/?authMechanism=MONGODB-AWS"
             "&authMechanismProperties=AWS_SESSION_TOKEN:" + quoted_val
@@ -511,7 +511,7 @@ def test_redact_AWS_SESSION_TOKEN(self):
         )
         with self.assertRaisesRegex(
             ValueError,
-            "auth mechanism properties must be key:value pairs like AWS_SESSION_TOKEN:<token>",
+            "Malformed auth mechanism properties",
         ):
             parse_uri(uri)
 

Original file line number	Diff line number	Diff line change
`@@ -559,7 +559,7 @@`
`559`	`559`	`},`
`560`	`560`	`{`
`561`	`561`	`"description": "should handle a complicated url-encoded TOKEN_RESOURCE (MONGODB-OIDC)",`
`562`		`- "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:abc%2Cd%25ef%3Ag%26hi",`
	`562`	`+ "uri": "mongodb://user@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:abcd%25ef%3Ag%26hi",`
`563`	`563`	`"valid": true,`
`564`	`564`	`"credential": {`
`565`	`565`	`"username": "user",`
`@@ -568,7 +568,7 @@`
`568`	`568`	`"mechanism": "MONGODB-OIDC",`
`569`	`569`	`"mechanism_properties": {`
`570`	`570`	`"ENVIRONMENT": "azure",`
`571`		`- "TOKEN_RESOURCE": "abc,d%ef:g&hi"`
	`571`	`+ "TOKEN_RESOURCE": "abcd%ef:g&hi"`
`572`	`572`	`}`
`573`	`573`	`}`
`574`	`574`	`},`