[security] MongoDB's credentials are exposed in the logs if using url-style host to connect to a replica set

[emptywee]

Please, add a condition to verify if db_host has :// in it, then show the line without the password, if any.

https://github.com/StackStorm/st2/blob/master/st2common/st2common/models/db/__init__.py#L79

Thanks!

[Kami]

Thanks for reporting this - we will have a look. In the mean time, you can use "supply password as a separate argument" (default value) as a work-around (if that works for your use-case).

Edit: Just saw you are using replica set, so supplying password as argument won't work.

[emptywee]

@Kami I am not the best python developer and haven't really debugged the code, but I am not sure if it's going to honor a separately provided password variable:

https://github.com/MongoEngine/mongoengine/blob/master/mongoengine/connection.py#L88

Can you confirm?

[emptywee]

Oh I think it will. It iterates to find them in the provided url string, and overwrites if it finds one.

[emptywee]

Yes, removing username and password from the URL helps. Anyway, might be a good idea to hide it if user decided to use a one-line url as a db_host. Or at least document it somewhere.

[Kami]

Anyway, might be a good idea to hide it if user decided to use a one-line url as a db_host. Or at least document it somewhere.

Yeah, agreed, will push that change, but separate parameter is still preferred because same thing with logging could also happens in other places which we can't directly control.