Skip to content

fix(logging): handle credential redaction in some cases with special characters MONGOSH-2991 #2581

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 20, 2025
Merged

fix(logging): handle credential redaction in some cases with special characters MONGOSH-2991 #2581

merged 6 commits into from
Nov 20, 2025

Conversation

@gagik
Copy link
Contributor

@gagik gagik commented Nov 18, 2025
edited
Loading

From updates in mongodb-js/devtools-shared#597 and mongodb-js/devtools-shared#599, this both...

  1. improves redaction of connection URIs for any arbitrary connection string (including with special characters)
  2. prevents logging of sensitive commands, matching what we do for history.

@gagik gagik changed the title WIP - chore: use redact package chore: use mongodb-redact package to improve credential redaction Nov 19, 2025
@gagik gagik changed the title chore: use mongodb-redact package to improve credential redaction chore: use mongodb-redact package to improve credential redaction MONGOSH-2991 Nov 19, 2025
gagik
gagik commented Nov 19, 2025
View reviewed changes
packages/history/src/history.ts
const hiddenCommands = new RegExp(HIDDEN_COMMANDS, 'g');

if (hiddenCommands.test(history[0])) {
if (shouldRedactCommand(history[0])) {
Copy link
Contributor Author

@gagik gagik Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just so I understand right, we always redact data from history if it's a redactable command, 'redact-sensitive-data' | 'keep-sensitive-data' only handles the other cases?

Copy link
Collaborator

@addaleax addaleax Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mongosh/packages/cli-repl/src/mongosh-repl.ts

Lines 565 to 573 in f3ff98c

if (this.redactHistory !== 'keep') {
const history: string[] = (repl as any).history;
changeHistory(
history,
this.redactHistory === 'remove-redact'
? 'redact-sensitive-data'
: 'keep-sensitive-data'
);
}

Copy link
Contributor Author

@gagik gagik Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah cool, it'd be nice to move the whole logic into the function and make that enum include "keep"

@gagik gagik changed the title chore: use mongodb-redact package to improve credential redaction MONGOSH-2991 fix(mongodb-redact): handle credential redaction in some cases with special characters MONGOSH-2991 Nov 19, 2025
@gagik gagik changed the title fix(mongodb-redact): handle credential redaction in some cases with special characters MONGOSH-2991 fix(logging): handle credential redaction in some cases with special characters MONGOSH-2991 Nov 19, 2025
@gagik gagik marked this pull request as ready for review November 19, 2025 10:15
@gagik gagik requested a review from a team as a code owner November 19, 2025 10:15
Copilot AI review requested due to automatic review settings November 19, 2025 10:15
Copilot AI reviewed Nov 19, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates credential redaction functionality by migrating from internal @mongosh/history utilities to the standardized mongodb-redact package (v1.3.0). This improves handling of connection strings with special characters and prevents logging of sensitive commands like authentication operations.

Key changes:

  • Replaced redactURICredentials with redactConnectionString and HIDDEN_COMMANDS regex with shouldRedactCommand
  • Updated mongodb-redact dependency to v1.3.0 across multiple packages
  • Added early-return checks in logging to skip sensitive commands entirely rather than just redacting them

Reviewed Changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
packages/shell-evaluator/src/shell-evaluator.ts Switched from HIDDEN_COMMANDS regex to shouldRedactCommand function and redactSensitiveData to redact
packages/shell-api/src/shell-instance-state.ts Updated to use redactConnectionString with empty string fallback
packages/shell-api/src/shard.ts Replaced redactURICredentials with redactConnectionString
packages/shell-api/src/replica-set.ts Replaced redactURICredentials with redactConnectionString
packages/shell-api/src/mongo.ts Updated URI redaction calls to use redactConnectionString
packages/shell-api/src/field-level-encryption.ts Replaced redactURICredentials with redactConnectionString
packages/shell-api/src/database.ts Migrated from HIDDEN_COMMANDS regex to shouldRedactCommand function
packages/shell-api/src/collection.ts Replaced HIDDEN_COMMANDS regex with shouldRedactCommand
packages/shell-api/package.json Updated mongodb-redact to v1.3.0
packages/logging/src/logging-and-telemetry.ts Added early-return guards for sensitive commands and updated redaction function calls
packages/logging/src/logging-and-telemetry.spec.ts Added comprehensive test coverage for sensitive command filtering
packages/logging/package.json Updated mongodb-redact to v1.3.0 and removed @mongosh/history dependency
packages/history/src/index.ts Removed re-exports of redaction utilities now handled by mongodb-redact
packages/history/src/history.ts Migrated to use shouldRedactCommand and redact from mongodb-redact
packages/history/package.json Updated mongodb-redact to v1.3.0 and removed mongodb-connection-string-url
packages/cli-repl/src/smoke-tests.ts Replaced redactURICredentials with redactConnectionString
packages/cli-repl/src/run.ts Updated to use redactConnectionString
packages/cli-repl/src/cli-repl.ts Replaced both redactURICredentials and redactSensitiveData with new functions
packages/cli-repl/package.json Updated mongodb-redact to v1.3.0 and removed unused dependency

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

addaleax
addaleax reviewed Nov 19, 2025
View reviewed changes
packages/logging/src/logging-and-telemetry.ts Outdated
});

onBus('mongosh:evaluate-input', (args: EvaluateInputEvent) => {
// Skip logging sensitive commands
Copy link
Collaborator

@addaleax addaleax Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's still log something so that the log file isn't silently incomplete

packages/logging/src/logging-and-telemetry.ts Outdated
});

onBus('mongosh:api-call-with-arguments', (args: ApiEventWithArguments) => {
if (shouldRedactCommand(args.method)) {
Copy link
Collaborator

@addaleax addaleax Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We explicitly decide which args to pass to this event; e.g. for createUser, we do not pass any:

mongosh/packages/shell-api/src/database.ts

Line 569 in e9f6465

this._emitDatabaseApiCall('createUser', {});

If we think that this isn't sufficient protection, then we should similarly here just hide args instead of not logging at all

@gagik
Copy link
Contributor Author

gagik commented Nov 20, 2025

Fully green CI 🥹

@gagik gagik merged commit 332fa41 into main Nov 20, 2025
155 checks passed
@gagik gagik deleted the gagik/redact branch November 20, 2025 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@addaleax addaleax addaleax approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gagik @addaleax