

# Sonar secrets-detection configuration for MongoDB credentials.
# Layout: the provider-wide `detection.pre` section decides which files are
# scanned and `detection.post.patternNot` discards captured candidates that look
# like placeholders; each entry under `rules` supplies a `matching.pattern` whose
# first capture group is the candidate secret, plus `examples` that serve as
# test cases (`containsSecret`, and `match` for the expected captured value).
provider:  
  metadata:
      name: MongoDB
      category: Database API Standard
      message: Make sure this MongoDB database password gets changed and removed from the code.
  detection:
    pre:
      # NOTE(review): presumably restricts scanning to main (non-test) sources —
      # confirm against the plugin's scope semantics.
      scopes:
        - main
      # Cheap content pre-filter: assumed to scan only files containing one of
      # these substrings (inferred from the key name — confirm).
      include:
        content:
          - mongo
          - mongodb
      # Documentation, template and local-settings files are never reported; the
      # examples below with fileName Doc.md / Doc.html / Doc.adoc rely on this.
      reject:
        ext:
          - .adoc
          - .example
          - .html
          - .md
          - .mdx
          - .template
        paths:
          - "**/appsettings.Development.json"
          - "**/appsettings.Local.json"
    post:
      # Avoid matching values found on SourceGraph that look like dummy passwords or insertions.
      # These rejections apply to the candidate captured by every rule below, in
      # addition to each rule's own patternNot list.
      patternNot:
        # A single character (word char, '.' or '*') repeated 3+ times: xxx, ***, ...
        - "^([\\w\\.\\*])\\1{2,}$"
        # Literal placeholder words: password, passwd, db_pass, mypassword, ...
        - "(?i)^(db|my)?_?pass(word|wd)?$"
        # Variable references: $VAR, $$VAR
        - "^\\${1,2}\\w+$"
        # Expansions, prefix only: ${..., $(..., $${...
        - "^\\${1,2}[{(]"
        # Template braces: {{ ...
        - "^\\{{2,}"
        # Angle-bracket placeholders: <password>, <your-password>
        - "^<[a-z \\-]+>$"
        # Another CLI option captured as the value, e.g. "--password --verbose"
        - "^--[a-z\\-]+$"


  rules:
    # Connection-string rule: the password component of a mongo/mongodb URI.
    - id: mongo-url
      rspecKey: S6694
      metadata:
        name: MongoDB database passwords should not be disclosed
      detection:
        matching:
          # Look for URIs in the format "protocol://username:password@server:port/..."
          # The protocol is "mongo" or "mongodb" but can also be followed by a subprotocol, e.g. "mongodb+srv".
          # Certain special characters need to be percent-encoded so we can break matching when we find them.
          # Group 1 (the password) stops at '@', '/' or a space; the username
          # additionally stops at ':'.
          pattern: "\\bmongo(?:db)?(?:\\+\\w+)?://[^:@/ ]+:([^@/ ]+)@"
        post:
          patternNot:
            # xxx, ***, ...
            - "(?i)^([\\w\\.\\*])\\1{2,}$"
            # $db_password, $$db_password
            # NOTE(review): there is no trailing `$` anchor, so any candidate that
            # merely starts with "pass" (e.g. passw0rd1) or with "$var_pass" is also
            # discarded. Reasonable for dummy values, but it suppresses real
            # passwords beginning with "pass" — confirm this is intended.
            - "^(\\${1,2}[a-z_]*)?(db|my)?_?pass(word|wd)?"
            # [My Password]
            - "^\\[[\\w\\t \\-]+\\]$"
            # <My Password> or <:My Password:> — unanchored, so any candidate
            # containing <...> anywhere is rejected
            - "<[\\w\\t \\-\\:]+>"
            # printf-style placeholders: %s, %v
            - "^%[sv]$"
            # $password, $$password
            - "^\\${1,2}\\w+$"
            # ${password}, $${password}
            # (also {password} and {{password}}, since the "$" prefix is optional)
            - "^\\${0,2}\\{+[^}]*\\}+$"
            # $(password)
            - "^\\$\\(\\w+\\)$"
            # #{password} and #{password}#
            - "^#\\{([^@/ ]+)\\}#?$"
      # Each example is run through this rule; `containsSecret: true` expects
      # the captured group to equal `match`.
      examples:
        # NOTE(review): "[email protected]" below (and in the last example)
        # looks like an email-obfuscation artifact of the page this file was
        # fetched from, replacing the original "password@host" text; confirm
        # these two examples against the upstream source before relying on them.
        - text: |
            backend "pg" {
              conn_str1 = "mongo://user:[email protected]/terraform_backend"
              conn_str2 = "mongodb://<:username:>:<:sonarpassword:>@<:sonarhost:>"
            }
          containsSecret: false
        # Go format placeholders ("%s") are rejected by "^%[sv]$".
        - text: |
            connStr = fmt.Sprintf("mongodb://%s:%s@:%s/%s%ssslmode=%s&host=%s",
              url.PathEscape(dbUser), url.PathEscape(dbPasswd), port, dbName, dbParam, dbsslMode, host)
          containsSecret: false
        # JS template interpolation "${encodedPassword}" is rejected by the
        # "${...}" pattern.
        - text: |
            if (!newConfig.DATABASE_URL) {
              const encodedUser = encodeURIComponent(newConfig.POSTHOG_DB_USER)
              const encodedPassword = encodeURIComponent(newConfig.POSTHOG_DB_PASSWORD)
              newConfig.DATABASE_URL = `mongodb://${encodedUser}:${encodedPassword}@${newConfig.POSTHOG_MONGO_HOST}:${newConfig.POSTHOG_MONGO_PORT}/${newConfig.POSTHOG_DB_NAME}`
            }
          containsSecret: false
        # "#{db-password}" is rejected by the "#{...}" pattern.
        - text: |
            SqlSettingsDefaultDataSource = "mongodb+srv://mmuser:#{db-password}@localhost/mattermost_test?sslmode=disable&connect_timeout=10&binary_parameters=yes"
          containsSecret: false
        # Same connection string with a concrete password: reported.
        - text: |
            SqlSettingsDefaultDataSource = "mongodb+srv://mmuser:mostest@localhost/mattermost_test?sslmode=disable&connect_timeout=10&binary_parameters=yes"
          containsSecret: true
          match: mostest
        # Identical text, but ".md" is in reject.ext, so nothing is reported.
        - text: |
            SqlSettingsDefaultDataSource = "mongodb+srv://mmuser:mostest@localhost/mattermost_test?sslmode=disable&connect_timeout=10&binary_parameters=yes"
          fileName: Doc.md
          containsSecret: false
        # Only the mongodb:// URI on the second line is a match; the surrounding
        # Go code is irrelevant to the pattern.
        - text: |
            passwordFile := fs.String("password", "../../../tools/secrets/password.txt", "password file")
            databasePrefix := fs.String("database-prefix", "mongodb://mongo:mongo_password_padded_for_security@localhost:27017/ocr2vrf-test", "database prefix")
            databaseSuffixes := fs.String("database-suffixes", "sslmode=disable", "database parameters to be added")
          containsSecret: true
          match: mongo_password_padded_for_security
        - text: |
            driver: mongodb
            dsn: mongodb://foouser:foopass@localhost:27017/testdb?sslmode=disable
            table: footable
          containsSecret: true
          match: foopass
        # A password equal to the username is still reported; no patternNot
        # entry covers that case.
        - text: |
            AIRFLOW_CONN_METADATA_DB=mongodb+srv://airflow:airflow@mongo:27017/airflow
            AIRFLOW_VAR__METADATA_DB_SCHEMA=airflow
          containsSecret: true
          match: airflow
        # Azure DevOps replacement token "#{...}#": rejected by the "#{...}" pattern.
        - text: |
            CONNECTION_STRING=mongodb://user:#{azure-replacement-token}#@mongo.local:27017/database"
          containsSecret: false
        # NOTE(review): see the obfuscation remark on the first example above.
        - text: |
            CONNECTION_STRING=mongodb://user:[email protected]:27017/database"
          containsSecret: false

    # CLI rule, unquoted form: "-p value" / "--password value" after a mongo tool name.
    - id: mongodb-cli-unquoted
      rspecKey: S6694
      metadata:
        name: MongoDB database passwords should not be disclosed
      detection:
        matching:
          # Tool name (mongo, mongodump, mongoimport, mongorestore, mongosh) must be
          # followed by a space or tab; at most 100 characters may sit between the
          # tool name and the -p/--password flag. The value is 3+ characters that
          # contain no quote or whitespace; quoted values are handled by the
          # mongodb-cli-quoted-outer rule below.
          pattern: "\\bmongo(?:dump|import|restore|sh)?(?=[ \\t]).{0,100}[ \\t](?:-p|--password)[ \\t]+([^\"'\\s]{3,})"
      examples:
        # Literal "password" is rejected by the provider-level patternNot.
        - text: |
            mongo --host localhost --username root --password password
          containsSecret: false
        # "$PASSWORD" is rejected by the "$VAR" patternNot.
        - text: |
            mongodump --host localhost --user $USER --password $PASSWORD
          containsSecret: false
        # The trailing space after --password is deliberate: it exercises the
        # empty-password case, and the {3,} quantifier finds nothing to capture.
        - text: |
            mongosh "mongodb://localhost:27017" --username  --password 
          containsSecret: false
        - text: |
            mongo --host localhost --username root --password P@ssw0rd
          containsSecret: true
          match: P@ssw0rd
        # Identical text, but ".html" is in reject.ext.
        - text: |
            mongo --host localhost --username root --password P@ssw0rd
          fileName: Doc.html
          containsSecret: false
        # "***" is rejected by the repeated-character patternNot.
        - text: |
            mongo --host localhost --username root --password ***
          containsSecret: false

    # CLI rule, quoted form: the password sits inside single or double quotes.
    - id: mongodb-cli-quoted-outer
      rspecKey: S6694
      metadata:
        name: MongoDB database passwords should not be disclosed
      detection:
        matching:
          # Matches multiple kinds of mongo CLI tools
          # Allows for 100 characters before password (username, host, etc.)
          # Then matches quoted passwords, located after -p or --password.
          # The trailing "\" on each line is a YAML double-quoted-scalar line
          # continuation: the pieces are joined with no whitespace inserted, so
          # this is a single regex. "\\\\?" before each quote allows an escaped
          # quote (\" or \') as found inside string literals in source code.
          pattern: "\\bmongo(?:dump|import|restore|sh)?\
                    (?=[ \\t]).{0,100}[ \\t]\
                    (?:-p|--password)[ \\t]+\
                    \\\\?[\"']\
                        ([^\\r\\n\"']{3,})\
                    \\\\?[\"']"
      examples:
        # Literal "password" is rejected by the provider-level patternNot.
        - text: |
            mongo --host "localhost" --username "root" --password "password"
          containsSecret: false
        # "$PASSWORD" is rejected by the "$VAR" patternNot.
        - text: |
            mongodump --host "localhost" --user "$USER" --password "$PASSWORD"
          containsSecret: false
        # Empty quoted value: nothing satisfies the {3,} quantifier.
        - text: |
            mongosh "mongodb://localhost:27017" --username "" --password ""
          containsSecret: false
        - text: |
            mongo --host "localhost" --username "root" --password "P@ssw0rd"
          containsSecret: true
          match: P@ssw0rd
        # Identical text, but ".adoc" is in reject.ext.
        - text: |
            mongo --host "localhost" --username "root" --password "P@ssw0rd"
          fileName: Doc.adoc
          containsSecret: false
        # "..." is rejected by the repeated-character patternNot.
        - text: |
            mongo --host "localhost" --username "root" --password "..."
          containsSecret: false



