MONGOID-5937 redact credentials from client config error messages #6147
Merged
comandeo-mongo merged 2 commits on Jun 10, 2026
NoClientDatabase, NoClientHosts and MixedClientConfiguration interpolated
the raw client configuration hash into their summary text via the
%{config} placeholder in lib/config/locales/en.yml. When a mongoid.yml
contained a uri with embedded userinfo, a :password option, or
auto_encryption_options.kms_providers, those secrets were exposed verbatim
in the exception message. MixedClientConfiguration is not rescued in the
Railtie, so it propagates to Rails' error reporter and from there to
Sentry, Bugsnag and similar trackers.
Add Mongoid::Errors::ConfigRedactor.redact, which returns a copy of the
config hash with :password and :auto_encryption_options replaced and the
userinfo stripped from any string :uri. Wire the helper into all three
error classes.
Pull request overview
This PR prevents sensitive credentials from leaking into Mongoid client configuration validation error messages by redacting secrets before interpolating the config hash into i18n error templates.
Changes:
- Introduces Mongoid::Errors::ConfigRedactor.redact to copy-and-redact client config hashes (passwords, auto-encryption options, and URI userinfo).
- Updates NoClientDatabase, NoClientHosts, and MixedClientConfiguration to pass redacted configs to compose_message.
- Adds unit and regression specs to ensure secrets (passwords, KMS provider material, and URI credentials) do not appear in exception messages.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib/mongoid/errors/config_redactor.rb | Adds redaction utility for sensitive config fields and URI userinfo. |
| lib/mongoid/errors/no_client_hosts.rb | Uses redacted config when composing error message. |
| lib/mongoid/errors/no_client_database.rb | Uses redacted config when composing error message. |
| lib/mongoid/errors/mixed_client_configuration.rb | Uses redacted config when composing error message. |
| lib/mongoid/errors.rb | Requires the new redactor module. |
| spec/mongoid/errors/config_redactor_spec.rb | Adds unit coverage for redaction behavior and non-mutation. |
| spec/mongoid/errors/no_client_hosts_spec.rb | Adds regression expectations for redaction in error messages. |
| spec/mongoid/errors/no_client_database_spec.rb | Adds regression expectations for redaction in error messages. |
| spec/mongoid/errors/mixed_client_configuration_spec.rb | Adds regression expectations for URI/userinfo and other secret redaction. |
|
|
||
| REDACTED = '[REDACTED]' | ||
|
|
||
| # Top-level keys whose values should be replaced wholesale. |
| end | ||
| end | ||
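Review bot: the comment "# Top-level keys whose values should be replaced wholesale." says top-level, while the PR description states that :password and :auto_encryption_options are redacted at any nesting depth (string or symbol keys). If the nested behaviour is what the code implements, reword the comment to match, for example "Keys whose values are replaced wholesale, at any nesting depth", so a later reader does not assume nested secrets are left alone.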
|
|
||
| def redact_value(key, value) |
jamis approved these changes Jun 9, 2026
Description
Connection-config validation errors leaked credentials into their messages.
NoClientDatabase, NoClientHosts, and MixedClientConfiguration passed the raw client configuration hash to compose_message, which the locale YAML interpolates verbatim via %{config}.
When mongoid.yml contains a uri: with embedded userinfo, a top-level password:, or options.auto_encryption_options.kms_providers (AWS access keys, GCP private keys, raw 96-byte local master keys), those secrets ended up in the exception message. MixedClientConfiguration is not rescued in the Railtie, so it propagates to Rails' error reporter and from there to Sentry, Bugsnag, Datadog, and similar trackers.
Fix
Add Mongoid::Errors::ConfigRedactor.redact, which returns a copy of the config hash with:
- :password and :auto_encryption_options (string or symbol keys, at any nesting depth) replaced with [REDACTED].
- :uri value stripped (e.g. mongodb://admin:s3cr3t@host becomes mongodb://[REDACTED]@host). Also handles mongodb+srv://.
The three error classes call the redactor before passing the hash to compose_message. The original config hash is not mutated.
Notes
- Mongo::URI#sanitized, but that method does not exist in the driver. The URI in mongoid.yml is a raw string at this point, so redaction is implemented locally.
- NoClientDatabase and NoClientHosts only fire when no :uri is present (no_database_or_uri?/no_hosts_or_uri?), so a URI with embedded credentials cannot leak via those two paths. They still leak :password and :auto_encryption_options, both of which are now redacted.
Test plan
- ConfigRedactor covering URI sanitization, :password and :auto_encryption_options redaction (string and symbol keys, nested), non-mutation of input
- s3cr3t, kms_providers, AKIA…, and 96-byte master key material no longer appear in exception messages
- Validators::Client integration tests in spec/mongoid/config_spec.rb still pass
- bundle exec rubocop clean on all changed files
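The copy-and-redact approach described above, sketched as an added example; this is not the code from the pull request or from Mongoid. The module name ExampleConfigRedactor, the summary helper, the message template and the sample config are all assumptions made for illustration.

```ruby
# Added illustration: hypothetical module, not Mongoid's ConfigRedactor.
module ExampleConfigRedactor
  REDACTED = '[REDACTED]'
  # Keys whose values are replaced wholesale, at any nesting depth.
  SENSITIVE_KEYS = %w[password auto_encryption_options].freeze
  # Userinfo = everything up to the last "@" before the first "/" or "?",
  # so a password containing an unescaped "@" is still fully removed.
  USERINFO = %r{\A(mongodb(?:\+srv)?://)[^/?]*@}i

  module_function

  # Returns a redacted deep copy; the caller's hash is never modified.
  def redact(value, key = nil)
    name = key.to_s # treat :password and "password" alike
    return REDACTED if SENSITIVE_KEYS.include?(name)

    case value
    when Hash then value.each_with_object({}) { |(k, v), out| out[k] = redact(v, k) }
    when Array then value.map { |v| redact(v) }
    when String then name == 'uri' ? value.sub(USERINFO, "\\1#{REDACTED}@") : value.dup
    else value
    end
  end

  # Mirrors a %{config}-style template: only the redacted copy is interpolated.
  def summary(config)
    format('Invalid client configuration: %{config}', config: redact(config))
  end
end

# Constructed sample config; every value below is made up.
SAMPLE = {
  default: {
    uri: 'mongodb+srv://admin:s3cr3t@cluster.example.net/app',
    'password' => 'hunter2',
    options: { auto_encryption_options: { kms_providers: { local: { key: 'AAAA' } } } }
  }
}.freeze

puts ExampleConfigRedactor.summary(SAMPLE)
```

Redacting by key name at every depth means a secret stored under any other key name is left in place, so a denylist like this has to be extended whenever a new secret-bearing option is introduced.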