python.pymongo.security.mongodb.mongo-client-bad-auth

profile photo of semgrepsemgrep
Author
971
Download Count*
LGPL Commons Clause
License

Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: mongo-client-bad-auth
    pattern: |
      pymongo.MongoClient(..., authMechanism='MONGODB-CR')
    message: Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and
      is no longer supported by MongoDB 4.0 (see
      https://api.mongodb.com/python/current/examples/authentication.html for
      details).
    fix-regex:
      regex: MONGODB-CR
      replacement: SCRAM-SHA-256
    severity: WARNING
    languages:
      - python
    metadata:
      cwe:
        - "CWE-477: Use of Obsolete Function"
      category: security
      technology:
        - pymongo
      references:
        - https://cwe.mitre.org/data/definitions/477.html
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Dangerous Method or Function

Examples

mongodb.py

from pymongo import MongoClient

# ok:mongo-client-bad-auth
client = MongoClient('example.com',
                     username='user',
                     password='password',
                     authSource='the_database',
                     authMechanism='SCRAM-SHA-256')
# ok:mongo-client-bad-auth
client = MongoClient('example.com',
                     username='user',
                     password='password',
                     authSource='the_database',
                     authMechanism='SCRAM-SHA-1')

# ruleid:mongo-client-bad-auth
client = MongoClient('example.com', username='user', password='password', authSource='the_database', authMechanism='MONGODB-CR')