python.pymongo.security.mongodb.mongo-client-bad-auth
Author: semgrep
Download count: 971
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Warning: MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).
Definition

```yaml
rules:
  - id: mongo-client-bad-auth
    pattern: |
      pymongo.MongoClient(..., authMechanism='MONGODB-CR')
    message: Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and
      is no longer supported by MongoDB 4.0 (see
      https://api.mongodb.com/python/current/examples/authentication.html for
      details).
    fix-regex:
      regex: MONGODB-CR
      replacement: SCRAM-SHA-256
    severity: WARNING
    languages:
      - python
    metadata:
      cwe:
        - "CWE-477: Use of Obsolete Function"
      category: security
      technology:
        - pymongo
      references:
        - https://cwe.mitre.org/data/definitions/477.html
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Dangerous Method or Function
```
Examples

mongodb.py

```python
from pymongo import MongoClient

# ok:mongo-client-bad-auth
client = MongoClient('example.com',
                     username='user',
                     password='password',
                     authSource='the_database',
                     authMechanism='SCRAM-SHA-256')

# ok:mongo-client-bad-auth
client = MongoClient('example.com',
                     username='user',
                     password='password',
                     authSource='the_database',
                     authMechanism='SCRAM-SHA-1')

# ruleid:mongo-client-bad-auth
client = MongoClient('example.com', username='user', password='password', authSource='the_database', authMechanism='MONGODB-CR')
```
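The rule's pattern matches the keyword-argument form `authMechanism='MONGODB-CR'`. pymongo also accepts `authMechanism` as a query option in the connection URI, which a pattern on the call's keyword arguments does not see. The following is an added example, not part of the Semgrep rule or its test file: a pre-flight check that reports the effective mechanism for a `MongoClient(uri, **kwargs)` call from both sources and flags the deprecated one. The function names, the `DEPRECATED_MECHANISMS` set and the sample inputs are constructed for this example; it runs offline and does not import pymongo. It relies on pymongo's documented behaviour that keyword arguments override URI options and that URI option names are matched case-insensitively.

```python
# Added example (not the Semgrep rule's or pymongo's own code): report which
# authMechanism a MongoClient(uri, **kwargs) call would use, reading both the
# keyword arguments and the URI query string, and flag MONGODB-CR.
from urllib.parse import parse_qs, urlsplit

# Constructed for this example; MONGODB-CR is the mechanism the rule flags.
DEPRECATED_MECHANISMS = {"MONGODB-CR"}
RECOMMENDED_MECHANISM = "SCRAM-SHA-256"  # the rule's fix-regex replacement


def configured_auth_mechanism(uri=None, **client_kwargs):
    """Return the effective authMechanism for MongoClient(uri, **client_kwargs),
    or None when none is set explicitly.

    Keyword arguments win over URI options (pymongo documents that keyword
    arguments override the corresponding URI option). A bare host string such
    as 'example.com' has no query component, so only the kwargs are consulted.
    """
    if "authMechanism" in client_kwargs:
        return client_kwargs["authMechanism"]
    if uri and "://" in uri:
        query = parse_qs(urlsplit(uri).query)
        for key, values in query.items():
            # URI option names are case-insensitive in pymongo.
            if key.lower() == "authmechanism" and values:
                return values[-1]
    return None


def check_auth_mechanism(uri=None, **client_kwargs):
    """Return (mechanism, finding); finding is None when nothing is wrong."""
    mechanism = configured_auth_mechanism(uri, **client_kwargs)
    if mechanism is not None and mechanism.upper() in DEPRECATED_MECHANISMS:
        finding = (
            f"{mechanism} was deprecated in MongoDB 3.6 and is unsupported in "
            f"MongoDB 4.0; use {RECOMMENDED_MECHANISM}"
        )
        return mechanism, finding
    return mechanism, None


if __name__ == "__main__":
    # Constructed sample inputs; no real hosts or credentials.
    samples = [
        ("example.com", {"username": "user", "password": "password",
                         "authSource": "the_database",
                         "authMechanism": "MONGODB-CR"}),
        ("mongodb://user:password@example.com/the_database"
         "?authMechanism=MONGODB-CR", {}),
        ("mongodb://example.com/", {"authMechanism": "SCRAM-SHA-256"}),
        ("mongodb://example.com/", {}),
    ]
    for uri, kwargs in samples:
        mechanism, finding = check_auth_mechanism(uri, **kwargs)
        print(f"{str(mechanism):15} {finding or 'ok'}")
```

The second sample is the case the Semgrep pattern cannot match: the deprecated mechanism lives in the URI rather than in a keyword argument. If your code builds connection strings from configuration, run a check like this at startup, or extend the rule with a second pattern over string literals containing `authMechanism=MONGODB-CR`.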
Short Link: https://sg.run/YXRd