python.security.mongodb.mongo-client-bad-auth

Author: returntocorp
Download count: 1,993

Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).

Definition

rules:
  - id: mongo-client-bad-auth
    pattern: |
      pymongo.MongoClient(..., authMechanism='MONGODB-CR')
    message: >
      Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is
      no longer supported by MongoDB 4.0 (see
      https://api.mongodb.com/python/current/examples/authentication.html for
      details).
    fix-regex:
      regex: MONGODB-CR
      replacement: SCRAM-SHA-256
    severity: WARNING
    languages:
      - python
    metadata:
      category: security
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

mongodb.py

from pymongo import MongoClient

# ok:mongo-client-bad-auth
client = MongoClient('example.com',
                     username='user',
                     password='password',
                     authSource='the_database',
                     authMechanism='SCRAM-SHA-256')
# ok:mongo-client-bad-auth
client = MongoClient('example.com',
                     username='user',
                     password='password',
                     authSource='the_database',
                     authMechanism='SCRAM-SHA-1')

# ruleid:mongo-client-bad-auth
client = MongoClient('example.com', username='user', password='password', authSource='the_database', authMechanism='MONGODB-CR')
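
The rule's pattern matches authMechanism='MONGODB-CR' only when it is written as a literal keyword argument. The check below is an added example, not part of the rule or of Semgrep: it goes beyond the pattern by also reading the authMechanism option out of a literal connection URI. The names uri_mechanism and find_mongodb_cr are hypothetical and SAMPLE is constructed input.

```python
import ast
from urllib.parse import parse_qs

DEPRECATED = "MONGODB-CR"

def uri_mechanism(value):
    """Return the authMechanism option of a MongoDB URI string, else None."""
    if not isinstance(value, str) or not value.startswith(("mongodb://", "mongodb+srv://")):
        return None
    query = value.partition("?")[2]
    # Connection-string option names are case-insensitive; keep the last value.
    opts = {k.lower(): v[-1] for k, v in parse_qs(query).items()}
    return opts.get("authmechanism")

def find_mongodb_cr(source):
    """Return sorted line numbers of MongoClient calls that select MONGODB-CR."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "MongoClient":
            continue
        # Form 1: literal keyword argument, the case the rule's pattern matches.
        found = [kw.value.value for kw in node.keywords
                 if kw.arg == "authMechanism" and isinstance(kw.value, ast.Constant)]
        # Form 2: literal URI passed positionally or as host=.
        uris = node.args + [kw.value for kw in node.keywords if kw.arg == "host"]
        found += [uri_mechanism(a.value) for a in uris if isinstance(a, ast.Constant)]
        if DEPRECATED in found:
            hits.add(node.lineno)
    return sorted(hits)

# Constructed sample input (not from the rule's test file).
SAMPLE = """\
from pymongo import MongoClient
import pymongo
a = MongoClient('example.com', username='user', authMechanism='SCRAM-SHA-256')
b = MongoClient('example.com', username='user', authMechanism='MONGODB-CR')
c = pymongo.MongoClient('mongodb://user:password@example.com/the_database?authMechanism=MONGODB-CR')
d = MongoClient(host='mongodb://user:password@example.com/?authmechanism=SCRAM-SHA-1')
"""

if __name__ == "__main__":
    print(find_mongodb_cr(SAMPLE))
```

Mechanisms assembled at runtime (variables, environment values, unpacked option dicts) are outside what this literal-only check sees.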