The MongoDB connection string is written to the container logs
oskapt opened this issue · 2 comments
oskapt commented
When the container starts, it prints the MongoDB connection string in the container log, which is unnecessary and insecure. Although this application is likely to be self-hosted, anyone with access to the container logs could then query the db directly for information about trades. Probably not that big of a deal if someone's running it locally or in their house, but it's still an unnecessary risk.
I'm running this in Kubernetes with the URI as a secured K8s secret. Having the string printed to the log undermines all of the security.
At the very least, please *** out the password portion of the URI, like in the example below:

```
➤ k logs tradenote-65f5dfdcc5-2wfxv
> tradenote@11.20.9 start
> node index.js
databaseURI mongodb://tradenote:********@mongo.home.monach.us:27017/tradenote
```
7aklhz commented
This is a good point. Will look into it
7aklhz commented
Ok, done in v12.0.7