Mongo URI password visible in process list on Linux

[vineelyalamarthy]

Describe the bug
Exporter tries to connect with MongoDB using the URI to get the metrics.

Here is the URI format.

mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]

When we do ps -ef we are able to see the password even though we try to render the password via an env and this can be a security breach when we use this in production environment.

To Reproduce
Steps to reproduce the behavior:

1. Install MongoDB 4.2 in either replica set mode or stand alone mode. (Though we believe Mongo version has nothing to do here)
2. Run the binary (mongodb_exporter-0.7.1.linux-amd64.tar.gz) by providing the Mongo connection URI as shown above.

Expected behavior
When we go the terminal and do ps -ef, password should be redacted.

Logs
Please provide logs relevant to the issue

Environment

• Linux
• docker, k8s (1.22)
• Mongo DB version 4.2.

[denisok]

similar request is in #380 . As a secure alternative so far you can use tls connection with --web.config which is Prometheus TLS config file.

Run the binary (mongodb_exporter-0.7.1.linux-amd64.tar.gz) 0.7.1 version is probably some very old or from different repo, current release is 0.34.x

[denisok]

hm. I mixed up the things, --web.config is the parameter for exporter itself. It will not help with connection to mongo. So yeah, concern is quite critical we need to address it.

[denisok]

workaround would be to use MONGODB_URI env var

mongodb_exporter/main.go

Line 40 in ac32423

URI string `name:"mongodb.uri" help:"MongoDB connection URI" env:"MONGODB_URI" placeholder:"mongodb://user:[email protected]:27017/admin?ssl=true"`

also see #560

[denisok]

to make it clear --web-config is for exporter itself, but you still use tls in a connection URI: tls=truetlsCertificateKeyFile=Server.pem&tlsCAFile=ca.pem in connection string instead of password.

[adinandan]

the issue still seems to be there when we try to make mongo-uri as ENV

to make it clear --web-config is for exporter itself, but you still use tls in a connection URI: tls=truetlsCertificateKeyFile=Server.pem&tlsCAFile=ca.pem in connection string instead of password.

The issue still seems to be there when we try to make mongo_uri as ENV when we pass the user and password

[crankedguy]

I post that here because the other mentioned issues are container related (#380) or not related at all (#560) regarding the security implication. Will there be any progress on this? As correctly mentioned this is a high security risk and should not be necessary anywhere near production use.
Using an ENV does bring nothing good if this env has still to be passed on the command line, especially if you use the process via systemd or command line. Literally everyone on the system can read this.
If the env is only read from the application itself then this could make sense.
The other easy solution would be to just read a configuration file from the executable that contains user:pass or only pass if wanted. This configuration file can be restricted via system permissions easily, as it is done in many other exporters.