From 82b5e7c6778445ff2edbe4389b040752eb693186 Mon Sep 17 00:00:00 2001
From: dfgvaetyj3456356-hash <185460949+dfgvaetyj3456356-hash@users.noreply.github.com>
Date: Sun, 31 May 2026 04:13:54 -0500
Subject: [PATCH] fix: redact TLS keyfile password in client repr
Signed-off-by: dfgvaetyj3456356-hash <185460949+dfgvaetyj3456356-hash@users.noreply.github.com>
---
 pymongo/asynchronous/mongo_client.py | 2 ++
 pymongo/synchronous/mongo_client.py | 2 ++
 test/asynchronous/test_client.py | 10 ++++++++++
 test/test_client.py | 10 ++++++++++
 4 files changed, 24 insertions(+)
diff --git a/pymongo/asynchronous/mongo_client.py b/pymongo/asynchronous/mongo_client.py
index 412a13ec70..feae92eb9d 100644
--- a/pymongo/asynchronous/mongo_client.py
+++ b/pymongo/asynchronous/mongo_client.py
@@ -1307,6 +1307,8 @@ def option_repr(option: str, value: Any) -> str:
 return "document_class=dict"
 else:
 return f"document_class={value.__module__}.{value.__name__}"
+ if option in {"tlscertificatekeyfilepassword"}:
+ return f"{option}=''"
 if option in common.TIMEOUT_OPTIONS and value is not None:
 return f"{option}={int(value * 1000)}"
diff --git a/pymongo/synchronous/mongo_client.py b/pymongo/synchronous/mongo_client.py
index 2bd6f31b72..7d5efe7c21 100644
--- a/pymongo/synchronous/mongo_client.py
+++ b/pymongo/synchronous/mongo_client.py
@@ -1307,6 +1307,8 @@ def option_repr(option: str, value: Any) -> str:
 return "document_class=dict"
 else:
 return f"document_class={value.__module__}.{value.__name__}"
+ if option in {"tlscertificatekeyfilepassword"}:
+ return f"{option}=''"
 if option in common.TIMEOUT_OPTIONS and value is not None:
 return f"{option}={int(value * 1000)}"
diff --git a/test/asynchronous/test_client.py b/test/asynchronous/test_client.py
index dea1161afa..ab20dac097 100644
--- a/test/asynchronous/test_client.py
+++ b/test/asynchronous/test_client.py
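Review bot: The added branch in `option_repr` never looks at `value`, so a `None` or unset passphrase prints exactly like a redacted one, and `''` reads as "the passphrase is empty" to someone diagnosing a TLS failure from a logged repr. A distinct marker emitted only when a value is present keeps the secret out of the output without misreporting state, for example `if option == "tlscertificatekeyfilepassword" and value is not None:` followed by `return f"{option}='<redacted>'"`; the tests in this patch assert on `=''` and would need the same change. The one-element set literal suggests a list that is expected to grow; if so, a named module-level set of secret-bearing option names is easier to audit than a literal inside the nested helper, and other options that can carry credentials (for example `authMechanismProperties`) may be worth checking against it, which this hunk does not show. The same two lines are added in `pymongo/synchronous/mongo_client.py`, and `option_repr` starts and ends outside both hunks.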
@@ -168,6 +168,16 @@ async def test_keyword_arg_defaults(self):
 self.assertEqual(ReadPreference.PRIMARY, client.read_preference)
 self.assertAlmostEqual(12, client.options.server_selection_timeout)
+ def test_repr_redacts_tls_certificate_keyfile_password(self):
+ client = AsyncMongoClient(
+ "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFilePassword=passphrase",
+ connect=False,
+ )
+ the_repr = repr(client)
+
+ self.assertIn("tlscertificatekeyfilepassword=''", the_repr)
+ self.assertNotIn("passphrase", the_repr)
+
 async def test_connect_timeout(self):
 client = self.simple_client(connect=False, connectTimeoutMS=None, socketTimeoutMS=None)
 pool_opts = client.options.pool_options
diff --git a/test/test_client.py b/test/test_client.py
index d2d93c6ba2..4d548d1d65 100644
--- a/test/test_client.py
+++ b/test/test_client.py
@@ -165,6 +165,16 @@ def test_keyword_arg_defaults(self):
 self.assertEqual(ReadPreference.PRIMARY, client.read_preference)
 self.assertAlmostEqual(12, client.options.server_selection_timeout)
+ def test_repr_redacts_tls_certificate_keyfile_password(self):
+ client = MongoClient(
+ "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFilePassword=passphrase",
+ connect=False,
+ )
+ the_repr = repr(client)
+
+ self.assertIn("tlscertificatekeyfilepassword=''", the_repr)
+ self.assertNotIn("passphrase", the_repr)
+
 def test_connect_timeout(self):
 client = self.simple_client(connect=False, connectTimeoutMS=None, socketTimeoutMS=None)
 pool_opts = client.options.pool_options
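Review bot: The new test constructs `AsyncMongoClient(...)` directly and never closes it, while `test_connect_timeout` in the trailing context obtains its client through `self.simple_client(connect=False, ...)`. If that helper registers cleanup and accepts a URI (its body is not in this hunk), building the client through it would match the file's convention and avoid leaving a client open after the test. Only the URI form of the option is exercised; a second case passing `tlsCertificateKeyFilePassword="passphrase"` as a keyword argument, with the same `assertNotIn("passphrase", the_repr)`, would pin the redaction for both ways a caller can supply the secret, since the repr may route them through different code. The same applies to the `MongoClient` test added in `test/test_client.py`.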