Skip to content

PYTHON-5928 Redact AWS session token from client repr#2803

Open
NguyenCong2k wants to merge 1 commit into
mongodb:mainfrom
NguyenCong2k:fix-redact-aws-session-token-repr
Open

PYTHON-5928 Redact AWS session token from client repr#2803
NguyenCong2k wants to merge 1 commit into
mongodb:mainfrom
NguyenCong2k:fix-redact-aws-session-token-repr

Conversation

@NguyenCong2k

@NguyenCong2k NguyenCong2k commented May 14, 2026

Copy link
Copy Markdown
Contributor

PYTHON-5928

AWS session tokens passed via authMechanismProperties (for example, AWS_SESSION_TOKEN) were rendered in plain text inside MongoClient.__repr__, leaking short-lived AWS credentials into logs and error messages. The existing username/password redaction did not cover authentication mechanism properties.

Changes in this PR

  • Add the shared helper pymongo.common.redact_auth_mechanism_properties_for_repr, which redacts every authentication mechanism property whose upper-cased name is not in the safe allowlist (ALLOWED_HOSTS, CANONICALIZE_HOST_NAME, ENVIRONMENT, SERVICE_HOST, SERVICE_NAME, SERVICE_REALM, TOKEN_RESOURCE).
  • Apply the helper to the repr path in both pymongo/asynchronous/mongo_client.py and pymongo/synchronous/mongo_client.py.
  • Add sync and async regression coverage for:
    • AWS_SESSION_TOKEN supplied through the connection URI.
    • Lower-case aws_session_token and a custom CUSTOM_API_KEY supplied through authMechanismProperties kwargs.
    • Safe TOKEN_RESOURCE values remaining visible.

The allowlist approach, rather than a single-key denylist, also prevents other custom token-, password-, secret-, or key-bearing properties from leaking through the client repr.

Test Plan

python -m pytest test/test_client.py::ClientUnitTest::test_repr_redacts_aws_session_token test/test_client.py::ClientUnitTest::test_repr_redacts_secret_auth_mechanism_properties test/asynchronous/test_client.py::AsyncClientUnitTest::test_repr_redacts_aws_session_token test/asynchronous/test_client.py::AsyncClientUnitTest::test_repr_redacts_secret_auth_mechanism_properties -q

Local result: 4 passed.

Manual verification:

from pymongo import MongoClient

client = MongoClient(
    "mongodb://AKIA:SECRET@localhost:27017/"
    "?authMechanism=MONGODB-AWS"
    "&authMechanismProperties=AWS_SESSION_TOKEN:SECRET-TOKEN",
    connect=False,
)
print(repr(client))  # 'AWS_SESSION_TOKEN': '<redacted>'

Checklist

Checklist for Author

  • Did you update the changelog (if necessary)?
  • Is there test coverage?
  • Is any followup work tracked in a JIRA ticket? PYTHON-5928

Checklist for Reviewer

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation?
  • Is all relevant documentation (README or docstring) updated?

Copilot AI review requested due to automatic review settings May 14, 2026 04:36
@NguyenCong2k NguyenCong2k requested a review from a team as a code owner May 14, 2026 04:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR addresses two security/privacy concerns: redacting the AWS session token in MongoClient __repr__ output, and ensuring the OIDC ALLOWED_HOSTS check is performed before reusing a cached authenticator.

Changes:

  • Redact AWS_SESSION_TOKEN in authMechanismProperties when generating client __repr__.
  • Move the OIDC ALLOWED_HOSTS validation in _get_authenticator to run before returning a cached authenticator.
  • Add corresponding tests in both sync and async test suites.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
pymongo/synchronous/mongo_client.py Adds redaction helper for AWS session token in _repr_helper.
pymongo/asynchronous/mongo_client.py Mirrors the sync redaction logic for async client.
pymongo/synchronous/auth_oidc.py Reorders allowed-hosts check to occur before cache reuse.
pymongo/asynchronous/auth_oidc.py Mirrors the sync OIDC change for the async path.
test/test_client.py Adds test for AWS session token redaction in repr.
test/asynchronous/test_client.py Async counterpart for repr redaction test.
test/test_auth_oidc.py Tests allowed-hosts check happens before cache reuse.
test/asynchronous/test_auth_oidc.py Async counterpart for allowed-hosts cache test.

Comment thread pymongo/synchronous/mongo_client.py Outdated
Comment on lines +1306 to +1307
for key in redacted:
if key.upper() == "AWS_SESSION_TOKEN":
Comment thread pymongo/synchronous/mongo_client.py Outdated
Comment on lines +1303 to +1310
def redact_auth_mechanism_properties(value: Any) -> Any:
if isinstance(value, dict):
redacted = value.copy()
for key in redacted:
if key.upper() == "AWS_SESSION_TOKEN":
redacted[key] = "<redacted>"
return redacted
return value
Comment on lines +70 to +71
if credentials.cache.data:
return credentials.cache.data
Comment thread test/test_auth_oidc.py
Comment on lines +133 to +134
authenticator = _get_authenticator(credentials, ("good.example.com", 27017))
self.assertIs(authenticator, credentials.cache.data)
Comment thread test/test_client.py
Comment on lines +198 to +199
"mongodb://AKIA:SECRET@localhost:27017/"
f"?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{token}",
@NguyenCong2k NguyenCong2k force-pushed the fix-redact-aws-session-token-repr branch 2 times, most recently from fd2ade2 to 24f74fd Compare May 14, 2026 17:06
@Jibola Jibola changed the title Redact AWS session token from client repr PYTHON-XXXX Redact AWS session token from client repr Jul 9, 2026
@codeowners-service-app

Copy link
Copy Markdown

Assigned aclark4life for team dbx-python because caseyclements is out of office.

@Jibola Jibola marked this pull request as draft July 9, 2026 14:05
@Jibola Jibola marked this pull request as ready for review July 9, 2026 14:05
@Jibola Jibola changed the title PYTHON-XXXX Redact AWS session token from client repr PYTHON-5928 Redact AWS session token from client repr Jul 9, 2026
@Jibola

Jibola commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Hi, thanks for your contribution. Please update your pull request to be in line with out pull request template guidelines.

@NguyenCong2k

Copy link
Copy Markdown
Contributor Author

Hi @Jibola, I've updated the PR description per the template. Ready for another look when you have a chance.

@aclark4life

Copy link
Copy Markdown
Contributor

@NguyenCong2k Thanks! I don't see this in the PR?

  • Move the OIDC ALLOWED_HOSTS check in _get_authenticator ahead of the cached-authenticator early return, so a disallowed host is rejected even when a cached authenticator exists.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Comment thread pymongo/common.py
Comment on lines +442 to +451
def redact_auth_mechanism_properties_for_repr(value: Any) -> Any:
"""Redact sensitive auth mechanism properties before including them in repr."""
if not isinstance(value, dict):
return value

redacted = value.copy()
for key in redacted:
if str(key).upper() not in _SAFE_AUTH_MECHANISM_PROPS_FOR_REPR:
redacted[key] = "<redacted>"
return redacted
@NguyenCong2k NguyenCong2k force-pushed the fix-redact-aws-session-token-repr branch from 58c7007 to ef49b60 Compare July 15, 2026 02:14
@NguyenCong2k

Copy link
Copy Markdown
Contributor Author

@aclark4life Thanks for catching this. That OIDC item was accidentally left in this PR description; the fix was implemented and merged separately in #2801 under PYTHON-5921. I've rebased this branch onto main, removed the duplicate OIDC commit, and updated #2803 to stay scoped to PYTHON-5928 (MongoClient.__repr__ redaction only).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants