Go Hardcoded Mongodb Password
Description
This detector identifies hardcoded passwords in MongoDB connection configurations in Go applications. It specifically targets two MongoDB driver methods where credentials are commonly hardcoded: ApplyURI() calls with connection strings containing embedded credentials, and SetAuth() calls with literal password values, both of which pose security risks by exposing sensitive authentication data in source code.
Detection Strategy
• The Go MongoDB driver library (go.mongodb.org/mongo-driver) must be imported in the codebase
• For ApplyURI() method calls: The detector finds function calls ending with '.ApplyURI' and examines their first argument for sprintf-style connection strings that contain embedded credentials
• For SetAuth() method calls: The detector finds function calls ending with '.SetAuth' and checks if the password parameter contains a hardcoded string value rather than a variable or secure credential source
• A vulnerability is reported when either pattern is detected, indicating that MongoDB authentication credentials are hardcoded directly in the source code
Vulnerable code example
package main
import (
	"context"
	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)
...
✅ Secure code example
package main
import (
	"context"
	"os"
	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)
...
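The examples above are truncated, so the following added example (not code from the Fluid Attacks page or from the MongoDB driver project) shows both halves of the detection strategy in working form: a small go/ast scanner that flags ApplyURI() calls whose string-literal argument embeds a password and SetAuth() calls whose options.Credential literal sets Password to a string literal, run over two constructed source snippets (one vulnerable, one reading credentials from the environment), plus a BuildURIFromEnv helper showing the secure alternative. It only uses the Go standard library, so it does not import the driver itself; the scanner is a simplification of the detector (it checks direct string literals, not Sprintf-built strings), and the snippet contents, Finding type and function names are assumptions.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"net/url"
	"strconv"
)

// Finding records one hardcoded-credential hit in the scanned source.
type Finding struct {
	Line   int
	Method string // "ApplyURI" or "SetAuth"
}

// uriHasCredentials reports whether a MongoDB connection string carries a
// user:password pair in its authority section (a user name alone is not flagged).
func uriHasCredentials(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return false
	}
	_, hasPassword := u.User.Password()
	return hasPassword
}

// passwordIsLiteral reports whether an options.Credential{...} literal sets
// its Password field from a string literal rather than an expression.
func passwordIsLiteral(cred *ast.CompositeLit) bool {
	for _, e := range cred.Elts {
		kv, ok := e.(*ast.KeyValueExpr)
		if !ok {
			continue
		}
		if key, ok := kv.Key.(*ast.Ident); !ok || key.Name != "Password" {
			continue
		}
		lit, ok := kv.Value.(*ast.BasicLit)
		return ok && lit.Kind == token.STRING
	}
	return false
}

// ScanSource parses Go source text and returns, in source order, every
// ApplyURI() call with a credential-bearing string literal and every
// SetAuth() call whose Credential literal hardcodes the password.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		line := fset.Position(call.Pos()).Line
		switch sel.Sel.Name {
		case "ApplyURI":
			if lit, ok := call.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
				if s, err := strconv.Unquote(lit.Value); err == nil && uriHasCredentials(s) {
					findings = append(findings, Finding{line, "ApplyURI"})
				}
			}
		case "SetAuth":
			if cred, ok := call.Args[0].(*ast.CompositeLit); ok && passwordIsLiteral(cred) {
				findings = append(findings, Finding{line, "SetAuth"})
			}
		}
		return true
	})
	return findings, nil
}

// BuildURIFromEnv assembles the connection string at run time from environment
// variables (getenv is injected so the function is testable without touching
// the real environment); url.UserPassword escapes characters such as '@'.
func BuildURIFromEnv(getenv func(string) string) (string, error) {
	user, pass, host := getenv("MONGO_USER"), getenv("MONGO_PASSWORD"), getenv("MONGO_HOST")
	if user == "" || pass == "" || host == "" {
		return "", fmt.Errorf("MONGO_USER, MONGO_PASSWORD and MONGO_HOST must be set")
	}
	u := &url.URL{Scheme: "mongodb", User: url.UserPassword(user, pass), Host: host}
	return u.String(), nil
}

// Constructed sample: both hardcoded-credential patterns the detector targets.
const vulnerableSrc = `package main

import (
	"context"
	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)

func connect() {
	c1, _ := mongo.Connect(context.TODO(), options.Client().ApplyURI("mongodb://appuser:s3cret@localhost:27017"))
	c2, _ := mongo.Connect(context.TODO(), options.Client().SetAuth(options.Credential{
		Username: "appuser",
		Password: "s3cret",
	}))
	_, _ = c1, c2
}
`

// Constructed sample: the same calls with credentials sourced from the environment.
const secureSrc = `package main

import (
	"context"
	"os"
	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)

func connect() {
	c1, _ := mongo.Connect(context.TODO(), options.Client().ApplyURI(os.Getenv("MONGO_URI")))
	c2, _ := mongo.Connect(context.TODO(), options.Client().SetAuth(options.Credential{
		Username: os.Getenv("MONGO_USER"),
		Password: os.Getenv("MONGO_PASSWORD"),
	}))
	_, _ = c1, c2
}
`

func main() {
	for name, src := range map[string]string{"vulnerable": vulnerableSrc, "secure": secureSrc} {
		findings, err := ScanSource(src)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(findings), findings)
	}
}
```

Running it reports two findings for the vulnerable snippet (ApplyURI, then SetAuth) and none for the secure one. Because the scanner looks only at string literals, a password passed through a variable that was itself assigned from a literal elsewhere in the file would slip past it; a production detector would need data-flow tracking for that case.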