MongoDB Connection String

Bridgecrew Policy ID: BC_GIT_77
Severity: LOW

MongoDB Connection String


MongoDB is a document-oriented database program. This policy detects MongoDB credentials in the form of URI connection strings.


var mongo_uri = "mongodb+srv://testuser:[email protected]/test?retryWrites=true&w=majority"

Fix - Buildtime


Revoking a MongoDB connection string means invalidating or disabling the credentials used to connect to a MongoDB instance. This can be done in several ways depending on the method used to authenticate and the specific setup of your MongoDB environment.

If you're using MongoDB's built-in authentication mechanism, you can revoke a connection string by revoking the user's privileges. This can be done using the following steps:

  1. Connect to the MongoDB instance using a user account with administrative privileges.
  2. Use the db.revokeRolesFromUser() command to remove the user's roles. For example, if the user's name is myUser and they have the readWrite role on the myDatabase database, you would run the following command:
db.revokeRolesFromUser("myUser", [{role: "readWrite", db: "myDatabase"}])
  1. Alternatively, you can also use the db.dropUser() command to completely delete the user account.

If you're using an external authentication mechanism, such as LDAP or Kerberos, you'll need to consult the documentation for that mechanism to find out how to revoke credentials.

It's worth noting that revoking a connection string is only effective for future connections. Any existing connections will remain valid until they are closed or expire. If you need to immediately terminate all active connections, you can restart the MongoDB instance or use the db.killOp() command to kill specific operations.