Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
The MongoDB regex only captures the Connection String protocol, username, password, host, and port. It does not capture the defaultauthdb or ?options, which could lead to valid secrets failing verification.
trufflehog/pkg/detectors/mongodb/mongodb.go
Line 24 in f6aaa49
For example, the Cosmos DB connection string shown in #1511 only partially matches.
https://regex101.com/r/2tl5VU/1
Problem to be Addressed
Improve false-negative detections of MongoDB connection strings.
Description of the Preferred Solution
The preferred solution would be to improve the regex to capture valid Connection Strings,
https://www.mongodb.com/docs/manual/reference/connection-string/
Additional Context
I've created an example regex that matches options. Disclaimer: It's a POC and not well-tested.
https://regex101.com/r/2tl5VU/7
References
N/A
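The false negative described in this issue, shown in Go as an added example that is not TruffleHog's code or the issue author's regex. Both patterns (`narrow`, `wide`), the helper names and the sample connection string are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical narrow pattern: protocol, username, password, host and port only,
// i.e. the capture scope the issue describes (not the detector's actual regex).
var narrow = regexp.MustCompile(`mongodb(?:\+srv)?://[^:/?#\s]+:[^@/?#\s]+@[^:/?#\s]+(?::\d+)?`)

// Hypothetical wider pattern: additionally accepts /defaultauthdb and ?options.
var wide = regexp.MustCompile(`mongodb(?:\+srv)?://[^:/?#\s]+:[^@/?#\s]+@[^:/?#\s]+(?::\d+)?(?:/[^/?#\s]*)?(?:\?[^#\s"']*)?`)

// Constructed sample line; host and credentials are placeholders.
const sample = `MONGO_URI="mongodb://appuser:s3cretPW@db.example.invalid:10255/admin?ssl=true&replicaSet=globaldb"`

// Extract returns the first connection string the pattern finds in text.
func Extract(re *regexp.Regexp, text string) string {
	return re.FindString(text)
}

// LostParts reports the defaultauthdb and options that only the wide
// pattern keeps; a verifier dialing the narrow match never sees them.
func LostParts(text string) (string, url.Values, error) {
	u, err := url.Parse(wide.FindString(text))
	if err != nil {
		return "", nil, err
	}
	return strings.TrimPrefix(u.Path, "/"), u.Query(), nil
}

func main() {
	fmt.Println("narrow:", Extract(narrow, sample))
	fmt.Println("wide:  ", Extract(wide, sample))
	db, opts, err := LostParts(sample)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// A server that requires TLS or a specific auth database rejects the
	// truncated URI, so a live credential is reported as unverified.
	fmt.Printf("dropped by narrow: authdb=%q options=%v\n", db, opts)
}
```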