no-hardcoded-connection-string
Detects hardcoded MongoDB connection strings containing credentials in source code.
Keywords: CWE-798, hardcoded credentials, MongoDB, connection string, secrets, security
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-798 (Hardcoded Credentials) |
| OWASP | A07:2021 - Identification/Auth Failures |
| Severity | High (CVSS: 7.5) |
| Category | Security |
| ESLint MCP | ✅ Optimized for AI assistant integration |
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
```text
🔒 CWE-798 OWASP:A04 CVSS:9.8 | Hardcoded Credentials detected | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A04_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-798 OWASP:A04 CVSS:9.8 |
| Issue Description | Specific vulnerability | Hardcoded Credentials detected |
| Severity & Compliance | Impact assessment | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
MongoDB connection strings often contain credentials in the format:

```text
mongodb://username:password@host:port/database
```

Hardcoding these in source code risks credential exposure through:
- Source control (GitHub, GitLab, Bitbucket)
- Client-side bundles
- Log files and error messages
- Code sharing/review
❌ Incorrect

```js
// Hardcoded connection string with credentials
const uri = 'mongodb://admin:secret123@localhost:27017/mydb';
mongoose.connect(uri);
```

```js
// Even without explicit credentials - may default to weak auth
const uri = 'mongodb://localhost:27017/mydb';
```

```js
// MongoDB+SRV format with credentials
const uri = 'mongodb+srv://admin:p@ssword@cluster.mongodb.net/db';
```

✅ Correct

```js
// Use environment variables
const uri = process.env.MONGODB_URI;
mongoose.connect(uri);
```

```js
// Use config module
import { config } from './config';
mongoose.connect(config.database.uri);
```

```js
// Use secret manager
const uri = await secretManager.getSecret('mongodb-uri');
mongoose.connect(uri);
```

Known False Positives
Test Connection Strings

```js
// FP: Intentional in test files
const testUri = 'mongodb://test:test@localhost:27017/testdb';
```

Workaround: Use the `allowInTests: true` option.
Documentation/Comments

```js
// FP: Example in comment
// Connect using: mongodb://user:pass@host/db
```

Workaround: The rule should not flag strings inside comments (not yet implemented).
Known False Negatives
Template Literal with Partial Credentials

```js
// ❌ NOT DETECTED - credentials assembled at runtime
const uri = `mongodb://${process.env.USER}:hardcoded123@localhost/db`;
```

Configuration Object

```js
// ❌ NOT DETECTED - credentials in separate options
mongoose.connect('mongodb://localhost/db', {
  user: 'admin',
  pass: 'hardcoded', // This should be flagged by no-hardcoded-credentials
});
```

When Not To Use It
- In local development with truly local-only databases
- In test files connecting to test containers
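As an added example (not the plugin's own implementation; all function names are assumed), a standalone JavaScript detector for the patterns described under Rule Details and Known False Negatives: it parses `mongodb://` and `mongodb+srv://` URIs, treats everything before the last `@` of the authority as credentials (so the unescaped `@` in `p@ssword` is handled), masks the password for safe logging, and also inspects a template literal's static chunks so that the partially hardcoded password from the template-literal false negative is caught.

```javascript
// Added example, not the eslint-plugin rule's own code. Names are assumed.
const MONGO_SCHEME = /^mongodb(\+srv)?:\/\//i;

// Split a MongoDB URI into its credential and host parts. The authority
// ends at the first "/" or "?" after the scheme; everything before the
// *last* "@" in it is userinfo, so an unescaped "@" inside the password
// (as in p@ssword) still lands in the credentials, not the host.
function parseMongoUri(uri) {
  const m = MONGO_SCHEME.exec(uri);
  if (m === null) return null;                       // not a MongoDB URI
  const afterScheme = uri.slice(m[0].length);
  const end = afterScheme.search(/[\/?]/);
  const authority = end === -1 ? afterScheme : afterScheme.slice(0, end);
  const at = authority.lastIndexOf('@');
  const srv = m[1] !== undefined;
  if (at === -1) return { srv, user: null, password: null, host: authority };
  const userinfo = authority.slice(0, at);
  const colon = userinfo.indexOf(':');
  return {
    srv,
    user: colon === -1 ? userinfo : userinfo.slice(0, colon),
    password: colon === -1 ? null : userinfo.slice(colon + 1),
    host: authority.slice(at + 1),
  };
}

// True when a string literal is a MongoDB URI with a non-empty password,
// the case the rule reports. A user name without a password is not flagged.
function hasHardcodedCredentials(literal) {
  const p = parseMongoUri(literal);
  return p !== null && p.password !== null && p.password.length > 0;
}

// Mask the password so the URI can appear in logs or error messages
// without exposing the secret (one of the leak paths listed above).
function redactMongoUri(uri) {
  const p = parseMongoUri(uri);
  if (p === null || !p.password) return uri;
  return uri.replace(`:${p.password}@`, ':***@');
}

// ESLint hands a template literal's static chunks (the cooked "quasis")
// to a rule separately from its ${...} expressions. A chunk that starts
// with ":" and reaches an "@" is a literal password wedged between an
// interpolated user and the host, which the string-literal check misses.
function templateHasHardcodedPassword(quasis) {
  return MONGO_SCHEME.test(quasis[0]) &&
    quasis.slice(1).some((chunk) => /^:[^@\/]+@/.test(chunk));
}
```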
Related Rules
- no-hardcoded-credentials - Detects hardcoded usernames/passwords