3

From the docs, a basic mongoose connection string is mongoose.connect('mongodb://username:password@host:port/database?options...');.

The problem is that the username:password are stored in plain text in the source code. The attack vector we are worried about is if someone was to get access to our source code they also have access to the database.

What are some strategies to avoid this vulnerability?

  1. I could encrypt the password and then decrypt the password prior to connecting, but then again if someone gets access to our source code they would also have access to our decryptor, since the decryptor is required prior to connection.

If someone was to gain root access to a server I believe we are up a creek no matter what, but is there a way to make it so that someone can't just get access to our source code and then compromise our DBs?

Improve this question

2 Answers 2

Reset to default
4

You are right in thinking that if someone gets access to the server itself it doesn't matter, so the data can be exposed in plain text on the server, but encrypting it wouldn't hurt (for example if you're looking at the file that has it).

There are two strategies for dealing with this:

  1. Pass the password or other sensitive data in as part of the environment a-la Heroku
  2. Include a configuration file that is not version controlled that contains sensitive data (encrypted or otherwise).

For example if you were hosting on Heroku your config might look like:

{
    "development": {
        "db": "mongodb://localhost/app_devel"
    },
    "production": {
        "db": process.env.MONGOLAB_URI
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Great answer, and if not hosting on Heroku, accessing that environment variable in the code is a matter of mongoose.connect(process.env.MONGO_URI);.
2

The end solution we ended up going with was to store the passwords encrypted in a configuration file committed to our VCS.

In order to decrypt the password we created a simple little binary with golang (< 100 LoC) which authenticates some physical properties of the machine (the mac address + others) and will run the decryption. This is executed via child_process.exec. The source code for the encryption/decryption binary is stored in a privileged part of our system which only a few employees have access to.

The end result of this is that if someone was to get our application source code, including the compiled encryption/decryption binary, it would do them no good because the password is encrypted AND the binary won't work unless it's running on a machine we've authenticated.

The flaws in the system are that if someone gets root access to an authenticated machine, they'll be able to escalate to the DB. Also, if someone gets the source code for the encryption binary, they could learn the decryption scheme. For our purposes we have deemed these possible points of entry acceptable.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.