RUBY-3832 Raise on invalid tls/ssl boolean URI option#3064
Merged
comandeo-mongo merged 1 commit intoJun 17, 2026
Conversation
An unrecognized value for the tls or ssl URI option (e.g. tls=yes, tls=1, tls=on) was warned about and discarded, leaving :ssl nil. The connection then fell back to a plaintext TCP socket, so a typo could silently send traffic and credentials unencrypted against a server that does not enforce TLS server-side. convert_repeated_bool now preserves an invalid value as a nil element instead of warning and dropping it, and URI#validate_uri_options! raises Mongo::Error::InvalidURI when the tls/ssl value did not parse. Scope is limited to tls and ssl, the only options that fail open to plaintext. The other TLS boolean options (tlsInsecure, tlsAllowInvalidCertificates, tlsAllowInvalidHostnames, tlsDisableOCSPEndpointCheck) keep the lenient warn-and-default behavior: they fail secure on an invalid value, and the upstream unified spec tests assert warn-not-raise for them.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens MongoDB URI parsing by refusing invalid tls/ssl boolean values (e.g., tls=yes) that previously resulted in :ssl being unset and the driver potentially connecting over plaintext. It raises Mongo::Error::InvalidURI during URI parsing instead of warning and silently downgrading.
Changes:
- Preserve invalid
tls/sslvalues asnilsentinels during repeated-boolean conversion so they can be detected later. - Add URI validation to raise
InvalidURIwhen parsedtls/sslvalues contain an invalid element (nil). - Add a shared spec (
'a strict boolean option') and apply it totlsandssl.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
lib/mongo/uri/options_mapper.rb |
Adjusts repeated-boolean parsing for tls/ssl to preserve invalid values as nil for downstream validation. |
lib/mongo/uri.rb |
Raises InvalidURI when tls/ssl contains invalid boolean values, preventing silent plaintext fallback. |
spec/mongo/uri_option_parsing_spec.rb |
Adds/uses a strict boolean shared example to assert invalid tls/ssl values raise parse errors. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jamis
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
An invalid value for the
tlsorsslURI option (a typo such astls=yes,tls=1,tls=on) was warned about and discarded, leaving:sslasnil.Address::IPv4#socketevaluatesif options[:ssl], sonilis falsy and the driver opened a plaintext TCP socket. Against a server that does not enforce TLS server-side, the application connected successfully over plaintext with only a log line — credentials and traffic exposed. (RUBY-3832)This now raises
Mongo::Error::InvalidURIinstead of silently downgrading.How
OptionsMapper#convert_repeated_bool(used only bytls/ssl) preserves an invalid value as anilelement rather than warning and dropping it.URI#validate_uri_options!raisesMongo::Error::InvalidURIwhen the parsedtls/sslvalue contains anil, alongside the existing tls/ssl conflict checks.Scope decision
Limited to
tlsandssl— the only boolean options that fail open (to plaintext). The other TLS boolean options keep the lenient warn-and-default behavior because:tlsInsecure,tlsAllowInvalidCertificates,tlsAllowInvalidHostnames,tlsDisableOCSPEndpointCheckinvalid →nil→ secure default, verification stays on).uri-options/tests/tls-options.yml) explicitly assertvalid: true, warning: truefor invalidtlsAllowInvalidCertificates/tlsAllowInvalidHostnames/tlsInsecure. Raising for those would diverge from the spec tests. There is no upstream fixture for invalidtls/ssl, so raising there is spec-safe.Python and Go also raise on invalid
tls/ssl; pymongo achieves the spec-test warnings via a separatewarn=Truemode, which the Ruby driver does not have.Breaking change
Applications currently passing invalid TLS boolean values (
tls=yes, etc.) connect over plaintext today while believing they have TLS. They will now fail fast at URI parse time. This surfaces a pre-existing misconfiguration; it does not introduce a new failure mode.Files changed
lib/mongo/uri/options_mapper.rb—convert_repeated_boolpreserves invalid value asnillib/mongo/uri.rb—validate_uri_options!raises on invalidtls/sslspec/mongo/uri_option_parsing_spec.rb— new'a strict boolean option'shared example coveringtls/sslTest plan
bundle exec rspec spec/mongo/uri_option_parsing_spec.rb spec/mongo/uri_spec.rb spec/spec_tests/uri_options_spec.rb— 730 examples, 0 failures (inverse_bool warn fixtures still pass)bundle exec rspec spec/integration/ssl_uri_options_spec.rb— passesbundle exec rubocopon changed files — no offensestls=yesraisesInvalidURI;tls=true/falseand absent parse as before;tlsInsecure=foostill warns + secure defaultRUBY-3832