
[Improvement] Errors from connection::parse contain full/partial url in plain text that might contain sensitive data (user, pass) #1592

@gheorghitamutu


Hello,

Looking at https://github.com/mongodb/mongo-rust-driver/blob/main/driver/src/client/options.rs#L309 I see that here (and in some other places) at least part of the URL is used as the message argument.

While this is straightforward, I think it might become an issue in production environments if a URL is invalid (not encoded properly or at all, for example), logging secrets/logins/passwords/accounts.

The error can always be handled by the developer (and avoid logging the URL), but I was wondering if a better choice would be not to embed the URL at all in the error message.

Thank you!
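One way a caller or a parser could keep credentials out of such messages, as an added example that is not part of the issue or of the driver's code: the helper names `redact_connection_string` and `invalid_uri_error`, the `ParseError` type, and the sample URIs are all constructed for illustration. It covers the case raised above, where a badly encoded password contains `@` or `/` and a naive split would leave part of the secret in the "host" portion.

```rust
/// Hypothetical helper (not part of the mongodb crate): returns a copy of a
/// connection string that is safe to place in an error message or log line.
fn redact_connection_string(uri: &str) -> String {
    const MASK: &str = "<redacted>";
    match uri.split_once("://") {
        // No scheme separator: we cannot tell where credentials might sit,
        // so nothing from the input is echoed back.
        None => MASK.to_string(),
        // Split at the LAST '@' of the whole remainder, not only of the
        // authority: an unencoded '@' or '/' inside the password would
        // otherwise survive. Over-redacting is the safe failure mode.
        Some((scheme, rest)) => match rest.rsplit_once('@') {
            Some((_userinfo, after)) => format!("{}://{}@{}", scheme, MASK, after),
            None => format!("{}://{}", scheme, rest),
        },
    }
}

/// Constructed stand-in for a parser's error type.
#[derive(Debug)]
struct ParseError {
    message: String,
}

/// Builds the error from the redacted form only, so the raw URI never
/// reaches whatever logs or displays the error later.
fn invalid_uri_error(uri: &str, reason: &str) -> ParseError {
    ParseError {
        message: format!(
            "invalid connection string \"{}\": {}",
            redact_connection_string(uri),
            reason
        ),
    }
}

fn main() {
    // Constructed sample inputs; the second has an unencoded password.
    let samples = [
        "mongodb://app:s3cret@db.example.net:27017/admin",
        "mongodb+srv://app:p@ss/w:rd@cluster0.example.net/?retryWrites=true",
        "app:s3cret@db.example.net",
    ];
    for uri in samples {
        println!("{}", invalid_uri_error(uri, "could not be parsed").message);
    }
}
```
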

Labels

tracked-in-jira: Ticket filed in Mongo's Jira system
