Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SNOW-690680: Support SecretStr/SecretBytes or equivalent to avoid password/private key being exposed in failed test #1323

Open
tekumara opened this issue Nov 8, 2022 · 1 comment
Open

SNOW-690680: Support SecretStr/SecretBytes or equivalent to avoid password/private key being exposed in failed test #1323

tekumara opened this issue Nov 8, 2022 · 1 comment
Labels
feature triaged

Comments

@tekumara
Copy link
Contributor

tekumara commented Nov 8, 2022
edited
Loading

What is the current behavior?

By default pytest will log function parameter values in stack traces.

So when failing to connect to snowflake (eg: due to a timeout, network error etc.) the password is exposed in plain text.

eg:

self = <snowflake.connector.network.SnowflakeRestful object at 0x155972a90>, session = <snowflake.connector.vendored.requests.sessions.Session object at 0x155972df0>
method = 'post'
full_url = 'https://foobar.ap-southeast-2.snowflakecomputing.com:443/session/v1/login-request?request_id=e041f9de-8e53-488e-b752-...e=PROD_JAFFLES&warehouse=PROD_JAFFLES_WH&roleName=PROD_JAFFLES_ADMIN&request_guid=dbb732e6-f52a-4d67-8a6c-ca914cc4fe4f'
headers = {'Content-Encoding': 'gzip', 'Content-Type': 'application/json', 'User-Agent': 'PythonConnector/2.8.1 (macOS-12.6-arm64-arm-64bit) CPython/3.9.13', 'accept': 'application/snowflake'}
data = '{"data": {"CLIENT_APP_ID": "PythonConnector", "CLIENT_APP_VERSION": "2.8.1", "SVN_REVISION": null, "ACCOUNT_NAME": "f...EOUT": 120, "NETWORK_TIMEOUT": null}, "PASSWORD": "TOPSECERET", "SESSION_PARAMETERS": {"CLIENT_PREFETCH_THREADS": 4}}}'
retry_ctx = <snowflake.connector.network.SnowflakeRestful.fetch.<locals>.RetryCtx object at 0x155972fa0>, no_retry = False, token = None, kwargs = {'socket_timeout': 120}

What is the desired behavior?

Password can be provided as SecretStr, and private key can be provided as SecretBytes (or equivalent). This will ensure their value is obfuscated when printed in a stack trace.

How would this improve snowflake-connector-python?

Make it more secure.

References, Other Background

This feature request is triggered by a recent security incident in which our account admin password was leaked into our CI logs 😬
@github-actions github-actions bot changed the title Support SecretStr/SecretBytes or equivalent to avoid password/private key being exposed in failed test SNOW-690680: Support SecretStr/SecretBytes or equivalent to avoid password/private key being exposed in failed test Nov 8, 2022
@mark-oppenheim
Copy link

The solution proposed here looks incorrect - pytest does not use pydantic for logging. A simple solution to the issue is to configure pytest to use short stack traces (which disables the parameter dumps) for any server based runs (--tb=short)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tekumara @mark-oppenheim @sfc-gh-mkeller @sfc-gh-yixie