Description
Please answer these questions before submitting your issue. Thanks!
- What version of Python are you using?
Python 3.10.9 (main, Jan 4 2023, 13:09:43) [Clang 14.0.0 (clang-1400.0.29.202)]
- What operating system and processor architecture are you using?
macOS-13.1-x86_64-i386-64bit
- What are the component versions in the environment (pip freeze)?
Snowflake connector from the main branch, v3.0.1 (a dockerized env with dir bindings).
- What did you do?
We observed the JWT tokens leaked to the logs when the authentication is already performed but there are connectivity issues or Snowflake responds with some partial responses (also perhaps networking issues).
This only happens for connections with keypair authentication, not with the password authentication.
The logs look like:
[PID:33][ERROR][snowflake.connector.network] Failed to get the response. Hanging? method: post, url: https://REDACTED.snowflakecomputing.com:443/session/v1/login-request?request_id=a4a1e4a8-7b13-4414-a6f4-86b762e8e5cd&databaseName=REDACTED&schemaName=REDACTED&warehouse=REDACTED&roleName=REDACTED&request_guid=95d4529a-afee-49b7-b686-3682ff5e4425, headers:{'Content-Type': 'application/json', 'accept': 'application/snowflake', 'User-Agent': 'PythonConnector/3.0.1 (Linux-5.15.49-linuxkit-x86_64-with-glibc2.31) CPython/3.10.9', 'Content-Encoding': 'gzip'}, data: {"data": {"CLIENT_APP_ID": "PythonConnector", "CLIENT_APP_VERSION": "3.0.1", "SVN_REVISION": null, "ACCOUNT_NAME": "REDACTED", "LOGIN_NAME": "REDACTED", "CLIENT_ENVIRONMENT": {"APPLICATION": "REDACTED", "OS": "Linux", "OS_VERSION": "Linux-5.15.49-linuxkit-x86_64-with-glibc2.31", "PYTHON_VERSION": "3.10.9", "PYTHON_RUNTIME": "CPython", "PYTHON_COMPILER": "GCC 10.2.1 20210110", "OCSP_MODE": "FAIL_OPEN", "TRACING": 40, "LOGIN_TIMEOUT": 120, "NETWORK_TIMEOUT": null}, "AUTHENTICATOR": "SNOWFLAKE_JWT", "TOKEN": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpcREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTED…………………………J5449zqA", "SESSION_PARAMETERS": {"CLIENT_PREFETCH_THREADS": 4}}}
When there are no networking issues, the token is not leaked, so it is sporadic, not artificially reproducible.
If you want to reproduce the leak, comment out the lines in SnowflakeRestful._request_exec_wrapper():
    # if return_object is not None:
    #     return return_object
    self._handle_unknown_error(method, full_url, headers, data, conn)
- What did you expect to see?
No secret credentials leaked.
Even if the JWT token is valid for 1 minute, this might be enough for a hacker to parse it from the logs (or log services) and reuse it to access the data, potentially to modify the user's credentials.
A PR is coming in a few minutes.
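One defensive measure for the failure mode described above, as an added example that is not part of the issue or the connector's code: a logging.Filter that masks JWT-shaped strings and "TOKEN" fields before any handler writes the record, so a request body dumped by an error path such as _handle_unknown_error cannot carry the credential into the logs. The logger name, URL and token value below are constructed for the demo.

```python
import io
import json
import logging
import re

# A JWT is three base64url segments joined by dots; the header segment starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# A "TOKEN": "<value>" pair inside a JSON request body that ended up in a log line.
TOKEN_FIELD_RE = re.compile(r'("TOKEN"\s*:\s*")[^"]*(")')
MASK = "<REDACTED>"


def redact(text: str) -> str:
    """Mask TOKEN fields first, then any remaining JWT-shaped substrings."""
    text = TOKEN_FIELD_RE.sub(r"\1" + MASK + r"\2", text)
    return JWT_RE.sub(MASK, text)


class SecretRedactingFilter(logging.Filter):
    """Rewrites the interpolated message so every handler downstream sees the masked text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevent a second % formatting pass
        return True


def build_logger(stream) -> logging.Logger:
    # Constructed logger name for the demo; a real deployment would attach the filter
    # to the handlers of "snowflake.connector.network".
    logger = logging.getLogger("demo.redacted.network")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    return logger


def demo() -> str:
    """Emit a message shaped like the one in the issue and return what reached the stream."""
    buf = io.StringIO()
    logger = build_logger(buf)
    body = json.dumps({"data": {"AUTHENTICATOR": "SNOWFLAKE_JWT",  # constructed sample token below
                                "TOKEN": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0ZXN0In0.c2lnbmF0dXJl"}})
    logger.error("Failed to get the response. Hanging? method: %s, url: %s, headers:%s, data: %s",
                 "post", "https://example.snowflakecomputing.com/session/v1/login-request",
                 {"Content-Type": "application/json"}, body)
    return buf.getvalue()
```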