SNOW-1472918: ADO.NET Driver Security Disclosure Issue #970

Closed
sfc-gh-swaswani opened this issue Jun 11, 2024 · 1 comment
Labels
invalid status-triage_done Initial triage done, will be further handled by the driver team

Comments

@sfc-gh-swaswani

Version of .NET driver - Latest one : 3.1.0

The ConnectionString property in the .NET Connector returns the connection string without obfuscation, which can expose sensitive information.
The customer proposes that sensitive information within the connection string be internally encrypted to enhance security, making it harder to discover through memory inspection or dumps.

C# example:

```csharp
using System;
using Snowflake.Data.Client;

namespace ConsoleApp2
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Secrets are passed in through the connection string...
            var con = new SnowflakeDbConnection("ACCOUNT=myAccount;PASSWORD=MyPasswordMustBeSecure;PRIVATE_KEY_PWD=PriveKeypasswordMustBeSecure;TOKEN=MustSecureAlso;PROXYPASSWORD=ProxyPasswordMustBeSecure");
            // ...and the ConnectionString getter hands them back unchanged.
            Console.WriteLine($"GET BACK connection string : {con.ConnectionString}");
        }
    }
}
```

Output:

```
GET BACK connection string : ACCOUNT=myAccount;PASSWORD=MyPasswordMustBeSecure;PRIVATE_KEY_PWD=PriveKeypasswordMustBeSecure;TOKEN=MustSecureAlso;PROXYPASSWORD=ProxyPasswordMustBeSecure
```

You can see that ConnectionString returns the string (the get member) without any obfuscation treatment.
https://github.com/snowflakedb/snowflake-connector-net/blob/master/Snowflake.Data/Client/SnowflakeDbConnection.cs#L62-L66
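
Added example, not part of the original issue or of the Snowflake driver's code: a C# helper that masks the secret-bearing keys named in the issue before a connection string is written to a log or console. `ConnectionStringRedactor`, `Redact` and the `***` mask are hypothetical names chosen here; the helper covers disclosure through program output only, not the memory-inspection concern raised in the issue.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

internal static class ConnectionStringRedactor
{
    // Secret-bearing keys taken from the issue's example; extend as needed.
    private static readonly HashSet<string> SensitiveKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "PASSWORD", "PRIVATE_KEY_PWD", "TOKEN", "PROXYPASSWORD"
        };

    public static string Redact(string connectionString)
    {
        var builder = new DbConnectionStringBuilder();
        try
        {
            // Let the framework parser handle quoting and embedded ';' or '='.
            builder.ConnectionString = connectionString;
        }
        catch (ArgumentException)
        {
            // Fail closed: never echo a string that could not be parsed.
            return "<connection string withheld: parse error>";
        }

        // Copy the keys first so the builder is not modified while enumerated.
        var keys = new List<string>();
        foreach (string key in builder.Keys) keys.Add(key);

        foreach (string key in keys)
        {
            if (SensitiveKeys.Contains(key)) builder[key] = "***";
        }
        return builder.ConnectionString;
    }
}

internal static class Program
{
    private static void Main()
    {
        // Constructed sample input, same shape as the string in the issue.
        const string sample =
            "ACCOUNT=myAccount;PASSWORD=MyPasswordMustBeSecure;TOKEN=MustSecureAlso";
        Console.WriteLine(ConnectionStringRedactor.Redact(sample));
    }
}
```

Key matching is case-insensitive, so the mask applies however the builder normalizes key names when it re-serializes the string.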

github-actions bot changed the title from "ADO.NET Driver Security Disclosure Issue" to "SNOW-1472918: ADO.NET Driver Security Disclosure Issue" on Jun 11, 2024
sfc-gh-dszmolka self-assigned this on Jun 11, 2024
sfc-gh-dszmolka added the labels invalid and status-triage_done (Initial triage done, will be further handled by the driver team) on Jun 11, 2024
sfc-gh-dszmolka (Contributor) commented Jun 11, 2024

invalid issue, handling this improvement request further internally
