snowflakedb / snowflake-connector-net

Snowflake Connector for .NET
Apache License 2.0

SNOW-1472918: ADO.NET Driver Security Disclosure Issue #970

Closed sfc-gh-swaswani closed 3 months ago

sfc-gh-swaswani commented 3 months ago

Version of .NET driver - Latest one : 3.1.0

The ConnectionString property in the .NET Connector returns the connection string without obfuscation, which can expose sensitive information. The customer proposes that sensitive information within the connection string be internally encrypted to enhance security, making it harder to discover through memory inspection or dumps.

C# example:

using System;
using Snowflake.Data.Client;

namespace ConsoleApp2
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Build a connection from a string that carries several secrets.
            var con = new SnowflakeDbConnection("ACCOUNT=myAccount;PASSWORD=MyPasswordMustBeSecure;PRIVATE_KEY_PWD=PriveKeypasswordMustBeSecure;TOKEN=MustSecureAlso;PROXYPASSWORD=ProxyPasswordMustBeSecure");
            // Read the string back through the ConnectionString getter.
            Console.WriteLine($"GET BACK connection string : {con.ConnectionString}");
        }
    }
}

Output:
GET BACK connection string : ACCOUNT=myAccount;PASSWORD=MyPasswordMustBeSecure;PRIVATE_KEY_PWD=PriveKeypasswordMustBeSecure;TOKEN=MustSecureAlso;PROXYPASSWORD=ProxyPasswordMustBeSecure

You can see that ConnectionString returns the string (the get member) without any obfuscation treatment. https://github.com/snowflakedb/snowflake-connector-net/blob/master/Snowflake.Data/Client/SnowflakeDbConnection.cs#L62-L66
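An added example, not part of the original post and not code from the Snowflake connector: a caller-side helper that masks the secret-bearing keys from the example above before a connection string is written to a log or error message. `ConnectionStringRedactor`, `Redact` and the mask value are hypothetical names, and the sketch assumes the string can be parsed by the .NET base class library's `DbConnectionStringBuilder`. It covers exposure through logging only, not the memory-inspection case the issue raises.

```csharp
using System;
using System.Data.Common;

// Added example: a hypothetical helper, not part of Snowflake.Data.
public static class ConnectionStringRedactor
{
    private const string Mask = "***";

    // Secret-bearing keys named in the issue's example connection string.
    private static readonly string[] SensitiveKeys =
    {
        "PASSWORD", "PRIVATE_KEY_PWD", "TOKEN", "PROXYPASSWORD"
    };

    // Returns a copy of the connection string with secret values masked.
    public static string Redact(string connectionString)
    {
        if (string.IsNullOrEmpty(connectionString))
            return string.Empty;

        var builder = new DbConnectionStringBuilder();
        try
        {
            builder.ConnectionString = connectionString;
        }
        catch (ArgumentException)
        {
            // Fail closed: never echo a string that could not be parsed.
            return "<unparseable connection string withheld>";
        }

        foreach (var key in SensitiveKeys)
        {
            // Key lookup in DbConnectionStringBuilder is case-insensitive.
            if (builder.ContainsKey(key))
                builder[key] = Mask;
        }
        return builder.ConnectionString;
    }

    public static void Main()
    {
        // Constructed sample input reusing the placeholder values from the issue.
        var raw = "ACCOUNT=myAccount;PASSWORD=MyPasswordMustBeSecure;TOKEN=MustSecureAlso";
        Console.WriteLine(Redact(raw));
    }
}
```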

sfc-gh-dszmolka commented 3 months ago

invalid issue, handling this improvement request further internally