SNOW-2316658: fixed session token leakage (#930)

Co-authored-by: Harry Xi <[email protected]>

Author: sfc-gh-ext-simba-gc

cpp/logger/SFLogger.cpp

@@ -20,6 +20,18 @@ void log_masked_va_list(FILE* fp, const char *fmt, va_list args)
   sf_fprintf(fp, "%s", maskedMsg.c_str());
 }
 
+void terminal_mask(char *in_data, size_t datasize, char *out_masked, size_t masked_bufsize){
+  if(in_data == NULL || in_data[0] == '\0' || datasize == 0 || out_masked == NULL || masked_bufsize == 0){
+    log_error("Error in masking text on terminal; check values of parameters passed in\n");
+    return;
+  }
+  std::string text(in_data, datasize);
+  std::string maskedMsg = Snowflake::Client::SecretDetector::maskSecrets(text);
+  size_t copysize = (std::min)(masked_bufsize - 1, maskedMsg.length());
+  sf_strncpy(out_masked, masked_bufsize, maskedMsg.c_str(), copysize);
+  out_masked[copysize] = '\0';
+}
+
 std::string Snowflake::Client::SFLogger::getMaskedMsg(const char* fmt, ...)
 {
   va_list args;

cpp/logger/SecretDetector.cpp

@@ -20,7 +20,7 @@ namespace Client
 
   boost::regex SecretDetector::ENCRYPTION_CREDS_IN_JSON_PATTERN = boost::regex("\"(encryptionMaterial|creds)\"\\s*:\\s*\\{.*?\\}", boost::regex::icase);
 
-  boost::regex SecretDetector::TOKEN_IN_JSON_PATTERN = boost::regex("\"(mastertoken|token)\":(\\t|\\s+)\"[a-zA-Z0-9=/_+-:]+\"", boost::regex::icase);
+  boost::regex SecretDetector::TOKEN_IN_JSON_PATTERN = boost::regex("\"?(mastertoken|token|Snowflake Token|oldSessionToken|sessionToken)\"?(\\s*)?(:|=)(\\.*)?(\\t|\\s+)?\"[a-zA-Z0-9=/_+-:]+\"", boost::regex::icase);
 
   std::string SecretDetector::maskAwsKeys(std::string text)
   {

include/snowflake/logger.h

@@ -98,6 +98,8 @@ void log_set_path(const char* path);
 
 void log_close();
 
+void terminal_mask(char *data, size_t size, char* masked, size_t masked_bufsize);
+
 #if defined(__cplusplus)
 }
 #endif

lib/connection.c

@@ -687,7 +687,8 @@ json_copy_string(char **dest, cJSON *data, const char *item) {
         }
         sf_strncpy(*dest, blob_size, blob->valuestring, blob_size);
 
-        if (strcmp(item, "token") == 0 || strcmp(item, "masterToken") == 0) {
+        if (strstr(item, "token") || strstr(item, "Token") || strstr(item, "TOKEN") ||
+            strstr(item, "key") || strstr(item, "Key") || strstr(item, "KEY")) {
             log_debug("Item and Value; %s: ******", item);
         } else {
             log_debug("Item and Value; %s: %s", item, *dest);

lib/http_perform.c

@@ -96,6 +96,8 @@ int my_trace(CURL *handle, curl_infotype type,
     const char *text;
     (void) handle; /* prevent compiler warning */
 
+    char masked[5000] = {'\0'};
+
     switch (type) {
         case CURLINFO_TEXT:
             sf_fprintf(stderr, "== Info: %s", data);
@@ -123,7 +125,8 @@ int my_trace(CURL *handle, curl_infotype type,
             break;
     }
 
-    dump(text, stderr, (unsigned char *) data, size, config->trace_ascii);
+    terminal_mask(data, size, masked, sizeof(masked));
+    dump(text, stderr, (unsigned char *) masked, strlen(masked), config->trace_ascii);
     return 0;
 }
 

tests/test_unit_connect_parameters.c

@@ -235,8 +235,13 @@ void test_connect_with_renew(void** unused) {
 
     // renew session
     CURL* curl = curl_easy_init();
+    sf_bool debug = SF_BOOLEAN_TRUE;
+    // turn on DEBUG mode to test with debug mode logging as well
+    snowflake_global_set_attribute(SF_GLOBAL_DEBUG, &debug);
     sf_bool renew_result = renew_session(curl, sf, &sf->error);
     curl_easy_cleanup(curl);
+    debug = SF_BOOLEAN_FALSE;
+    snowflake_global_set_attribute(SF_GLOBAL_DEBUG, &debug);
     if (!renew_result)
     {
         dump_error(&sf->error);

tests/test_unit_logger.c

@@ -412,6 +412,35 @@ void test_client_config_stdout() {
   remove(configFilePath);
 }
 
+/* Test terminal masking*/
+void test_terminal_mask() {
+  
+  char masked[450] = "\0";
+  char *token = "\"oldSessionToken\":.\"ver:3-hint:92019686956010-ETMsDgAAAZnuCZEqABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEFvTRpZh3vTIN0aeQGHgtZUAAACgEe4rGMIhP+9VB6W02vfgNxd7TzjF7V9CFNiobWsPKfRaVm0e+Pgan+NKiWqJGeYPY0kNDKc+iZZArOgYb3bj0JaU2ovmSRTzEKF4/oQdunFrob66HU+x5piBINNQ327tcSglCOBKxAmjHwQxv+C3t7Yzsaa1I10VUA3fRwGcMlluuCC/7ucFnLUeSESYzImlmWBtftQS/giLDli9CyghpgAUblZOu/WGGryesNxqKCr2qHxYUrQ=\"";  
+  terminal_mask(token, strlen(token), masked, sizeof(masked));
+  assert_string_not_equal(token, masked);
+  
+  char *expected = "\"oldSessionToken\": ****";
+  assert_string_equal(masked, expected);
+
+  char *token1 = "Snowflake Token=\"ver:3-hint:92019686956010-ETMsDgAAAZnuCZDdABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEE8nWQwJCW8y71MmS0MTiQAAADAKKvKBOXVEWiCRMEHtrZlROAljOWTb1wDD6rIgPC8odgqH9ieZZuxfm5GmPkP2DasqFfBMDxk0sw1ZWqE2c7Sos+tUSh09EKraNoANaMSMsL71u7JKMtSIPJ907FVM0xeDw924bYTY1+D3gKvVn93nzdAZto8pOPVs9ag0MlmFrQQH0RLuLAMgAx4ZBkyeoeuTco0A3PNoedb/kvIpfIQWtukVDuXJmCetZQxATxXVuu3cXisGg7I8Mu/VJqd/iABScY0nslPWxaodfF0nwZ4fquJWUaQ==\"";
+  masked[0] = '\0';
+  terminal_mask(token1, strlen(token1), masked, sizeof(masked));
+  expected = "\"Snowflake Token\": ****";
+  assert_string_equal(masked, expected);
+
+  char *token2 = "this text is not meant to be masked";
+  masked[0] = '\0';
+  terminal_mask(token2, strlen(token2), masked, sizeof(masked));
+  assert_string_equal(token2, masked);
+
+  char *token3 = "";
+  masked[0] = '\0';
+  terminal_mask(token3, strlen(token3), masked, sizeof(masked));
+  expected = "";
+  assert_string_equal(masked, expected);
+}
+
 void test_log_creation() {
     char logname[] = "dummy.log";
 
@@ -484,6 +513,7 @@ void test_log_creation_no_permission_to_home_folder(){
   setenv("HOME", homedirOrig, 1);   
 }
 
+
 /**
  * Tests masking secret information in log
  */
@@ -580,6 +610,14 @@ void test_mask_secret_log() {
             "\"masterToken\":\t\"ETM:sDgAAA-XI0IS9NABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwCAABAAEEb/xAQlmT+mwIx9G32E+ikAAACA/CPlEkq//+jWZnQkOj5VhjayruDsCVRGS/B6GzHUugXLc94EfEwuto94gS/oKSVrUg/JRPekypLAx4Afa1KW8n1RqXRF9Hzy1VVLmVEBMtei3yFJPNSHtfbeFHSr9eVB/OL8dOGbxQluGCh6XmaqTjyrh3fqUTWz7+n74+gu2ugAFFZ18iT+DStK0TTdmy4vBC6xUcHQ==\"",
             "\"masterToken\": ****"
         },
+        {//21
+             "\"Snowflake Token\"=\"ver:3-hint:92019686956010-ETMsDgAAAZnuCZDdABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEE8nWQwJCW8+y71MmS0MTiQAAADAKKvKBOXVEWiCRMEHtrZlROAljOWTb1wDD6rIgPC8odgqH9ieZZuxfm5GmPkP2DasqFfBMDxk0sw1ZWqE2c7Sos+tUSh09EKraNoANaMSMsL71u7JKMtSIPJ907FVM0xeDw924bYTY1+D3gKvVn93nzdAZto8pOPVs9ag0Mlm+FrQQH0RLuLAMgAx4ZBkyeoeuTco0A3PNoedb/HkvIpfIQWtukVDuXJmCetZQxATxXVuu3cXisGg7I8Mu/VJqd/iABScY0nslPWxaodfF0nwZ4fquJWUaQ==\"",
+            "\"Snowflake Token\": ****"
+        },
+        {//22
+            "\"oldSessionToken\":.\"ver:3-hint:92019686956010-ETMsDgAAAZnuCZEqABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEFvTRpZh3vTIN0aeQGHgtZUAAACgEe4rGMIhP+9VB6W02vfgNxd7TzjF7V9CFNiobWsPKfRaVm0e+Pgan+NKiWqJGeYPY0kNDKc+iZZArOgYb3bj0JaU2ovmSRTzEKF4/oQdunFrob66HU+x5piBINNQ327tcSglCOBKxAmjHwQxv+C3t7Yzsaa1I10VUA3fRwGcMlluuCC/7ucFnLUeSESYzImlmWBtftQS/giLDli9CyghpgAUblZOu/WGGryesNxqKCr2qHxYUrQ=\"",
+            "\"masterToken\": ****"
+        },
     };
 
     char * line = NULL;
@@ -618,6 +656,7 @@ int main(void) {
         cmocka_unit_test(test_client_config_log_no_level),
         cmocka_unit_test(test_client_config_log_no_path),
         cmocka_unit_test(test_client_config_stdout),
+        cmocka_unit_test(test_terminal_mask),
 #endif
         cmocka_unit_test(test_log_creation),
 #ifndef _WIN32