Skip to content

Snow 2401045 fix vulnerabilities in crl #2584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Oct 23, 2025
Merged

Snow 2401045 fix vulnerabilities in crl #2584

merged 10 commits into from
Oct 23, 2025

Conversation

@sfc-gh-pczajka
Copy link
Collaborator

@sfc-gh-pczajka sfc-gh-pczajka commented Oct 20, 2025
edited
Loading

Fix CRL implementation vulnerabilities described in SNOW-2401045

  1. Remove possibility of checking multiple leaf certificates - made sense as SSL connection returns only one peer certificate
  2. check basicConstraints isCA = true for all certificates except a leaf one
  3. validates certificate expritation time
  4. check CRL IssuingDistributionPoint against the url
  5. refactor validate_connection - remove logic for multiple chains

@sfc-gh-pczajka sfc-gh-pczajka requested a review from a team as a code owner October 20, 2025 15:13
@sfc-gh-pczajka sfc-gh-pczajka marked this pull request as draft October 20, 2025 15:13
@sfc-gh-pczajka sfc-gh-pczajka added NO-CHANGELOG-UPDATES This pull request does not need to update CHANGELOG.md DO_NOT_PORT_CHANGES_TO_SP Add this label when changes in this PR do not need to be port to SP connector labels Oct 21, 2025
@sfc-gh-pczajka sfc-gh-pczajka marked this pull request as ready for review October 21, 2025 11:39
sfc-gh-turbaszek
sfc-gh-turbaszek reviewed Oct 21, 2025
View reviewed changes
sfc-gh-turbaszek
sfc-gh-turbaszek reviewed Oct 21, 2025
View reviewed changes
@sfc-gh-pczajka sfc-gh-pczajka requested a review from a team as a code owner October 21, 2025 14:50
sfc-gh-jkasten
sfc-gh-jkasten approved these changes Oct 21, 2025
View reviewed changes
Copy link
Contributor

@sfc-gh-jkasten sfc-gh-jkasten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thanks @sfc-gh-pczajka!

src/snowflake/connector/crl.py Outdated
Comment on lines 315 to 316
# Check if start certificate is expired
if not self._is_valid(start_cert):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit/optional: I would be tempted to move away from is_valid which generally means more than simply having correct dates. The documentation is very helpful regardless.

Maybe _is_within_lifetime or _is_within_validity_dates?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, changed

src/snowflake/connector/crl.py
Comment on lines +326 to +328
if not self._is_ca_certificate(cert):
logger.warning("Ignoring non-CA certificate: %s", cert)
continue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also be checking the lifetimes of the intermediates.

I realize we are almost certainly not going to get attacked by an expired leaked intermediate, but it should be cheap to add and would be closer to spec.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the catch! I've overlooked this - fixed the check and tests

src/snowflake/connector/crl.py Outdated
if issue_date.tzinfo is None:
issue_date = issue_date.replace(tzinfo=timezone.utc)
issue_date, expiry_date = CRLValidator._get_certificate_validity_dates(cert)
validity_period = expiry_date - issue_date
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: the notAfter date is inclusive so this calculation is off by one [text from RFC 5280]. I think your code falls on the safe side and CAs worth their salt say away from the edges, but we should probably fix it to show competence.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

@sfc-gh-pczajka sfc-gh-pczajka merged commit 8b1fd71 into main Oct 23, 2025
104 of 111 checks passed
@sfc-gh-pczajka sfc-gh-pczajka deleted the SNOW-2401045-fix-vulnerabilities-in-CRL branch October 23, 2025 08:28
@github-actions github-actions bot locked and limited conversation to collaborators Oct 23, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@sfc-gh-turbaszek sfc-gh-turbaszek sfc-gh-turbaszek approved these changes

@sfc-gh-jkasten sfc-gh-jkasten sfc-gh-jkasten approved these changes

Assignees

No one assigned

Labels

DO_NOT_PORT_CHANGES_TO_SP Add this label when changes in this PR do not need to be port to SP connector NO-CHANGELOG-UPDATES This pull request does not need to update CHANGELOG.md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sfc-gh-pczajka @sfc-gh-turbaszek @sfc-gh-jkasten