SNOW-1546127: Fix python connector log leaking token inside http resp…

…onse body (#2011)
snowflakedb · Aug 1, 2024 · 706bc2f · 706bc2f
1 parent 3eaa331
commit 706bc2f
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 2 deletions.
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -8,6 +8,9 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
 
 # Release Notes
 
+- v3.12.1(TBD)
+  - Fixed a bug that session token is logged when renewing session.
+
 - v3.12.0(July 24,2024)
   - Set default connection timeout of 10 seconds and socket read timeout of 10 minutes for HTTP calls in file transfer.
   - Optimized `to_pandas()` performance by fully parallel downloading logic.

diff --git a/src/snowflake/connector/network.py b/src/snowflake/connector/network.py
@@ -568,7 +568,7 @@ def _token_request(self, request_type):
             token=header_token,
         )
         if ret.get("success") and ret.get("data", {}).get("sessionToken"):
-            logger.debug("success: %s", ret)
+            logger.debug("success: %s", SecretDetector.mask_secrets(str(ret)))
             self.update_tokens(
                 ret["data"]["sessionToken"],
                 ret["data"].get("masterToken"),
@@ -577,7 +577,7 @@ def _token_request(self, request_type):
             logger.debug("updating session completed")
             return ret
         else:
-            logger.debug("failed: %s", ret)
+            logger.debug("failed: %s", SecretDetector.mask_secrets(str(ret)))
             err = ret.get("message")
             if err is not None and ret.get("data"):
                 err += ret["data"].get("errorMessage", "")

diff --git a/test/unit/test_renew_session.py b/test/unit/test_renew_session.py
@@ -5,6 +5,7 @@
 
 from __future__ import annotations
 
+import logging
 from unittest.mock import Mock, PropertyMock
 
 from snowflake.connector.network import SnowflakeRestful
@@ -57,3 +58,51 @@ def fake_request_exec(**_):
     del rest._master_token
     rest._renew_session()
     assert rest._connection.errorhandler.called  # error
+
+
+def test_mask_token_when_renew_session(caplog):
+    caplog.set_level(logging.DEBUG)
+    OLD_SESSION_TOKEN = "old_session_token"
+    OLD_MASTER_TOKEN = "old_master_token"
+    NEW_SESSION_TOKEN = "new_session_token"
+    NEW_MASTER_TOKEN = "new_master_token"
+    connection = mock_connection()
+    connection.errorhandler = Mock(return_value=None)
+    type(connection)._probe_connection = PropertyMock(return_value=False)
+
+    rest = SnowflakeRestful(
+        host="testaccount.snowflakecomputing.com", port=443, connection=connection
+    )
+    rest._token = OLD_SESSION_TOKEN
+    rest._master_token = OLD_MASTER_TOKEN
+
+    # inject a fake method (success)
+    def fake_request_exec(**_):
+        return {
+            "success": True,
+            "data": {
+                "sessionToken": NEW_SESSION_TOKEN,
+                "masterToken": NEW_MASTER_TOKEN,
+            },
+        }
+
+    rest._request_exec = fake_request_exec
+
+    # no secrets recorded when renew succeed
+    rest._renew_session()
+    assert "new_session_token" not in caplog.text
+    assert "new_master_token" not in caplog.text
+    assert "old_session_token" not in caplog.text
+    assert "old_master_token" not in caplog.text
+
+    def fake_request_exec(**_):
+        return {"success": False, "message": "failed to renew session", "code": 987654}
+
+    rest._request_exec = fake_request_exec
+
+    # no secrets recorded when renew failed
+    rest._renew_session()
+    assert "new_session_token" not in caplog.text
+    assert "new_master_token" not in caplog.text
+    assert "old_session_token" not in caplog.text
+    assert "old_master_token" not in caplog.text