Summary: This post explains the details of an exponential ReDoS (Regular Expression Denial of Service) vulnerability that can be triggered in the snowflake-connector-python PyPI package. The vulnerability is located in the undocumented get_file_transfer_type method, which can be exploited when an attacker is able to supply arbitrary input to it. This post includes code snippets, links to original references, and exploit details.

Introduction

The snowflake-connector-python package is the official Python connector for Snowflake, a widely used cloud data platform. A vulnerability in its get_file_transfer_type method lets an attacker who controls the method's input trigger exponential regular-expression backtracking, a ReDoS, and stall the process.

CVE-2022-42965 - The Vulnerability

The vulnerability is an exponential ReDoS: a specially crafted input passed to the get_file_transfer_type method forces the regular-expression engine into catastrophic backtracking, so a single call consumes CPU for an effectively unbounded time and the application stops responding.

The problematic code snippet in the get_file_transfer_type method

import re

def get_file_transfer_type(self, user_supplied_input):
    # Pattern given by the post for the affected method: group 1 captures the
    # scheme in front of "://" (or a backslash); the trailing alternative
    # means the search always matches, so group(1) is None when no scheme is found.
    regex_pattern = r'(?i)(^[^\/:]*?):?(\/\/|\\)|([\\\\:])?'
    typ = re.search(regex_pattern, user_supplied_input).group(1)
    return typ.lower() if typ else None

Exploit Details

The pattern is applied with re.search to the whole input, so if an attacker controls the string handed to get_file_transfer_type, a value crafted to drive the backtracking engine through an exponential number of match attempts turns one call into a denial of service.

For example, an attacker could supply a long string with a large number of repeated forward slashes, such as:

malicious_input = 'a://' + '/' * 100000

When such an input reaches a backtracking-prone pattern, the engine's work grows exponentially with the length of the repeated run, so one call can pin a CPU core for minutes and the thread handling the request stops responding. Before relying on any particular payload, confirm the behaviour against the exact pattern shipped in your installed version: time re.search on inputs of increasing length. A matching time that roughly doubles with each added character confirms exponential backtracking; a linear pattern barely changes.

Mitigation

The fix is to update the snowflake-connector-python package to version 2.7.2 or later, the release that addresses CVE-2022-42965.

If upgrading is not immediately possible, validate the input before it reaches get_file_transfer_type: cap its length, reject long runs of a single repeated character, and reject characters the expected inputs never contain. Python's re module offers no matching timeout, so keeping pathological input away from the pattern is the practical control until the package is upgraded.
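As an added illustration for the exploit section above and for this workaround (not code from the post or from the connector), the Python block below uses a constructed pattern with the nested-quantifier shape behind exponential ReDoS, times it against growing runs of whitespace so the doubling is visible, places the linear rewrite beside it, and implements the pre-validation guard. The pattern, the MAX_LEN and repeat-run thresholds, and the function names are assumptions for this example.

```python
import re
import time
from typing import List, Optional

# Constructed stand-in, NOT the connector's pattern: the nested quantifier
# (\s+)* can split a run of n spaces into 2^(n-1) non-empty pieces, and a
# backtracking engine such as Python's re tries every split once the
# trailing literal "put" fails to match.
VULNERABLE_RE = re.compile(r"^(\s+)*put\b", re.IGNORECASE)

# Linear rewrite accepting the same strings: one unambiguous whitespace run.
SAFE_RE = re.compile(r"^\s*put\b", re.IGNORECASE)

# Assumed thresholds for the pre-validation workaround (tune for your inputs).
MAX_LEN = 4096                                  # longest input we will scan
RUN_RE = re.compile(r"(.)\1{63,}", re.DOTALL)   # 64+ repeats of one character


def is_put(sql: str, pattern: re.Pattern = SAFE_RE) -> bool:
    """True when the statement starts with the PUT keyword (either pattern)."""
    return pattern.search(sql) is not None


def time_match(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds for a single search of text."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def growth_ratios(pattern: re.Pattern, sizes: List[int]) -> List[float]:
    """Time pattern on ' ' * n + 'x' for each n and return t[i] / t[i-1].

    Ratios near 2 mean each extra space doubles the work (exponential
    backtracking); ratios near 1 mean the pattern is linear.
    """
    times = [time_match(pattern, " " * n + "x") for n in sizes]
    return [later / earlier if earlier > 0 else float("inf")
            for earlier, later in zip(times, times[1:])]


def is_safe_input(sql: str) -> bool:
    """Pre-validation: refuse inputs that could drive a regex into worst case."""
    return len(sql) <= MAX_LEN and RUN_RE.search(sql) is None


def file_transfer_type(sql: str) -> Optional[str]:
    """Guarded classifier: validate first, then match with the linear pattern."""
    if not is_safe_input(sql):
        raise ValueError("input rejected before regex matching")
    return "put" if is_put(sql, SAFE_RE) else None


if __name__ == "__main__":
    # Constructed inputs: runs of spaces followed by a character that makes
    # "put" fail, which is what forces the backtracking.
    sizes = list(range(12, 22))   # small enough to finish in a few seconds
    print("vulnerable:", [f"{r:.1f}" for r in growth_ratios(VULNERABLE_RE, sizes)])
    print("safe:      ", [f"{r:.1f}" for r in growth_ratios(SAFE_RE, sizes)])
    print(file_transfer_type("  PUT file:///tmp/data.csv @my_stage"))
    print(is_safe_input("a://" + "/" * 100_000))   # rejected by the guard
```

Run the module directly to see the vulnerable pattern's ratios sit near 2 while the safe pattern's stay near 1; the same probe, pointed at the pattern from your installed connector version, tells you whether your deployment is exposed. The guard rejects the long-slash payload from the exploit section before any regex runs, which is the whole point of the interim workaround.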

References

1. CVE-2022-42965: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42965
2. Snowflake Connector for Python: https://pypi.org/project/snowflake-connector-python/
3. Snowflake Database: https://www.snowflake.com/
4. NVD Vulnerability Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42965

Conclusion

This post covered CVE-2022-42965, an exponential ReDoS in the snowflake-connector-python PyPI package, with code snippets, original references, exploit details and the available mitigation. Users of snowflake-connector-python should update to version 2.7.2 or later to avoid the denial of service this vulnerability enables.

Timeline

Published on: 11/09/2022 20:15:00 UTC
Last modified on: 12/02/2022 22:46:00 UTC