SNOW-2161716: Raise error if the config file is writable by others (#2501)

sfc-gh-gmerticariu · sfc-gh-pczajka · web-flow · commit e3349a3f425f · 2025-10-01T13:22:30.000Z
Co-authored-by: Patryk Czajka &lt;patryk.czajka@snowflake.com&gt;
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -16,6 +16,8 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
   - Added an option to exclude `botocore` and `boto3` dependencies by setting `SNOWFLAKE_NO_BOTO` environment variable during installation
   - Revert changing exception type in case of token expired scenario for `Oauth` authenticator back to `DatabaseError`
   - Added support for pandas conversion for Day-time and Year-Month Interval types
+  - Enhanced configuration file security checks with stricter permission validation.
+    - Configuration files writable by group or others now raise a `ConfigSourceError` with detailed permission information, preventing potential credential tampering.
   - Fix "No AWS region was found" error if AWS region was set in `AWS_DEFAULT_REGION` variable instead of `AWS_REGION` for `WORKLOAD_IDENTITY` authenticator
   - Add `ocsp_root_certs_dict_lock_timeout` connection parameter to set the timeout (in seconds) for acquiring the lock on the OCSP root certs dictionary. Default value for this parameter is -1 which indicates no timeout.
 
diff --git a/src/snowflake/connector/config_manager.py b/src/snowflake/connector/config_manager.py
@@ -27,7 +27,7 @@
 
 LOGGER = logging.getLogger(__name__)
 READABLE_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH
-
+WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
 
 SKIP_WARNING_ENV_VAR = "SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE"
 
@@ -337,6 +337,18 @@ def read_config(
                 )
                 continue
 
+            # Check for writable by others - this should raise an error
+            if (
+                not IS_WINDOWS  # Skip checking on Windows
+                and sliceoptions.check_permissions  # Skip checking if this file couldn't hold sensitive information
+                and filep.stat().st_mode & WRITABLE_BY_OTHERS != 0
+            ):
+                file_stat = filep.stat()
+                file_permissions = oct(file_stat.st_mode)[-3:]
+                raise ConfigSourceError(
+                    f"file '{str(filep)}' is writable by group or others — this poses a security risk because it allows unauthorized users to modify sensitive settings. Your Permission: {file_permissions}"
+                )
+
             # Check for readable by others or wrong ownership - this should warn
             if (
                 not IS_WINDOWS  # Skip checking on Windows
diff --git a/test/unit/test_configmanager.py b/test/unit/test_configmanager.py
@@ -639,6 +639,60 @@ def test_log_debug_config_file_parent_dir_permissions(tmp_path, caplog):
     shutil.rmtree(tmp_dir)
 
 
+@pytest.mark.skipif(IS_WINDOWS, reason="chmod doesn't work on Windows")
+def test_error_config_file_writable_by_others(tmp_path):
+    c_file = tmp_path / "config.toml"
+    c1 = ConfigManager(file_path=c_file, name="root_parser")
+    c1.add_option(name="b", parse_str=lambda e: e.lower() == "true")
+    c_file.write_text(
+        dedent(
+            """\
+            b = true
+            """
+        )
+    )
+    # Make file writable by others
+    c_file.chmod(stat.S_IRUSR | stat.S_IWUSR | stat.S_IWOTH)
+    file_permissions = oct(c_file.stat().st_mode)[-3:]
+
+    with pytest.raises(
+        ConfigSourceError,
+        match=re.escape(
+            f"file '{str(c_file)}' is writable by group or others — this poses a security risk because it allows unauthorized users to modify sensitive settings. Your Permission: {file_permissions}"
+        ),
+    ):
+        c1["b"]
+
+
+@pytest.mark.skipif(IS_WINDOWS, reason="chmod doesn't work on Windows")
+def test_error_config_file_writable_by_group(tmp_path):
+    c_file = tmp_path / "config.toml"
+    c1 = ConfigManager(file_path=c_file, name="root_parser")
+    c1.add_option(name="b", parse_str=lambda e: e.lower() == "true")
+    c_file.write_text(
+        dedent(
+            """\
+            b = true
+            """
+        )
+    )
+    # Make file writable by group
+    c_file.chmod(stat.S_IRUSR | stat.S_IWUSR | stat.S_IWGRP)
+    file_permissions = oct(c_file.stat().st_mode)[-3:]
+
+    with pytest.raises(
+        ConfigSourceError,
+        match=re.escape(
+            f"file '{str(c_file)}' is writable by group or others — this poses a security risk because it allows unauthorized users to modify sensitive settings. Your Permission: {file_permissions}"
+        ),
+    ):
+        c1["b"]
+
+    # file permissions check can be skipped with unsafe_skip_file_permissions_check flag
+    c1.read_config(skip_file_permissions_check=True)
+    assert c1["b"] is True
+
+
 @pytest.mark.skipif(IS_WINDOWS, reason="chmod doesn't work on Windows")
 def test_skip_warning_config_file_permissions(tmp_path, monkeypatch):
     c_file = tmp_path / "config.toml"
