SNOW-2306184: config refactor - ensure file permissions checks

sfc-gh-mraba · sfc-gh-mraba · commit 995f91aada96 · 2025-11-18T10:34:55.000+01:00
diff --git a/src/snowflake/cli/api/config_ng/sources.py b/src/snowflake/cli/api/config_ng/sources.py
@@ -37,10 +37,28 @@
 
 from snowflake.cli.api.config_ng.constants import SNOWFLAKE_HOME_ENV
 from snowflake.cli.api.config_ng.core import SourceType, ValueSource
+from snowflake.cli.api.exceptions import ConfigFileTooWidePermissionsError
+from snowflake.cli.api.secure_utils import file_permissions_are_strict
+from snowflake.connector.compat import IS_WINDOWS
 
 log = logging.getLogger(__name__)
 
 
+def _ensure_strict_file_permissions(config_file: Path) -> None:
+    """
+    Validate that configuration files have strict permissions before reading.
+
+    Raises:
+        ConfigFileTooWidePermissionsError: If permissions are too wide on non-Windows.
+    """
+
+    if IS_WINDOWS or not config_file.exists():
+        return
+
+    if not file_permissions_are_strict(config_file):
+        raise ConfigFileTooWidePermissionsError(config_file)
+
+
 class SnowSQLSection(Enum):
     """
     SnowSQL configuration file section names.
@@ -153,6 +171,7 @@ def _read_and_merge_files(self) -> str:
 
         for config_file in self._config_paths:
             if config_file.exists():
+                _ensure_strict_file_permissions(config_file)
                 try:
                     merged_config.read(config_file)
                 except Exception as e:
@@ -273,6 +292,7 @@ def _read_first_file(self) -> str:
         """
         for config_file in self._search_paths:
             if config_file.exists():
+                _ensure_strict_file_permissions(config_file)
                 try:
                     return config_file.read_text()
                 except Exception as e:
@@ -387,6 +407,7 @@ def discover(self, key: Optional[str] = None) -> Dict[str, Any]:
         else:
             if not self._file_path.exists():
                 return {}
+            _ensure_strict_file_permissions(self._file_path)
             try:
                 content = self._file_path.read_text()
             except Exception as e:
diff --git a/tests/config_ng/conftest.py b/tests/config_ng/conftest.py
@@ -24,9 +24,17 @@
 from contextlib import contextmanager
 from pathlib import Path
 from textwrap import dedent
-from typing import Dict, Optional
+from typing import Dict, Literal, Optional
 
 import pytest
+from snowflake.connector.compat import IS_WINDOWS
+
+STRICT_FILE_PERMISSIONS: Literal[0o600] = 0o600
+
+
+def _restrict_permissions(path: Path) -> None:
+    if not IS_WINDOWS:
+        path.chmod(STRICT_FILE_PERMISSIONS)
 
 
 @contextmanager
@@ -96,13 +104,17 @@ def _setup(
 
             # Write config files if provided
             if snowsql_config:
-                (snowflake_home / "config").write_text(dedent(snowsql_config))
+                snowsql_path = snowflake_home / "config"
+                snowsql_path.write_text(dedent(snowsql_config))
+                _restrict_permissions(snowsql_path)
             if cli_config:
-                (snowflake_home / "config.toml").write_text(dedent(cli_config))
+                cli_config_path = snowflake_home / "config.toml"
+                cli_config_path.write_text(dedent(cli_config))
+                _restrict_permissions(cli_config_path)
             if connections_toml:
-                (snowflake_home / "connections.toml").write_text(
-                    dedent(connections_toml)
-                )
+                connections_path = snowflake_home / "connections.toml"
+                connections_path.write_text(dedent(connections_toml))
+                _restrict_permissions(connections_path)
 
             # Prepare environment variables
             env_to_set = {
diff --git a/tests/config_ng/test_sources.py b/tests/config_ng/test_sources.py
@@ -14,11 +14,18 @@
 
 """Tests for configuration sources with string-based testing."""
 
+from typing import Literal
+
+import pytest
 from snowflake.cli.api.config_ng.sources import (
     CliConfigFile,
     ConnectionsConfigFile,
     SnowSQLConfigFile,
 )
+from snowflake.cli.api.exceptions import ConfigFileTooWidePermissionsError
+from snowflake.connector.compat import IS_WINDOWS
+
+INSECURE_FILE_PERMISSIONS: Literal[0o644] = 0o644
 
 
 class TestSnowSQLConfigFileFromString:
@@ -378,3 +385,51 @@ def test_non_connections_file_marker(self):
             not hasattr(snowsql_source, "is_connections_file")
             or not snowsql_source.is_connections_file
         )
+
+
+@pytest.mark.skipif(IS_WINDOWS, reason="Permission checks disabled on Windows")
+class TestFilePermissionValidation:
+    def test_snowsql_config_raises_on_insecure_file(self, tmp_path):
+        config_path = tmp_path / "snowsql.cnf"
+        config_path.write_text(
+            """
+[connections.test]
+accountname = test_account
+"""
+        )
+        config_path.chmod(INSECURE_FILE_PERMISSIONS)
+
+        source = SnowSQLConfigFile(config_paths=[config_path])
+
+        with pytest.raises(ConfigFileTooWidePermissionsError):
+            source.discover()
+
+    def test_cli_config_raises_on_insecure_file(self, tmp_path):
+        config_path = tmp_path / "config.toml"
+        config_path.write_text(
+            """
+[connections.test]
+account = "cli-account"
+"""
+        )
+        config_path.chmod(INSECURE_FILE_PERMISSIONS)
+
+        source = CliConfigFile(search_paths=[config_path])
+
+        with pytest.raises(ConfigFileTooWidePermissionsError):
+            source.discover()
+
+    def test_connections_config_raises_on_insecure_file(self, tmp_path):
+        config_path = tmp_path / "connections.toml"
+        config_path.write_text(
+            """
+[connections.test]
+account = "connections-account"
+"""
+        )
+        config_path.chmod(INSECURE_FILE_PERMISSIONS)
+
+        source = ConnectionsConfigFile(file_path=config_path)
+
+        with pytest.raises(ConfigFileTooWidePermissionsError):
+            source.discover()
