Snowflake Golang Driver vulnerable to Command Injection
Description
gosnowflake is the Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on (SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. A patch is available in version 1.6.19.
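The advisory names URL whitelisting as the mitigation for the SSO browser URL flow. The following Go program is an added illustration of that control and is not code from gosnowflake or from the advisory: it parses a candidate SSO URL with the standard library instead of a regular expression, requires an absolute https URL with no userinfo, rejects option-like values (anything starting with "-") and control characters before the value could ever reach a browser-launching helper, and accepts only hosts on an allowlist. The host `login.example-idp.com`, the function name `validateSSOURL` and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ssoHostAllowlist is a constructed example allowlist of identity-provider
// hosts (hypothetical values, not a real configuration).
var ssoHostAllowlist = map[string]bool{
	"login.example-idp.com": true,
}

var errSSOURLRejected = errors.New("sso url rejected")

// validateSSOURL returns the normalized URL if target is an absolute https
// URL whose host is on the allowlist, and a descriptive error otherwise.
// The checks are ordered so that nothing option-like is even parsed.
func validateSSOURL(target string, allow map[string]bool) (string, error) {
	// A value beginning with "-" would be read as a command-line option by a
	// helper that opens the system browser; reject it outright.
	if target == "" || strings.HasPrefix(strings.TrimSpace(target), "-") {
		return "", fmt.Errorf("%w: option-like or empty value", errSSOURLRejected)
	}
	// Control characters and spaces have no place in a URL handed to a
	// browser launcher; reject them before parsing.
	for _, r := range target {
		if r < 0x20 || r == 0x7f || r == ' ' {
			return "", fmt.Errorf("%w: control character or space", errSSOURLRejected)
		}
	}
	u, err := url.Parse(target)
	if err != nil {
		return "", fmt.Errorf("%w: %v", errSSOURLRejected, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("%w: scheme %q not allowed", errSSOURLRejected, u.Scheme)
	}
	// Userinfo lets "https://allowed-host@attacker" masquerade as an allowed host.
	if u.User != nil {
		return "", fmt.Errorf("%w: userinfo not allowed", errSSOURLRejected)
	}
	host := strings.ToLower(u.Hostname())
	if !allow[host] {
		return "", fmt.Errorf("%w: host %q not on allowlist", errSSOURLRejected, host)
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one acceptable URL and several that must be refused.
	inputs := []string{
		"https://login.example-idp.com/sso/start?token=abc",
		"http://login.example-idp.com/sso/start",
		"https://attacker.example.net/sso/start",
		"https://login.example-idp.com@attacker.example.net/",
		"-a calculator",
		"file:///etc/hosts",
	}
	for _, in := range inputs {
		if out, err := validateSSOURL(in, ssoHostAllowlist); err != nil {
			fmt.Printf("REJECT %q: %v\n", in, err)
		} else {
			fmt.Printf("ACCEPT %q -> %s\n", in, out)
		}
	}
}
```

Using `net/url` rather than a hand-written pattern means scheme, userinfo, host and port are separated by the parser, so each can be checked on its own; the allowlist lookup uses `Hostname()`, which strips any port, so an explicit port on an allowed host is still accepted.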
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/snowflakedb/gosnowflake (Go) | < 1.6.19 | 1.6.19 |
Affected products
- Range: < 1.6.19
Patches
e11a2a555f1b SNOW-761744 Added URL Validator and URL Encoder (#757)
2 files changed · +70 −0
url_util.go+29 −0 added@@ -0,0 +1,29 @@ +package gosnowflake + +import ( + "net/url" + "regexp" +) + +var ( + matcher, _ = regexp.Compile(`^http(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z@:])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\&\(\)\/\\\+&%\$#_=@]*)?$`) +) + +func isValidURL(targetURL string) bool { + if !matcher.MatchString(targetURL) { + logger.Infof(" The provided URL is not a valid URL - " + targetURL) + return false + } + return true +} + +func urlEncode(targetString string) string { + // We use QueryEscape instead of PathEscape here + // for consistency across Drivers. For example: + // QueryEscape escapes space as "+" whereas PE + // it as %20F. PE also does not escape @ or & + // either but QE does. + // The behavior of QE in Golang is more in sync + // with URL encoders in Python and Java hence the choice + return url.QueryEscape(targetString) +}
util_test.go+41 −0 modified@@ -230,3 +230,44 @@ func TestGetMin(t *testing.T) { } } } + +type tcURLList struct { + in string + out bool +} + +func TestValidURL(t *testing.T) { + testcases := []tcURLList{ + {"https://ssoTestURL.okta.com", true}, + {"https://ssoTestURL.okta.com:8080", true}, + {"https://ssoTestURL.okta.com/testpathvalue", true}, + {"-a calculator", false}, + {"This is a random test", false}, + {"file://TestForFile", false}, + } + for _, test := range testcases { + result := isValidURL(test.in) + if test.out != result { + t.Errorf("Failed to validate URL, input :%v, expected: %v, got: %v", test.in, test.out, result) + } + } +} + +type tcEncodeList struct { + in string + out string +} + +func TestEncodeURL(t *testing.T) { + testcases := []tcEncodeList{ + {"Hello @World", "Hello+%40World"}, + {"Test//String", "Test%2F%2FString"}, + } + + for _, test := range testcases { + result := urlEncode(test.in) + if test.out != result { + t.Errorf("Failed to encode string, input %v, expected: %v, got: %v", test.in, test.out, result) + } + } +}
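Review bot: in the url_util.go hunk the port group `(:(0-9)*)*` uses parentheses where a character class was intended, so it matches the literal text `0-9` rather than digits; write it as `(:[0-9]+)?`. The only reason `https://ssoTestURL.okta.com:8080` still passes is that the host group `[-.\w]*[0-9a-zA-Z@:]` admits `:` and `@`, which also means userinfo-style `user@host` values are accepted by the validator. Two smaller points in the same hunk: `matcher, _ = regexp.Compile(...)` silently discards a compile error at package init, so `regexp.MustCompile` is the idiomatic choice for a constant pattern, and `logger.Infof(" The provided URL is not a valid URL - " + targetURL)` puts untrusted input into the format string; pass it as an argument instead, e.g. `logger.Infof("The provided URL is not a valid URL: %v", targetURL)`.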
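Review bot: the TestValidURL table in the util_test.go hunk never exercises the port or userinfo handling of the regex, so it would not catch that `https://ssoTestURL.okta.com:abc` and `https://user@ssoTestURL.okta.com` both match today (the host group `[-.\w]*[0-9a-zA-Z@:]` absorbs the `:` and `@`). Add negative rows such as `{"https://ssoTestURL.okta.com:abc", false}` and `{"https://user@ssoTestURL.okta.com", false}` next to the existing `-a calculator` and `file://TestForFile` rows so the test pins the intended behaviour rather than the current pattern.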
References
- github.com/advisories/GHSA-fwv2-65wh-2w8c (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-34231 (NVD advisory)
- github.com/snowflakedb/gosnowflake/commit/e11a2a555f1b9f7adc1f01fb7b5e7f38fbbb2a1c (fix commit)
- github.com/snowflakedb/gosnowflake/pull/757 (pull request)
- github.com/snowflakedb/gosnowflake/security/advisories/GHSA-fwv2-65wh-2w8c (vendor advisory, confirmed)