Background
The correlation ID is used for correlating an asynchronous backend response to the original request. The steps involved, in a nutshell:
- A client connects to an endpoint that has `response_from` set to, e.g., `kafka`.
- RIG forwards the request, but before it does that, it adds a so-called "correlation ID" to the request.
- Back-end services do their thing, while retaining that correlation ID. When they're ready to respond, they produce a message to Kafka that contains the correlation ID.
- RIG decodes the correlation ID, which is actually just the process ID of the still-open client connection. With that `pid`, RIG can finally forward the response.
This works well, but is implemented in a pretty insecure way - the correlation ID doesn't include a signature of any kind, so RIG basically does an `eval` on incoming data => bad. Well, actually it's `binary_to_term`, but still it's quite ugly.
Here's the relevant code:
https://github.com/Accenture/reactive-interaction-gateway/blob/master/apps/rig/lib/rig/connection/codec.ex
How to fix this
The correlation ID doesn't necessarily need to be encrypted, but RIG needs to be able to check the integrity of the string before interpreting it as a process ID. I'd probably go for a signature here, but the algorithm should be chosen by the one who implements this :)
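The integrity check described above, as an added Elixir example that is not RIG's own codec: the pid is still serialised with `term_to_binary`, but an HMAC-SHA256 tag is appended and verified before `binary_to_term` runs with the `:safe` option. The key, the 32-byte tag layout and the OTP 25+ `:crypto.hash_equals/2` call are assumptions of this example.

```elixir
defmodule SignedCorrelationId do
  @moduledoc """
  Added example (not RIG's own codec): a correlation ID that carries an
  HMAC-SHA256 tag, so the pid payload is authenticated before it is
  handed to :erlang.binary_to_term/2.
  """

  # Secret shared by all RIG nodes; constructed placeholder, load it from config.
  @key "replace-with-a-random-32-byte-secret"
  @tag_size 32

  @spec encode(pid()) :: String.t()
  def encode(pid) when is_pid(pid) do
    payload = :erlang.term_to_binary(pid)
    tag = :crypto.mac(:hmac, :sha256, @key, payload)
    Base.url_encode64(payload <> tag, padding: false)
  end

  @spec decode(String.t()) :: {:ok, pid()} | {:error, atom()}
  def decode(id) when is_binary(id) do
    with {:ok, raw} <- Base.url_decode64(id, padding: false),
         {:ok, payload, tag} <- split(raw),
         # constant-time comparison (OTP 25+); an assumed API for this example
         true <- :crypto.hash_equals(tag, :crypto.mac(:hmac, :sha256, @key, payload)),
         pid when is_pid(pid) <- safe_term(payload) do
      {:ok, pid}
    else
      false -> {:error, :bad_signature}
      _ -> {:error, :malformed}
    end
  end

  # Last @tag_size bytes are the HMAC, everything before it is the payload.
  defp split(raw) when byte_size(raw) > @tag_size do
    n = byte_size(raw) - @tag_size
    <<payload::binary-size(n), tag::binary-size(@tag_size)>> = raw
    {:ok, payload, tag}
  end

  defp split(_), do: :error

  # :safe refuses to create new atoms or external fun references while decoding;
  # only reached after the HMAC has been verified.
  defp safe_term(payload) do
    :erlang.binary_to_term(payload, [:safe])
  rescue
    ArgumentError -> :error
  end
end
```

A tampered ID fails the HMAC check before `binary_to_term` ever sees it, so `decode/1` returns `{:error, :bad_signature}` rather than executing an attacker-controlled term.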