GEODE-9676: Limit array and string sizes for unauthenticated Radish connections #6994
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jdeppe-pivotal
requested review from
DonalEvans,
dschneider-pivotal,
kirklund,
nonbinaryprogrammer,
ringles and
upthewaterspout
as code owners
DonalEvans
approved these changes
Oct 13, 2021
...st/java/org/apache/geode/redis/internal/executor/connection/AbstractAuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
...st/java/org/apache/geode/redis/internal/executor/connection/AbstractAuthIntegrationTest.java
Outdated
Show resolved
Hide resolved
...for-redis/src/main/java/org/apache/geode/redis/internal/services/SecurityServiceWrapper.java
Outdated
Show resolved
Hide resolved
...for-redis/src/main/java/org/apache/geode/redis/internal/services/SecurityServiceWrapper.java
Outdated
Show resolved
Hide resolved
dschneider-pivotal
requested changes
Oct 18, 2021
...for-redis/src/main/java/org/apache/geode/redis/internal/services/SecurityServiceWrapper.java
Outdated
Show resolved
Hide resolved
…onnections - This applies the same fix as introduced by CVE-2021-32675 for Redis. Unuathenticated requests limit the size of arrays and bulk strings to 10 and 16384 respectively. Once connections are authenticated, the size restriction is not applied. - Re-enable the relevant Redis TCL test.
jdeppe-pivotal
force-pushed
the
feature/GEODE-9676-unauthd-multibulk
branch
from
e403c0f
to
36fac97
Compare
upthewaterspout
approved these changes
Oct 18, 2021
| @@ -45,12 +50,27 @@ | |||
| */ | |||
| public class ByteToCommandDecoder extends ByteToMessageDecoder { | |||
|
|
|||
| public static final String UNAUTHENTICATED_MAX_ARRAY_SIZE_PARAM = | |||
| "gemfire.geode-for-redis-unauthenticated-max-array-size"; | |||
There was a problem hiding this comment.
I wonder if these properties should be prefixed geode. and not gemfire.?
...st/java/org/apache/geode/redis/internal/executor/connection/AbstractAuthIntegrationTest.java
Show resolved
Hide resolved
dschneider-pivotal
approved these changes
Oct 18, 2021
demery-pivotal
pushed a commit
to demery-pivotal/geode
that referenced
this pull request
Oct 19, 2021
…onnections (apache#6994) - This applies the same fix as introduced by CVE-2021-32675 for Redis. When security is enabled, unuauthenticated requests limit the size of arrays and bulk strings to 10 and 16384 respectively. Once connections are authenticated, the size restriction is not applied. - When security is not enabled, this restriction does not apply. - Re-enable the relevant Redis TCL test.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When security is enabled, unauthenticated requests limit the size of
arrays and bulk strings to 10 and 16384 respectively. Once connections
are authenticated, the size restriction is not applied.
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
Has your PR been rebased against the latest commit within the target branch (typically
develop)?Is your initial contribution a single, squashed commit?
Does
gradlew buildrun cleanly?Have you written or updated unit tests to verify your changes?
If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?