Describe the bug
SecretStringSliceCSV.Set() in pkg/util/flagext/secretstringslicecsv.go:23 uses strings.Split(s, ","), which preserves empty entries. A stray or trailing comma in -distributor.sign-write-requests-keys (e.g. newkey,, or a fat-fingered newkey, ,oldkey) leaves a "" in the key list.
The ingester's NewStreamSigningServerInterceptor(keys...) then accepts the stream when subtle.ConstantTimeCompare(sig, computeStreamHMAC("", orgID)) == 1. Because orgID here is the worker name (ingester-<addr>-stream-push-worker-<N> — documented in pkg/ingester/ingester.go), it isn't a secret. So an empty key collapses HMAC verification to HMAC-SHA256("", <guessable>), i.e. forgeable with no secret.
The distributor still signs with keys[0], so legitimate traffic flows and the misconfiguration is invisible. Net effect: a single dangling comma silently downgrades V01 stream authentication (PR #7475) to no-auth, re-opening the tenant-impersonation surface that V01 closed.
To Reproduce
- Start Cortex with
-distributor.sign-write-requests=true -distributor.sign-write-requests-keys=newkey, (note the trailing comma).
- From a client that knows the worker-name format, sign a
PushStream request with HMAC-SHA256("", "ingester-<addr>-stream-push-worker-0").
- The ingester accepts the forged signature.
Expected behavior
SecretStringSliceCSV.Set() should TrimSpace each entry and drop or reject empty entries. If trimming leaves zero valid keys, return an error from Set(). Equivalently, the ingester's stream interceptor should refuse to construct over an empty-string key.
Environment:
Additional Context
Describe the bug
SecretStringSliceCSV.Set()inpkg/util/flagext/secretstringslicecsv.go:23usesstrings.Split(s, ","), which preserves empty entries. A stray or trailing comma in-distributor.sign-write-requests-keys(e.g.newkey,, or a fat-fingerednewkey, ,oldkey) leaves a""in the key list.The ingester's
NewStreamSigningServerInterceptor(keys...)then accepts the stream whensubtle.ConstantTimeCompare(sig, computeStreamHMAC("", orgID)) == 1. BecauseorgIDhere is the worker name (ingester-<addr>-stream-push-worker-<N>— documented inpkg/ingester/ingester.go), it isn't a secret. So an empty key collapses HMAC verification toHMAC-SHA256("", <guessable>), i.e. forgeable with no secret.The distributor still signs with
keys[0], so legitimate traffic flows and the misconfiguration is invisible. Net effect: a single dangling comma silently downgrades V01 stream authentication (PR #7475) to no-auth, re-opening the tenant-impersonation surface that V01 closed.To Reproduce
-distributor.sign-write-requests=true -distributor.sign-write-requests-keys=newkey,(note the trailing comma).PushStreamrequest withHMAC-SHA256("", "ingester-<addr>-stream-push-worker-0").Expected behavior
SecretStringSliceCSV.Set()shouldTrimSpaceeach entry and drop or reject empty entries. If trimming leaves zero valid keys, return an error fromSet(). Equivalently, the ingester's stream interceptor should refuse to construct over an empty-string key.Environment:
-distributor.sign-write-requests=true.release-1.21(V01 backport in PR Backport security audit fixes (V01-V07), snappy gRPC fix, and stream push panic fix to release-1.21 #7574).Additional Context
TrimSpaceinSet(), drop empties, error if nothing valid is left. Two test cases (newkey,anda,,b) lock in the behaviour.release-1.21once landed.