-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potentially Incorrect Expiration Mechanisms #182
Comments
@astutejoe: Ah, you are absolutely correct! I ran into the same issue in my own project but forgot about it because I was able to mitigate against it with other measures. The day expiration comes from the Yeah this is definitely a bug 🐛 |
@tarikki I'll try submitting a pull request today using the same mechanism that is used to expire group memberships (sorted sets). |
Great! I also came up with something to fix this, will try to come back to it after work (timezone Europe/Helsinki). |
@astutejoe there seems to be an issue when using bzpopmin in core.py. The code should be as follows:
|
Very good catch @PelegMedia, I commited a fix. Really appreciate you testing this out for me. |
Hi @astutejoe , We found a problem with one of the usage done with REDIS-lua. It may cause the memory to fill up and possibly reach the maximum memory. REDIS save each script in a cache store (forever), even if you execute it only once. To solve this issue you have to send the parameters as part of the arguments, while keeping the script code identical on each eval. The core.py code uses 3 calls to "eval". The third one, for "group_send_lua" has the problem. I think the best solution will be to pass the "expiry" data as one of the ARGV items. |
@PelegMedia Very good catch!! I'll try introducing that fix later. |
👋 @astutejoe, Gur from Snyk here Would you say this bug has a real security implication? If so, we would like to add it to our vulnerability database. Feel free to reach out at report@snyk.io to provide more details and context. |
I'm having tons of problems with channels on my Redis at the moment, after studying carefully the problem I realized that the expiration mechanisms don't work as I expected, first lemme quote the Django Channels specification so we're on the same page expectations-wise:
Message expiration
From what I saw the message backlog is saved as asgi:specific.$random12 and the TTL of that key is 60 seconds, and its expiry is being reset for every message (https://github.com/django/channels_redis/blob/master/channels_redis/core.py#L306). This leads to the behavior that messages actually last an infinite amount of time as long as there are new messages being sent, not the 60 seconds per message I expected after reading the documentation and all the READMEs.
My problem: a connection isn't cleanly closed so the group membership is not discarded, leaving that connection with a huge backlog (I've set the capacity to 100000, everything else is the default) that only expires after a day (not 60 seconds). This is consuming a lot of Redis memory in my case and even with a default channel capacity can potentially lead to a mild DoS.
I'm using:
channels-redis 2.4.2
channels 2.4.0
django 3.0.4
My structure:
Redis <- Uvicorn <- Gunicorn <- Nginx <- AWS ELB <- AWS CloudFront
Are my assumptions and expectations correct? If so I will start doing some code for channel_redis. Thanks!!
The text was updated successfully, but these errors were encountered: