Handle tls connection during cancellation #227
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
seriyps
requested changes
Mar 20, 2020
…o make use of the newly introduced fun, open_socket
…he epgsql_sock state
enidgjoleka
force-pushed
the
handle-tls-connection-during-cancellation
branch
from
8826bac
to
0709950
Compare
enidgjoleka
commented
Mar 25, 2020
seriyps
approved these changes
Mar 25, 2020
| Self = self(), | ||
| spawn_link(fun() -> | ||
| ?assertMatch(?QUERY_CANCELED, Module:equery(C, "SELECT pg_sleep(5)")), | ||
| Self ! done |
There was a problem hiding this comment.
another option is to send the result to Self and assert in receiver:
Self ! {done, Module:equery(C, "..")}
end,
<..>
receive {done, Result} ->
?assertMatch(?QUERY_CANCELLED, Result)
after ....
…uced tests, handle open_socket/x results better while cancelling the query
enidgjoleka
force-pushed
the
handle-tls-connection-during-cancellation
branch
from
07cd20f
to
4ae561e
Compare
|
It would be nice if I could get some traction on this PR. |
|
Merged! Sorry for the slow response. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
Looking at the
epgsql:cancel/xit appears likeepgsqlopens a new temporary TCP connection and sends the cancellation request. This is fine for applications which uses normal non-TLS connections.However, if we are dealing with an application which uses TLS connections for all its queries except for the cancellation request then we might open ourselves to the man-in-the-middle-attack.
The attacker can in theory listen to our cancellation request and detect the previously generated secret key during the connection establishment of the original connection.
Once the attacker gets hold of that key while the original connection can still accept queries even after its last query was cancelled then the attacker can in theory cancel all the queries fired from the original connection.
This PR tries to address this issue.
I decided to rewrite part of
epgsql_cmd_connectto better decouple opening a socket with the rest of the logic. This newly introduced function,open_socket/x, was then called fromepgsql_sock.erlduring the cancellation.Please let me know if I missed something!