fix: Prevent panic in GetMetrics gRPC handler on invalid input#1291
Merged
fix: Prevent panic in GetMetrics gRPC handler on invalid input#1291
Conversation
Replace unwrap() with proper error handling in get_metrics method to avoid panic on malformed input. Return error responses instead of crashing the worker thread, improving service stability and preventing DoS attacks. - Use Result matching for MetricType and CollectMetricsOpts deserialization - Add error logging for debugging - Return structured error responses on failure
Contributor
Dependency ReviewThe following issues were found:
License IssuesCargo.lock
OpenSSF ScorecardScorecard details
Scanned Files
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a critical security vulnerability where malformed gRPC GetMetrics requests could cause a panic in the handler thread due to unchecked unwrap() on deserialization. Additionally, it refactors the Credentials struct into a new dedicated crate (rustfs-credentials) to improve code organization and reduce circular dependencies, and enhances gRPC authentication by making the auth token configurable via environment variable.
Key Changes:
- Replaced
unwrap()with proper error handling inget_metricsgRPC handler to prevent DoS attacks - Extracted
Credentialsstruct and related functions into newrustfs-credentialscrate - Made gRPC auth token configurable via
RUSTFS_GRPC_AUTH_TOKENenvironment variable with secure fallback
Reviewed changes
Copilot reviewed 35 out of 38 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| rustfs/src/storage/tonic_service.rs | Added graceful error handling for metric_type and opts deserialization, preventing panics on invalid input with proper error responses and logging |
| rustfs/src/storage/ecfs.rs | Updated import to use rustfs_credentials::Credentials instead of rustfs_policy::auth::Credentials |
| rustfs/src/storage/access.rs | Updated Credentials type references and removed redundant rustfs_policy::auth import |
| rustfs/src/server/http.rs | Enhanced gRPC auth token handling with environment variable support and secure fallback mechanism |
| rustfs/src/main.rs | Updated to use rustfs_credentials::init_global_action_credentials instead of rustfs_ecstore version |
| rustfs/src/auth.rs | Updated all Credentials imports and added comprehensive documentation for authentication helper functions |
| rustfs/src/admin/handlers/*.rs | Updated imports across admin handlers to use rustfs_credentials::get_global_action_cred |
| rustfs/Cargo.toml | Added rustfs-credentials dependency to main rustfs crate |
| crates/utils/src/lib.rs | Made obj module conditional on "obj" feature flag for better feature management |
| crates/utils/Cargo.toml | Added "obj" feature flag and updated "full" feature to include it |
| crates/protos/src/lib.rs | Enhanced gRPC client authentication with configurable token via environment variable |
| crates/protos/Cargo.toml | Added rustfs-config and rustfs-credentials dependencies |
| crates/policy/src/auth/mod.rs | Updated to import Credentials from rustfs_credentials and added documentation for UserIdentity constructor |
| crates/policy/src/auth/credentials.rs | Removed Credentials struct definition (moved to rustfs-credentials), retained credential generation and validation functions |
| crates/policy/Cargo.toml | Added rustfs-credentials dependency |
| crates/iam/src/sys.rs | Updated to use rustfs_credentials::Credentials and get_global_action_cred |
| crates/iam/src/store/object.rs | Updated import to use rustfs_credentials::get_global_action_cred |
| crates/iam/src/manager.rs | Updated Credentials imports to use rustfs_credentials |
| crates/iam/Cargo.toml | Added rustfs-credentials dependency |
| crates/filemeta/src/replication.rs | Migrated from lazy_static to std::sync::LazyLock for REPL_STATUS_REGEX |
| crates/filemeta/Cargo.toml | Removed lazy_static dependency (replaced with std::sync::LazyLock) |
| crates/ecstore/src/rpc/http_auth.rs | Updated import to use rustfs_credentials::get_global_action_cred |
| crates/ecstore/src/global.rs | Removed Credentials-related code (moved to rustfs-credentials crate) |
| crates/ecstore/README_cn.md | Deleted Chinese documentation file |
| crates/ecstore/Cargo.toml | Added rustfs-credentials dependency and reorganized dependencies for better clarity |
| crates/credentials/src/lib.rs | New module entry point that re-exports credentials module |
| crates/credentials/src/credentials.rs | New file containing Credentials struct and global credential management functions |
| crates/credentials/Cargo.toml | New crate manifest for rustfs-credentials |
| crates/config/src/constants/app.rs | Added ENV_GRPC_AUTH_TOKEN constant for configurable gRPC authentication |
| Cargo.toml | Added rustfs-credentials to workspace members and dependencies |
| Cargo.lock | Updated lockfile with rustfs-credentials and related dependency changes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
15 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 37 out of 39 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ler (#1292) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 38 out of 40 changed files in this pull request and generated 7 comments.
Comments suppressed due to low confidence (1)
crates/ecstore/README_cn.md:1
- The deletion of
README_cn.md(Chinese documentation) appears unrelated to the stated PR purpose of fixing a security vulnerability in the GetMetrics gRPC handler. Consider moving this change to a separate PR focused on documentation cleanup to keep changes focused and easier to review.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 42 out of 44 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
lgpseu
pushed a commit
to lgpseu/rustfs
that referenced
this pull request
Dec 31, 2025
…s#1291) Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
houseme
added a commit
that referenced
this pull request
Jan 7, 2026
* 'main' of github.com:rustfs/rustfs: fix: Prevent panic in GetMetrics gRPC handler on invalid input (#1291) Modular Makefile (#1288) fix:ListObjects and ListObjectV2 correctly handles unordered and delimiter (#1285) fix: ensure version_id is returned in S3 response headers (#1272) feat: add function to extract user-defined metadata keys and integrat… (#1281) helm: update default Chart.yaml, appVersion version bump, add appVersion as a default image tag (#1247) fix:affinity.podAntiAffinity.enabled value not taking effect (#1280) fix: prevent PV/PVC deletion during rustfs uninstallation (#1279) # Conflicts: # Cargo.lock
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
Summary of Changes
This PR addresses a security vulnerability where malformed gRPC GetMetrics requests could cause a panic in the handler thread due to unchecked
unwrap()on deserialization. The fix replacesunwrap()with properResulthandling, returning error responses instead of crashing, thus preventing remote denial of service attacks.Key Changes:
get_metricsinrustfs/src/storage/tonic_service.rsto handle deserialization failures gracefully.Checklist
make pre-commitImpact
Additional Notes