Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move auth check to the front #1475

Open
wants to merge 5 commits into
base: unstable
Choose a base branch
from

Conversation

enjoy-binbin
Copy link
Member

@enjoy-binbin enjoy-binbin commented Dec 23, 2024

When requirepass is enabled, we want command calls to return NOAUTH
instead of ERR with the error message.

Previously, these checks were all before the auth check:

  • command existence exist
  • command arity check
  • command protected check

This may expose information such as whether the server supports the
command, whether the configuration item is enabled, etc. This is more
of a consistency issue as the same error message is returned when
requirepass is enabled, not a security issue.

This is a behavior change, though perhaps not a breaking one.

When requirepass is enabled, we want command calls to return NOAUTH
instead of ERR with the error message. Otherwise this reveals that
we have disabled the configuration in the server side.

Signed-off-by: Binbin <[email protected]>
Copy link

codecov bot commented Dec 23, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.94%. Comparing base (d00c856) to head (bbdba23).
Report is 37 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #1475      +/-   ##
============================================
+ Coverage     70.86%   70.94%   +0.08%     
============================================
  Files           119      120       +1     
  Lines         64852    65004     +152     
============================================
+ Hits          45958    46120     +162     
+ Misses        18894    18884      -10     
Files with missing lines Coverage Δ
src/networking.c 88.44% <100.00%> (+0.08%) ⬆️
src/server.c 87.58% <100.00%> (+0.11%) ⬆️

... and 56 files with indirect coverage changes

src/server.c Outdated
@@ -4006,21 +4006,6 @@ int processCommand(client *c) {
rejectCommandSds(c, err);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't your argument also extend to these two checks? You can check if the server has passwords enabled by sending both an invalid command or a command that doesn't exist.

127.0.0.1:6379> set Foo
(error) ERR wrong number of arguments for 'set' command
127.0.0.1:6379> set FOO BAR
(error) NOAUTH Authentication required.
127.0.0.1:6379> bah
(error) ERR unknown command 'bah', with args beginning with: 

Seems like we should cover them all.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, I have thought of this too, and think this check can be put in advance, but it makes sense, I will cover them together.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the other hand, this can let people check whether the server supports xxx command

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe AUTH is primarily intended to protect user data. I understand the consistency concern regarding returning the same error message when AUTH is validated, but I don’t see a security issue with revealing a command's presence, arity, or protected status?

BTW, this is a behavior change, though perhaps not a breaking one.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe AUTH is primarily intended to protect user data

i think it should protect everything according to the existing code.

I understand the consistency concern regarding returning the same error message when AUTH is validated, but I don’t see a security issue with revealing a command's presence, arity, or protected status?

yes, it is not a security issue, i just think it's better this way

BTW, this is a behavior change, though perhaps not a breaking one.

yes, it is a behavior change but i guess it is safe.

@enjoy-binbin enjoy-binbin changed the title Move the CMD_PROTECTED check to after the auth check Move auth check to the front Dec 24, 2024
@PingXie PingXie added the release-notes This issue should get a line item in the release notes label Jan 6, 2025
@madolson
Copy link
Member

madolson commented Jan 9, 2025

BTW, this is a behavior change, though perhaps not a breaking one.

I don't think it's a breaking change since it is moving from error -> error case. I would just list it as a release.

I'm also OK with the change atm, but it looks like there are still some tests that need to get fixed.

@zuiderkwast zuiderkwast added the run-extra-tests Run extra tests on this PR (Runs all tests from daily except valgrind and RESP) label Jan 9, 2025
@madolson
Copy link
Member

Maybe we should leave this until 9.0 though, just so that we have the safer boundary of the major version to claim we are making a behavior change. I agree that it makes sense to raise the security bar, but I don't think it's all that important if it's in 8.1 or 9.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release-notes This issue should get a line item in the release notes run-extra-tests Run extra tests on this PR (Runs all tests from daily except valgrind and RESP)
Projects
Status: No status
Development

Successfully merging this pull request may close these issues.

4 participants