-
Notifications
You must be signed in to change notification settings - Fork 696
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move auth check to the front #1475
base: unstable
Are you sure you want to change the base?
Move auth check to the front #1475
Conversation
When requirepass is enabled, we want command calls to return NOAUTH instead of ERR with the error message. Otherwise this reveals that we have disabled the configuration in the server side. Signed-off-by: Binbin <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## unstable #1475 +/- ##
============================================
+ Coverage 70.86% 70.94% +0.08%
============================================
Files 119 120 +1
Lines 64852 65004 +152
============================================
+ Hits 45958 46120 +162
+ Misses 18894 18884 -10
|
src/server.c
Outdated
@@ -4006,21 +4006,6 @@ int processCommand(client *c) { | |||
rejectCommandSds(c, err); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't your argument also extend to these two checks? You can check if the server has passwords enabled by sending both an invalid command or a command that doesn't exist.
127.0.0.1:6379> set Foo
(error) ERR wrong number of arguments for 'set' command
127.0.0.1:6379> set FOO BAR
(error) NOAUTH Authentication required.
127.0.0.1:6379> bah
(error) ERR unknown command 'bah', with args beginning with:
Seems like we should cover them all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, I have thought of this too, and think this check can be put in advance, but it makes sense, I will cover them together.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the other hand, this can let people check whether the server supports xxx command
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe AUTH
is primarily intended to protect user data. I understand the consistency concern regarding returning the same error message when AUTH is validated, but I don’t see a security issue with revealing a command's presence, arity, or protected status?
BTW, this is a behavior change, though perhaps not a breaking one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe AUTH is primarily intended to protect user data
i think it should protect everything according to the existing code.
I understand the consistency concern regarding returning the same error message when AUTH is validated, but I don’t see a security issue with revealing a command's presence, arity, or protected status?
yes, it is not a security issue, i just think it's better this way
BTW, this is a behavior change, though perhaps not a breaking one.
yes, it is a behavior change but i guess it is safe.
Signed-off-by: Binbin <[email protected]>
Signed-off-by: Binbin <[email protected]>
Signed-off-by: Binbin <[email protected]>
I don't think it's a breaking change since it is moving from error -> error case. I would just list it as a release. I'm also OK with the change atm, but it looks like there are still some tests that need to get fixed. |
Signed-off-by: Binbin <[email protected]>
Maybe we should leave this until 9.0 though, just so that we have the safer boundary of the major version to claim we are making a behavior change. I agree that it makes sense to raise the security bar, but I don't think it's all that important if it's in 8.1 or 9.0. |
When requirepass is enabled, we want command calls to return NOAUTH
instead of ERR with the error message.
Previously, these checks were all before the auth check:
This may expose information such as whether the server supports the
command, whether the configuration item is enabled, etc. This is more
of a consistency issue as the same error message is returned when
requirepass is enabled, not a security issue.
This is a behavior change, though perhaps not a breaking one.