Skip to content

Fix cluster AUX-field control-character and delimiter injection#3848

Merged
ranshid merged 8 commits into
valkey-io:unstablefrom
eifrah-aws:security-fix-cluster-aux-injection
Jun 3, 2026
Merged

Fix cluster AUX-field control-character and delimiter injection#3848
ranshid merged 8 commits into
valkey-io:unstablefrom
eifrah-aws:security-fix-cluster-aux-injection

Conversation

@eifrah-aws

Copy link
Copy Markdown
Contributor

Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt nodes.conf parsing or enable injection of crafted node entries on restart.

Additionally, add a validator for cluster-announce-ip which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file.

Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt nodes.conf parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for cluster-announce-ip which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@coderabbitai

coderabbitai Bot commented May 27, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Harden AUX-field validation: tighten per-character checks in cluster code, add a validator for cluster-announce-ip enforcing length and character rules, and add unit tests validating rejection of control/delimiter characters and acceptance of valid IPv4/IPv6 values.

Changes

Cluster AUX Field Validation Hardening

Layer / File(s) Summary
Core validation function strengthening
src/cluster.c
isValidAuxChar() now takes unsigned char, explicitly rejects ASCII control characters (0x00–0x1F) and DEL (0x7F), and validates against an expanded invalid-character set that includes space and additional delimiters/special characters.
Config validator wiring
src/config.c
Adds isValidAnnouncedIp() which enforces NET_IP_STR_LEN and per-character validation via isValidAuxString(), and registers it as is_valid_fn for cluster-announce-ip while keeping updateClusterIp as the apply hook.
Validation test coverage
tests/unit/cluster/cluster-aux-field-validation.tcl
New unit tests assert CONFIG SET rejects control characters (newline, CR, NUL, tab) and disallowed delimiters (space, comma, equals) for cluster-announce-ip, verify acceptance of valid IPv4/IPv6 and stored values, add length-limit rejection and allowed-character/UTF‑8 acceptance tests, and add negative tests for cluster-announce-human-nodename.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main security-focused changes: hardening AUX-field validation to prevent control-character and delimiter injection attacks.
Description check ✅ Passed The description is directly related to the changeset, detailing both the hardening of isValidAuxChar() to reject control characters and delimiters, and the addition of cluster-announce-ip validation.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown

❌ Provenance Check Alert

Potential code similarities detected with upstream repository.

  • 2026-05-27 13:55:32 [INFO] - matches redis/redis PR #15173 (similarity: 0.865, method: file_simhash+deep); file pairs: src/config.c <- src/config.c
  • 2026-05-27 13:55:32 [INFO] - matches redis/redis PR #15172 (similarity: 0.865, method: file_simhash+deep); file pairs: src/config.c <- src/config.c
  • 2026-05-27 13:55:32 [INFO] - matches redis/redis PR #15170 (similarity: 0.865, method: file_simhash+deep); file pairs: src/config.c <- src/config.c
  • 2026-05-27 13:55:32 [INFO] - matches redis/redis PR #15169 (similarity: 0.865, method: file_simhash+deep); file pairs: src/config.c <- src/config.c
  • 2026-05-27 13:55:32 [INFO] - matches redis/redis PR #15168 (similarity: 0.865, method: file_simhash+deep); file pairs: src/config.c <- src/config.c

This check was performed automatically by the Provenance Guard Action.

@eifrah-aws eifrah-aws mentioned this pull request May 27, 2026
@eifrah-aws

Copy link
Copy Markdown
Contributor Author

❌ Provenance Check Alert

This code exists in Redis 7.2.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
tests/unit/cluster/cluster-aux-field-validation.tcl (1)

36-52: ⚡ Quick win

Add assertions for = and single-quote rejection.

Line 36 onward covers several newly blocked delimiters, but not = or ', which are also now rejected by isValidAuxChar. Add explicit CONFIG SET rejection tests for those characters to fully lock in the hardening behavior.

Proposed test additions
+    test "cluster-announce-ip rejects equals sign" {
+        assert_error "ERR CONFIG SET failed*cluster-announce-ip*invalid character*" {
+            R 0 CONFIG SET cluster-announce-ip "10.0.0.1=evil"
+        }
+    }
+
+    test "cluster-announce-ip rejects single quote" {
+        assert_error "ERR CONFIG SET failed*cluster-announce-ip*invalid character*" {
+            R 0 CONFIG SET cluster-announce-ip "10.0.0.1'evil"
+        }
+    }
As per coding guidelines `tests/**/*: Write integration tests for commands in tests/ directory`.

Also applies to: 64-74

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/cluster/cluster-aux-field-validation.tcl` around lines 36 - 52,
Add two new test cases in the same style as the existing tests
("cluster-announce-ip rejects comma", "cluster-announce-ip rejects backslash",
"cluster-announce-ip rejects double quote") to assert that CONFIG SET rejects
'=' and single-quote characters; use the same assert_error pattern and message
glob "ERR CONFIG SET failed*cluster-announce-ip*invalid character*" and the same
R 0 CONFIG SET invocation but with values "10.0.0.1=evil" and "10.0.0.1'evil"
(mirror the existing tests' structure so they appear adjacent to the current
tests for cluster-announce-ip).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/unit/cluster/cluster-aux-field-validation.tcl`:
- Around line 36-52: Add two new test cases in the same style as the existing
tests ("cluster-announce-ip rejects comma", "cluster-announce-ip rejects
backslash", "cluster-announce-ip rejects double quote") to assert that CONFIG
SET rejects '=' and single-quote characters; use the same assert_error pattern
and message glob "ERR CONFIG SET failed*cluster-announce-ip*invalid character*"
and the same R 0 CONFIG SET invocation but with values "10.0.0.1=evil" and
"10.0.0.1'evil" (mirror the existing tests' structure so they appear adjacent to
the current tests for cluster-announce-ip).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5cc2bd27-98f2-4b28-ba6e-9ee65a8d7a6c

📥 Commits

Reviewing files that changed from the base of the PR and between 8ee3fd7 and 0a57d0d.

📒 Files selected for processing (3)
  • src/cluster.c
  • src/config.c
  • tests/unit/cluster/cluster-aux-field-validation.tcl

@codecov

codecov Bot commented May 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.72%. Comparing base (7abe49a) to head (3453e6d).
⚠️ Report is 4 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3848      +/-   ##
============================================
+ Coverage     76.65%   76.72%   +0.07%     
============================================
  Files           162      162              
  Lines         80694    80735      +41     
============================================
+ Hits          61857    61945      +88     
+ Misses        18837    18790      -47     
Files with missing lines Coverage Δ
src/cluster.c 92.42% <100.00%> (ø)
src/config.c 78.93% <100.00%> (+0.46%) ⬆️

... and 23 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sarthakaggarwal97 sarthakaggarwal97 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly looks good to me. Minor comment.

Comment thread src/config.c

@ranshid ranshid left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will be a breaking change. cluster-announce-human-nodename already used isValidAuxString (via isValidAnnouncedNodename). With this PR, several characters that were previously accepted in human nodenames are now rejected: ,, =, ", ', , space, and all control bytes

@zuiderkwast

Copy link
Copy Markdown
Contributor

I think this will be a breaking change. cluster-announce-human-nodename already used isValidAuxString (via isValidAnnouncedNodename). With this PR, several characters that were previously accepted in human nodenames are now rejected: ,, =, ", ', , space, and all control bytes

@ranshid As mentioned above, some of these characters corrupt nodes.conf, for example a space, because the columns in nodes.conf are space-separated, so it's already broken - nodes.conf can't be read after restart if e.g. numan-nodename contains a space.

Comment thread src/cluster.c Outdated
Comment thread src/cluster.c Outdated
- Make isValidAuxChar static with unsigned char parameter
- Add NET_IP_STR_LEN length check to isValidAnnouncedIp
- Reduce invalid_charset to only nodes.conf-breaking characters
- Add equals-sign rejection test, remove quote/backslash tests

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@eifrah-aws eifrah-aws requested review from ranshid and zuiderkwast May 31, 2026 16:08

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
tests/unit/cluster/cluster-aux-field-validation.tcl (1)

48-56: ⚡ Quick win

Consider adding test coverage for the length limit.

The validator isValidAnnouncedIp (snippet 2) includes a separate check for length (>= NET_IP_STR_LEN) that produces a distinct error message. Adding a test case for an overly long IP string would exercise that validation path.

📝 Example test case
test "cluster-announce-ip rejects too-long value" {
    assert_error "ERR CONFIG SET failed*cluster-announce-ip*too long*" {
        R 0 CONFIG SET cluster-announce-ip [string repeat "a" 100]
    }
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/cluster/cluster-aux-field-validation.tcl` around lines 48 - 56,
Add a unit test that asserts setting cluster-announce-ip with a string longer
than NET_IP_STR_LEN triggers the specific "too long" validation error; update
tests/unit/cluster/cluster-aux-field-validation.tcl by adding a test (similar to
the provided example) that calls R 0 CONFIG SET cluster-announce-ip with a
repeated long string and uses assert_error to match the "ERR CONFIG SET
failed*cluster-announce-ip*too long*" message so the isValidAnnouncedIp
length-check path is exercised.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/unit/cluster/cluster-aux-field-validation.tcl`:
- Around line 48-56: Add a unit test that asserts setting cluster-announce-ip
with a string longer than NET_IP_STR_LEN triggers the specific "too long"
validation error; update tests/unit/cluster/cluster-aux-field-validation.tcl by
adding a test (similar to the provided example) that calls R 0 CONFIG SET
cluster-announce-ip with a repeated long string and uses assert_error to match
the "ERR CONFIG SET failed*cluster-announce-ip*too long*" message so the
isValidAnnouncedIp length-check path is exercised.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 92151e09-4ba8-482e-9f1c-c2a23c68616c

📥 Commits

Reviewing files that changed from the base of the PR and between 0a57d0d and 13d4e7f.

📒 Files selected for processing (3)
  • src/cluster.c
  • src/config.c
  • tests/unit/cluster/cluster-aux-field-validation.tcl
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/cluster.c
  • src/config.c

@ranshid ranshid left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two follow-ups on the latest revision — a stale comment in src/cluster.c and a few test additions to lock in the deliberately-narrow charset and exercise the new length check.

Comment thread src/cluster.c Outdated
Comment thread tests/unit/cluster/cluster-aux-field-validation.tcl
- cluster-announce-human-nodename rejects comma and equals (symmetry
  with the cluster-announce-ip cases, locks in breaking-change behavior)
- cluster-announce-ip length-limit test (exercises NET_IP_STR_LEN branch)
- Positive lock-in tests for deliberately-allowed chars (hyphen, dot,
  colon, slash, underscore) and high-byte UTF-8

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@eifrah-aws eifrah-aws requested a review from ranshid June 1, 2026 07:55

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/unit/cluster/cluster-aux-field-validation.tcl`:
- Around line 64-67: The test currently checks cluster-announce-ip with hyphen,
dot, colon, slash, and underscore but omits backslash, double-quote, and
single-quote; update the test case in cluster-announce-ip accepts hyphen, dot,
colon, slash, underscore to also assert that values containing backslash (\),
double-quote ("), and single-quote (') are accepted by CONFIG SET/GET (e.g., add
R 0 CONFIG SET cluster-announce-ip "host\\name", "host\"name", and "host'name"
style assertions) so the behavior of isValidAuxChar is fully covered.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 876af3e8-a142-4ddd-aff9-e79dbf03dfe8

📥 Commits

Reviewing files that changed from the base of the PR and between 88ec9b5 and 072602d.

📒 Files selected for processing (1)
  • tests/unit/cluster/cluster-aux-field-validation.tcl

Comment thread tests/unit/cluster/cluster-aux-field-validation.tcl
Signed-off-by: Eran Ifrah <eifrah@amazon.com>

@ranshid ranshid left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approach is sound — centralizing on isValidAuxString covers cluster-announce-human-nodename and the AZ aux field through one chokepoint, and adding a validator to cluster-announce-ip closes a real gap (it had a NULL validator).

Comment thread src/cluster.c Outdated
Comment thread src/cluster.c
Comment thread tests/unit/cluster/cluster-aux-field-validation.tcl
@ranshid ranshid moved this to To be backported in Valkey 7.2 Jun 1, 2026
@ranshid

ranshid commented Jun 3, 2026

Copy link
Copy Markdown
Member

@zuiderkwast I approved the last revision. ping you if you want to take a final look (otherwise will merge it later today)

@eifrah-aws

Copy link
Copy Markdown
Contributor Author

Looks like I merged from the wrong branch... I need to fix the commit list before we can merge this.

Add double-quote, single-quote, and backslash to invalid_charset in
isValidAuxChar to forestall ambiguity with potential future
quote/escape-aware nodes.conf formats. Add matching test coverage for
cluster-announce-ip and cluster-announce-human-nodename.

This is a breaking change for any existing values containing these
characters; agreed with Valkey maintainers.

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@eifrah-aws eifrah-aws force-pushed the security-fix-cluster-aux-injection branch from 55d884c to 3453e6d Compare June 3, 2026 09:21

@zuiderkwast zuiderkwast left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread src/cluster.c Outdated
Extend the range check from 0x1F to ',' (0x2C) to cover all characters
that were previously listed explicitly in invalid_charset. Remove the
now-redundant entries from the charset and update both comments to
accurately describe what each check rejects.

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@ranshid ranshid merged commit d7384b9 into valkey-io:unstable Jun 3, 2026
60 of 61 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress / Needs Review to To be backported in Valkey 8.1 Jun 3, 2026
@eifrah-aws eifrah-aws deleted the security-fix-cluster-aux-injection branch June 4, 2026 06:44
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 5, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 5, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 5, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
hpatro pushed a commit to hpatro/valkey that referenced this pull request Jun 5, 2026
…ey-io#3848)

Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Signed-off-by: Harkrishn Patro <h_patro@apple.com>
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 6, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 10, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
ranshid added a commit that referenced this pull request Jun 11, 2026
# Backport sweep for 9.1

Automated cherry-picks from PRs marked "To be backported".

## Applied

| Source PR | Title | Detail |
|---|---|---|
| #3743 | Fix buffered_reply assert in HFE commands with module keyspace
notifications | cherry-picked in a prior sweep |
| #3766 | Fix flaky block_keyspace_notification test for HGETDEL notify
race | cherry-picked in a prior sweep |
| #3800 | Fix heap-use-after-free in ACL LOAD when client free is
deferred | cherry-picked in a prior sweep |
| #3723 | Fix double-finish and RESP reply violation in cluster slot
migration | cherry-picked in a prior sweep |
| #3872 | Redacting customer information when hide_user_data_from_log is
true in rdb.c, networking.c, debug.c and t_hash | cherry-picked in a
prior sweep |
| #3846 | Fix use-after-free in VM_RegisterClusterMessageReceiver |
cherry-picked in a prior sweep |
| #3806 | Add ALL_DBS flag to CLUSTER FLUSHSLOT for database-level ACL |
cherry-picked in a prior sweep |
| #3847 | Harden SENTINEL commands and config rewrite against
control-character injection | |
| #3801 | Validate every DB clause in COPY against ACL db= permissions |
|
| #3851 | Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token | |
| #3848 | Fix cluster AUX-field control-character and delimiter
injection | |
| #3544 | Revert "IO-Threads redesign cleanup work (#3544)" |
cherry-picked in a prior sweep |
| #3888 | Report exact dbid for COPY in ACL LOG when db= access is
denied | conflicts resolved by Claude Code |
| #3942 | Fix shard_id format specifier in UPDATE message log |  |
| #3941 | Avoid random() % 0 undefined behaviour when
cluster-node-timeout < 30 | |

---
*Generated by valkey-ci-agent using Claude Code.*

---------

Signed-off-by: Binbin <binloveplay1314@qq.com>
Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
Signed-off-by: chx9 <lovelypiska@outlook.com>
Signed-off-by: zackcam <zackcam@amazon.com>
Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Signed-off-by: akash kumar <akumdev@amazon.com>
Co-authored-by: Binbin <binloveplay1314@qq.com>
Co-authored-by: Ran Shidlansik <ranshid@amazon.com>
Co-authored-by: lovelypiska <lovelypiska@outlook.com>
Co-authored-by: zackcam <zackcam@amazon.com>
Co-authored-by: eifrah-aws <eifrah@amazon.com>
Co-authored-by: jjuleslasarte <jules.lasarte@gmail.com>
Co-authored-by: Jules Lasarte <lasartej@amazon.com>
Co-authored-by: Akash Kumar <45854686+akashkgit@users.noreply.github.com>
@sarthakaggarwal97 sarthakaggarwal97 moved this from To be backported to Done in Valkey 9.1 Jun 15, 2026
sarthakaggarwal97 pushed a commit that referenced this pull request Jun 17, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@valkeyrie-ops valkeyrie-ops Bot moved this from To be backported to Done in Valkey 7.2 Jun 17, 2026
sarthakaggarwal97 pushed a commit that referenced this pull request Jun 18, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
@valkeyrie-ops valkeyrie-ops Bot moved this from To be backported to Done in Valkey 8.0 Jun 18, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 21, 2026
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
sarthakaggarwal97 added a commit to sarthakaggarwal97/valkey that referenced this pull request Jun 24, 2026
…ey-io#3848) (#348)

Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F)
and format-significant delimiters (comma, equals, quotes, backslash,
space) that could corrupt `nodes.conf` parsing or enable injection of
crafted node entries on restart.

Additionally, add a validator for `cluster-announce-ip` which previously
had no input validation, allowing arbitrary bytes to be persisted into
the cluster config file.

---------

Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Co-authored-by: eifrah-aws <eifrah@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done
Status: Done
Status: To be backported
Status: To be backported
Status: Done

Development

Successfully merging this pull request may close these issues.

5 participants