Fix cluster AUX-field control-character and delimiter injection#3848
Conversation
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt nodes.conf parsing or enable injection of crafted node entries on restart. Additionally, add a validator for cluster-announce-ip which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. Signed-off-by: Eran Ifrah <eifrah@amazon.com>
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughHarden AUX-field validation: tighten per-character checks in cluster code, add a validator for ChangesCluster AUX Field Validation Hardening
🎯 3 (Moderate) | ⏱️ ~20 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
❌ Provenance Check AlertPotential code similarities detected with upstream repository.
This check was performed automatically by the Provenance Guard Action. |
This code exists in Redis 7.2. |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
tests/unit/cluster/cluster-aux-field-validation.tcl (1)
36-52: ⚡ Quick winAdd assertions for
=and single-quote rejection.Line 36 onward covers several newly blocked delimiters, but not
=or', which are also now rejected byisValidAuxChar. Add explicitCONFIG SETrejection tests for those characters to fully lock in the hardening behavior.As per coding guidelines `tests/**/*: Write integration tests for commands in tests/ directory`.Proposed test additions
+ test "cluster-announce-ip rejects equals sign" { + assert_error "ERR CONFIG SET failed*cluster-announce-ip*invalid character*" { + R 0 CONFIG SET cluster-announce-ip "10.0.0.1=evil" + } + } + + test "cluster-announce-ip rejects single quote" { + assert_error "ERR CONFIG SET failed*cluster-announce-ip*invalid character*" { + R 0 CONFIG SET cluster-announce-ip "10.0.0.1'evil" + } + }Also applies to: 64-74
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tests/unit/cluster/cluster-aux-field-validation.tcl` around lines 36 - 52, Add two new test cases in the same style as the existing tests ("cluster-announce-ip rejects comma", "cluster-announce-ip rejects backslash", "cluster-announce-ip rejects double quote") to assert that CONFIG SET rejects '=' and single-quote characters; use the same assert_error pattern and message glob "ERR CONFIG SET failed*cluster-announce-ip*invalid character*" and the same R 0 CONFIG SET invocation but with values "10.0.0.1=evil" and "10.0.0.1'evil" (mirror the existing tests' structure so they appear adjacent to the current tests for cluster-announce-ip).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@tests/unit/cluster/cluster-aux-field-validation.tcl`:
- Around line 36-52: Add two new test cases in the same style as the existing
tests ("cluster-announce-ip rejects comma", "cluster-announce-ip rejects
backslash", "cluster-announce-ip rejects double quote") to assert that CONFIG
SET rejects '=' and single-quote characters; use the same assert_error pattern
and message glob "ERR CONFIG SET failed*cluster-announce-ip*invalid character*"
and the same R 0 CONFIG SET invocation but with values "10.0.0.1=evil" and
"10.0.0.1'evil" (mirror the existing tests' structure so they appear adjacent to
the current tests for cluster-announce-ip).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 5cc2bd27-98f2-4b28-ba6e-9ee65a8d7a6c
📒 Files selected for processing (3)
src/cluster.csrc/config.ctests/unit/cluster/cluster-aux-field-validation.tcl
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## unstable #3848 +/- ##
============================================
+ Coverage 76.65% 76.72% +0.07%
============================================
Files 162 162
Lines 80694 80735 +41
============================================
+ Hits 61857 61945 +88
+ Misses 18837 18790 -47
🚀 New features to boost your workflow:
|
sarthakaggarwal97
left a comment
There was a problem hiding this comment.
Mostly looks good to me. Minor comment.
ranshid
left a comment
There was a problem hiding this comment.
I think this will be a breaking change. cluster-announce-human-nodename already used isValidAuxString (via isValidAnnouncedNodename). With this PR, several characters that were previously accepted in human nodenames are now rejected: ,, =, ", ', , space, and all control bytes
@ranshid As mentioned above, some of these characters corrupt nodes.conf, for example a space, because the columns in nodes.conf are space-separated, so it's already broken - nodes.conf can't be read after restart if e.g. numan-nodename contains a space. |
- Make isValidAuxChar static with unsigned char parameter - Add NET_IP_STR_LEN length check to isValidAnnouncedIp - Reduce invalid_charset to only nodes.conf-breaking characters - Add equals-sign rejection test, remove quote/backslash tests Signed-off-by: Eran Ifrah <eifrah@amazon.com>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
tests/unit/cluster/cluster-aux-field-validation.tcl (1)
48-56: ⚡ Quick winConsider adding test coverage for the length limit.
The validator
isValidAnnouncedIp(snippet 2) includes a separate check for length (>= NET_IP_STR_LEN) that produces a distinct error message. Adding a test case for an overly long IP string would exercise that validation path.📝 Example test case
test "cluster-announce-ip rejects too-long value" { assert_error "ERR CONFIG SET failed*cluster-announce-ip*too long*" { R 0 CONFIG SET cluster-announce-ip [string repeat "a" 100] } }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tests/unit/cluster/cluster-aux-field-validation.tcl` around lines 48 - 56, Add a unit test that asserts setting cluster-announce-ip with a string longer than NET_IP_STR_LEN triggers the specific "too long" validation error; update tests/unit/cluster/cluster-aux-field-validation.tcl by adding a test (similar to the provided example) that calls R 0 CONFIG SET cluster-announce-ip with a repeated long string and uses assert_error to match the "ERR CONFIG SET failed*cluster-announce-ip*too long*" message so the isValidAnnouncedIp length-check path is exercised.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@tests/unit/cluster/cluster-aux-field-validation.tcl`:
- Around line 48-56: Add a unit test that asserts setting cluster-announce-ip
with a string longer than NET_IP_STR_LEN triggers the specific "too long"
validation error; update tests/unit/cluster/cluster-aux-field-validation.tcl by
adding a test (similar to the provided example) that calls R 0 CONFIG SET
cluster-announce-ip with a repeated long string and uses assert_error to match
the "ERR CONFIG SET failed*cluster-announce-ip*too long*" message so the
isValidAnnouncedIp length-check path is exercised.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 92151e09-4ba8-482e-9f1c-c2a23c68616c
📒 Files selected for processing (3)
src/cluster.csrc/config.ctests/unit/cluster/cluster-aux-field-validation.tcl
🚧 Files skipped from review as they are similar to previous changes (2)
- src/cluster.c
- src/config.c
ranshid
left a comment
There was a problem hiding this comment.
Two follow-ups on the latest revision — a stale comment in src/cluster.c and a few test additions to lock in the deliberately-narrow charset and exercise the new length check.
- cluster-announce-human-nodename rejects comma and equals (symmetry with the cluster-announce-ip cases, locks in breaking-change behavior) - cluster-announce-ip length-limit test (exercises NET_IP_STR_LEN branch) - Positive lock-in tests for deliberately-allowed chars (hyphen, dot, colon, slash, underscore) and high-byte UTF-8 Signed-off-by: Eran Ifrah <eifrah@amazon.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tests/unit/cluster/cluster-aux-field-validation.tcl`:
- Around line 64-67: The test currently checks cluster-announce-ip with hyphen,
dot, colon, slash, and underscore but omits backslash, double-quote, and
single-quote; update the test case in cluster-announce-ip accepts hyphen, dot,
colon, slash, underscore to also assert that values containing backslash (\),
double-quote ("), and single-quote (') are accepted by CONFIG SET/GET (e.g., add
R 0 CONFIG SET cluster-announce-ip "host\\name", "host\"name", and "host'name"
style assertions) so the behavior of isValidAuxChar is fully covered.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 876af3e8-a142-4ddd-aff9-e79dbf03dfe8
📒 Files selected for processing (1)
tests/unit/cluster/cluster-aux-field-validation.tcl
Signed-off-by: Eran Ifrah <eifrah@amazon.com>
|
@zuiderkwast I approved the last revision. ping you if you want to take a final look (otherwise will merge it later today) |
|
Looks like I merged from the wrong branch... I need to fix the commit list before we can merge this. |
Add double-quote, single-quote, and backslash to invalid_charset in isValidAuxChar to forestall ambiguity with potential future quote/escape-aware nodes.conf formats. Add matching test coverage for cluster-announce-ip and cluster-announce-human-nodename. This is a breaking change for any existing values containing these characters; agreed with Valkey maintainers. Signed-off-by: Eran Ifrah <eifrah@amazon.com>
55d884c to
3453e6d
Compare
Extend the range check from 0x1F to ',' (0x2C) to cover all characters that were previously listed explicitly in invalid_charset. Remove the now-redundant entries from the charset and update both comments to accurately describe what each check rejects. Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
…ey-io#3848) Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com> Signed-off-by: Harkrishn Patro <h_patro@apple.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
# Backport sweep for 9.1 Automated cherry-picks from PRs marked "To be backported". ## Applied | Source PR | Title | Detail | |---|---|---| | #3743 | Fix buffered_reply assert in HFE commands with module keyspace notifications | cherry-picked in a prior sweep | | #3766 | Fix flaky block_keyspace_notification test for HGETDEL notify race | cherry-picked in a prior sweep | | #3800 | Fix heap-use-after-free in ACL LOAD when client free is deferred | cherry-picked in a prior sweep | | #3723 | Fix double-finish and RESP reply violation in cluster slot migration | cherry-picked in a prior sweep | | #3872 | Redacting customer information when hide_user_data_from_log is true in rdb.c, networking.c, debug.c and t_hash | cherry-picked in a prior sweep | | #3846 | Fix use-after-free in VM_RegisterClusterMessageReceiver | cherry-picked in a prior sweep | | #3806 | Add ALL_DBS flag to CLUSTER FLUSHSLOT for database-level ACL | cherry-picked in a prior sweep | | #3847 | Harden SENTINEL commands and config rewrite against control-character injection | | | #3801 | Validate every DB clause in COPY against ACL db= permissions | | | #3851 | Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token | | | #3848 | Fix cluster AUX-field control-character and delimiter injection | | | #3544 | Revert "IO-Threads redesign cleanup work (#3544)" | cherry-picked in a prior sweep | | #3888 | Report exact dbid for COPY in ACL LOG when db= access is denied | conflicts resolved by Claude Code | | #3942 | Fix shard_id format specifier in UPDATE message log | | | #3941 | Avoid random() % 0 undefined behaviour when cluster-node-timeout < 30 | | --- *Generated by valkey-ci-agent using Claude Code.* --------- Signed-off-by: Binbin <binloveplay1314@qq.com> Signed-off-by: Ran Shidlansik <ranshid@amazon.com> Signed-off-by: chx9 <lovelypiska@outlook.com> Signed-off-by: zackcam <zackcam@amazon.com> Signed-off-by: Eran Ifrah <eifrah@amazon.com> Signed-off-by: Jules Lasarte <lasartej@amazon.com> Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com> Signed-off-by: akash kumar <akumdev@amazon.com> Co-authored-by: Binbin <binloveplay1314@qq.com> Co-authored-by: Ran Shidlansik <ranshid@amazon.com> Co-authored-by: lovelypiska <lovelypiska@outlook.com> Co-authored-by: zackcam <zackcam@amazon.com> Co-authored-by: eifrah-aws <eifrah@amazon.com> Co-authored-by: jjuleslasarte <jules.lasarte@gmail.com> Co-authored-by: Jules Lasarte <lasartej@amazon.com> Co-authored-by: Akash Kumar <45854686+akashkgit@users.noreply.github.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com>
…ey-io#3848) (#348) Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt `nodes.conf` parsing or enable injection of crafted node entries on restart. Additionally, add a validator for `cluster-announce-ip` which previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file. --------- Signed-off-by: Eran Ifrah <eifrah@amazon.com> Co-authored-by: eifrah-aws <eifrah@amazon.com>
Harden isValidAuxChar() to reject control characters (0x00-0x1F, 0x7F) and format-significant delimiters (comma, equals, quotes, backslash, space) that could corrupt
nodes.confparsing or enable injection of crafted node entries on restart.Additionally, add a validator for
cluster-announce-ipwhich previously had no input validation, allowing arbitrary bytes to be persisted into the cluster config file.