mirrors
/
redis
mirror of https://mirror.osredm.com/root/redis.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Redact ACL SETUSER arguments if the user has spaces (#9935)

This commit is contained in:
Madelyn Olson 2021-12-13 08:39:04 -08:00 committed by GitHub
parent b93ccee451
commit c40d23b89f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/acl.c
View File

@ -1966,6 +1966,12 @@ void addACLLogEntry(client *c, int reason, int context, int argpos, sds username
void aclCommand(client *c) { void aclCommand(client *c) {
char *sub = c->argv[1]->ptr; char *sub = c->argv[1]->ptr;
if (!strcasecmp(sub,"setuser") && c->argc >= 3) { if (!strcasecmp(sub,"setuser") && c->argc >= 3) {
/* Initially redact all of the arguments to not leak any information
* about the user. */
for (int j = 2; j < c->argc; j++) {
redactClientCommandArgument(c, j);
}
sds username = c->argv[2]->ptr; sds username = c->argv[2]->ptr;
/* Check username validity. */ /* Check username validity. */
if (ACLStringHasSpaces(username,sdslen(username))) { if (ACLStringHasSpaces(username,sdslen(username))) {
@ -1982,12 +1988,6 @@ void aclCommand(client *c) {
user *u = ACLGetUserByName(username,sdslen(username)); user *u = ACLGetUserByName(username,sdslen(username));
if (u) ACLCopyUser(tempu, u); if (u) ACLCopyUser(tempu, u);
/* Initially redact all of the arguments to not leak any information
* about the user. */
for (int j = 2; j < c->argc; j++) {
redactClientCommandArgument(c, j);
}
for (int j = 3; j < c->argc; j++) { for (int j = 3; j < c->argc; j++) {
if (ACLSetUser(tempu,c->argv[j]->ptr,sdslen(c->argv[j]->ptr)) != C_OK) { if (ACLSetUser(tempu,c->argv[j]->ptr,sdslen(c->argv[j]->ptr)) != C_OK) {
const char *errmsg = ACLSetUserStringError(); const char *errmsg = ACLSetUserStringError();

6
tests/unit/slowlog.tcl
View File

@ -49,6 +49,7 @@ start_server {tags {"slowlog"} overrides {slowlog-log-slower-than 1000000}} {
test {SLOWLOG - Certain commands are omitted that contain sensitive information} { test {SLOWLOG - Certain commands are omitted that contain sensitive information} {
r config set slowlog-log-slower-than 0 r config set slowlog-log-slower-than 0
r slowlog reset r slowlog reset
catch {r acl setuser "slowlog test user" +get +set} _
r config set masterauth "" r config set masterauth ""
r acl setuser slowlog-test-user +get +set r acl setuser slowlog-test-user +get +set
r config set slowlog-log-slower-than 0 r config set slowlog-log-slower-than 0
@ -57,8 +58,9 @@ start_server {tags {"slowlog"} overrides {slowlog-log-slower-than 1000000}} {
# Make sure normal configs work, but the two sensitive # Make sure normal configs work, but the two sensitive
# commands are omitted or redacted # commands are omitted or redacted
assert_equal 4 [llength $slowlog_resp] assert_equal 5 [llength $slowlog_resp]
assert_equal {slowlog reset} [lindex [lindex [r slowlog get] 3] 3] assert_equal {slowlog reset} [lindex [lindex [r slowlog get] 4] 3]
assert_equal {acl setuser (redacted) (redacted) (redacted)} [lindex [lindex [r slowlog get] 3] 3]
assert_equal {config set masterauth (redacted)} [lindex [lindex [r slowlog get] 2] 3] assert_equal {config set masterauth (redacted)} [lindex [lindex [r slowlog get] 2] 3]
assert_equal {acl setuser (redacted) (redacted) (redacted)} [lindex [lindex [r slowlog get] 1] 3] assert_equal {acl setuser (redacted) (redacted) (redacted)} [lindex [lindex [r slowlog get] 1] 3]
assert_equal {config set slowlog-log-slower-than 0} [lindex [lindex [r slowlog get] 0] 3] assert_equal {config set slowlog-log-slower-than 0} [lindex [lindex [r slowlog get] 0] 3]