Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2021/11/10 07:13:49 UTC

[GitHub] [rocketmq] Aaron-He opened a new pull request #3475: [ISSUE #3474] fix illegal message attack

Aaron-He opened a new pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475


   **Make sure to set the target branch to `develop`**
   
   ## What is the purpose of the change
   
   fix illegal message attack
   
   ## Brief changelog
   
   Check when decoding the protocol 
   
   ## Verifying this change
   
   Yes
   
   Follow this checklist to help us incorporate your contribution quickly and easily. Notice: `it would be helpful if you could finish the following 5 checklist items (the last one is not necessary) before requesting the community to review your PR`.
   
   - [x] Make sure there is a [Github issue](https://github.com/apache/rocketmq/issues) filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue. 
   - [x] Format the pull request title like `[ISSUE #123] Fix UnknownException when host config not exist`. Each commit in the pull request should have a meaningful subject line and body.
   - [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
   - [x] Write the necessary unit tests (over 80% coverage) to verify your logic correction; more mocking is a little better when cross-module dependencies exist. If a new feature or significant change is committed, please remember to add integration tests in the [test module](https://github.com/apache/rocketmq/tree/master/test).
   - [x] Run `mvn -B clean apache-rat:check findbugs:findbugs checkstyle:checkstyle` to make sure basic checks pass. Run `mvn clean install -DskipITs` to make sure unit-test pass. Run `mvn clean test-compile failsafe:integration-test`  to make sure integration-test pass.
   - [ ] If this contribution is large, please file an [Apache Individual Contributor License Agreement](http://www.apache.org/licenses/#clas).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@rocketmq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [rocketmq] dongeforever commented on pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
dongeforever commented on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-991553024


   LGTM.
   All size-delimited serialization has such a vulnerability.





[GitHub] [rocketmq] Aaron-He commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
Aaron-He commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r749090134



##########
File path: remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RocketMQSerializable.java
##########
@@ -149,6 +150,9 @@ public static RemotingCommand rocketMQProtocolDecode(final byte[] headerArray) {
         // String remark
         int remarkLength = headerBuffer.getInt();
         if (remarkLength > 0) {
+            if (remarkLength > headerArray.length) {
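Review bot: The guard on the `+            if (remarkLength > headerArray.length) {` line bounds the allocation by the whole header array rather than by the bytes still unread, so a `remarkLength` that lies between `headerBuffer.remaining()` and `headerArray.length` passes the check although the buffer cannot satisfy it; `headerBuffer.remaining()` is the precise bound and costs the same single buffer read. The hunk ends at the condition, so the exception thrown on the rejected path is not visible here; it should be the checked `RemotingCommandException` that the `decode` signature elsewhere in this PR now declares, so a malformed frame has one failure mode.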

Review comment:
       > Will it cause a similar problem if you modify other values in the header?
   
   Apart from remarkLength and extFieldsLength, modifying other values in the header will not create large objects; it will only fail to read and throw exceptions.







[GitHub] [rocketmq] duhenglucky commented on pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
duhenglucky commented on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-991578393


   > Great catch. But this PR includes too many code style modifications, do you import the rmq_codeStyle.xml to your IDE?
   
   Merge it first for security reasons; code styles will be fixed in another PR :)





[GitHub] [rocketmq] codecov-commenter commented on pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-969784316


   # [Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#3475](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (9a15c9e) into [develop](https://codecov.io/gh/apache/rocketmq/commit/c6aeb782e59587c610ff8293462f028993fb8206?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (c6aeb78) will **increase** coverage by `0.51%`.
   > The diff coverage is `28.57%`.
   
   [![Impacted file tree graph](https://codecov.io/gh/apache/rocketmq/pull/3475/graphs/tree.svg?width=650&height=150&src=pr&token=4w0sxP1wZv&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   
   ```diff
   @@              Coverage Diff              @@
   ##             develop    #3475      +/-   ##
   =============================================
   + Coverage      48.30%   48.81%   +0.51%     
   - Complexity      4604     4655      +51     
   =============================================
     Files            555      555              
     Lines          36723    36728       +5     
     Branches        4839     4841       +2     
   =============================================
   + Hits           17738    17929     +191     
   + Misses         16752    16551     -201     
   - Partials        2233     2248      +15     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...pache/rocketmq/remoting/common/RemotingHelper.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL2NvbW1vbi9SZW1vdGluZ0hlbHBlci5qYXZh) | `13.41% <ø> (ø)` | |
   | [...he/rocketmq/remoting/protocol/RemotingCommand.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL3Byb3RvY29sL1JlbW90aW5nQ29tbWFuZC5qYXZh) | `78.22% <0.00%> (ø)` | |
   | [...cketmq/remoting/protocol/RocketMQSerializable.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL3Byb3RvY29sL1JvY2tldE1RU2VyaWFsaXphYmxlLmphdmE=) | `86.45% <33.33%> (-3.76%)` | :arrow_down: |
   | [.../rocketmq/broker/filter/ConsumerFilterManager.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-YnJva2VyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9icm9rZXIvZmlsdGVyL0NvbnN1bWVyRmlsdGVyTWFuYWdlci5qYXZh) | `72.19% <0.00%> (-0.90%)` | :arrow_down: |
   | [...ent/impl/consumer/DefaultLitePullConsumerImpl.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9jb25zdW1lci9EZWZhdWx0TGl0ZVB1bGxDb25zdW1lckltcGwuamF2YQ==) | `69.03% <0.00%> (-0.52%)` | :arrow_down: |
   | [...mq/client/impl/producer/DefaultMQProducerImpl.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9wcm9kdWNlci9EZWZhdWx0TVFQcm9kdWNlckltcGwuamF2YQ==) | `46.31% <0.00%> (-0.25%)` | :arrow_down: |
   | [...he/rocketmq/client/producer/DefaultMQProducer.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvcHJvZHVjZXIvRGVmYXVsdE1RUHJvZHVjZXIuamF2YQ==) | `57.34% <0.00%> (-0.21%)` | :arrow_down: |
   | [...ocketmq/broker/processor/SendMessageProcessor.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-YnJva2VyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9icm9rZXIvcHJvY2Vzc29yL1NlbmRNZXNzYWdlUHJvY2Vzc29yLmphdmE=) | `39.64% <0.00%> (-0.05%)` | :arrow_down: |
   | [...org/apache/rocketmq/store/DefaultMessageStore.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL0RlZmF1bHRNZXNzYWdlU3RvcmUuamF2YQ==) | `56.23% <0.00%> (-0.05%)` | :arrow_down: |
   | [...ava/org/apache/rocketmq/filter/util/BitsArray.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZmlsdGVyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9maWx0ZXIvdXRpbC9CaXRzQXJyYXkuamF2YQ==) | `59.82% <0.00%> (ø)` | |
   | ... and [9 more](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [c6aeb78...9a15c9e](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   





[GitHub] [rocketmq] zhouxinyu commented on pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
zhouxinyu commented on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-991576649


   Great catch. But this PR includes too many code style modifications; did you import the rmq_codeStyle.xml into your IDE?





[GitHub] [rocketmq] duhenglucky merged pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
duhenglucky merged pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475


   





[GitHub] [rocketmq] Aaron-He commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
Aaron-He commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r751980767



##########
File path: remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RocketMQSerializable.java
##########
@@ -157,6 +162,9 @@ public static RemotingCommand rocketMQProtocolDecode(final byte[] headerArray) {
         // HashMap<String, String> extFields
         int extFieldsLength = headerBuffer.getInt();
         if (extFieldsLength > 0) {
+            if (extFieldsLength > headerArray.length) {
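Review bot: The `+            if (extFieldsLength > headerArray.length) {` line has the same looseness as the remark guard: the full array length is a larger bound than the unread region after the preceding `headerBuffer.getInt()`. `headerBuffer.remaining()` is `limit() - position()` computed by the buffer itself, which settles the `capacity() - position()` question raised on this hunk: it is one int subtraction, negligible next to the `getInt` just above it, so performance is not a reason to keep `headerArray.length`.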

Review comment:
       > Would it be more appropriate to replace `headerArray.length` with `headerBuffer.capacity() - headerBuffer.position()`?
   
   `headerBuffer.capacity() - headerBuffer.position()` is more precise than `headerArray.length`.
   However, `headerBuffer.capacity() - headerBuffer.position()` has more subtraction operations than `headerArray.length`. Considering performance, `headerArray.length` may be more appropriate.







[GitHub] [rocketmq] Aaron-He commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
Aaron-He commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r751984555



##########
File path: acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAccessValidatorTest.java
##########
@@ -17,19 +17,7 @@
 package org.apache.rocketmq.acl.plain;
 
 
-import java.nio.ByteBuffer;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.rocketmq.acl.common.AclClientRPCHook;
-import org.apache.rocketmq.acl.common.AclConstants;
-import org.apache.rocketmq.acl.common.AclException;
-import org.apache.rocketmq.acl.common.AclUtils;
-import org.apache.rocketmq.acl.common.SessionCredentials;
+import org.apache.rocketmq.acl.common.*;
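Review bot: The `+import org.apache.rocketmq.acl.common.*;` line replaces five explicit imports with a wildcard and, together with the removed `java.nio`/`java.util` lines above it, is an IDE reformat unrelated to the length checks; restore the explicit imports so the security fix stays a minimal, reviewable diff and passes the checkstyle run listed in the PR checklist.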

Review comment:
       Yes, I'll push it again.







[GitHub] [rocketmq] dongeforever commented on a change in pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
dongeforever commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r767130591



##########
File path: remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RemotingCommand.java
##########
@@ -136,12 +137,12 @@ public static RemotingCommand createResponseCommand(int code, String remark) {
         return createResponseCommand(code, remark, null);
     }
 
-    public static RemotingCommand decode(final byte[] array) {
+    public static RemotingCommand decode(final byte[] array) throws RemotingCommandException {
         ByteBuffer byteBuffer = ByteBuffer.wrap(array);
         return decode(byteBuffer);
     }
 
-    public static RemotingCommand decode(final ByteBuffer byteBuffer) {
+    public static RemotingCommand decode(final ByteBuffer byteBuffer) throws RemotingCommandException {
         int length = byteBuffer.limit();
         int oriHeaderLen = byteBuffer.getInt();
         int headerLength = getHeaderLength(oriHeaderLen);
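Review bot: Adding `throws RemotingCommandException` to both public static `decode` overloads turns a previously unchecked failure into a checked one, so every caller of `decode(byte[])` and `decode(ByteBuffer)` must be updated in this PR or compilation breaks. Within the hunk, `headerLength` from `getHeaderLength(oriHeaderLen)` is still used without being compared to `length`, and `byteBuffer.getInt()` itself throws `BufferUnderflowException` on a frame shorter than four bytes; both cases should be converted into the new exception so a malformed frame has one predictable failure mode.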

Review comment:
    The headerLength needs an overflow check too.
   
   if (headerLength >= length) {
      throw xx
   }




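As an added illustration of the pattern discussed in this thread (example code, not from this PR or from RocketMQ): a stand-alone decoder for an assumed frame layout of `int headerLength | int remarkLength | remark bytes | int extFieldsLength | extFields bytes`, with the trusting form beside the bounded form. The class `BoundedLengthDecoder`, the exception `DecodeException` (standing in for `RemotingCommandException`), and the methods `decodeUnchecked`, `decodeChecked`, `readLengthPrefixed` and `frame` are the example's own names. It applies the `headerLength` check raised above and uses `ByteBuffer.remaining()`, which is `limit() - position()`, as the bound debated in the `extFieldsLength` comments, then feeds the decoder a constructed 17-byte frame whose `remarkLength` claims about 2 GiB.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/**
 * Constructed example, not RocketMQ code. Assumed frame layout:
 *   int headerLength | int remarkLength | remark bytes | int extFieldsLength | extFields bytes
 * DecodeException stands in for the project's RemotingCommandException.
 */
public class BoundedLengthDecoder {

    public static class DecodeException extends Exception {
        public DecodeException(String msg) { super(msg); }
    }

    public static class Header {
        public final String remark;
        public final byte[] extFields;
        Header(String remark, byte[] extFields) { this.remark = remark; this.extFields = extFields; }
    }

    /** Trusting form: every array is sized by a length the peer chose. */
    public static Header decodeUnchecked(byte[] frame) {
        ByteBuffer buf = ByteBuffer.wrap(frame);
        buf.getInt();                                     // headerLength read but never validated
        int remarkLength = buf.getInt();
        String remark = "";
        if (remarkLength > 0) {
            byte[] remarkBytes = new byte[remarkLength];  // ~2 GiB if the peer says so
            buf.get(remarkBytes);                         // only now fails on a short frame
            remark = new String(remarkBytes, StandardCharsets.UTF_8);
        }
        int extLen = buf.getInt();
        byte[] ext = new byte[0];
        if (extLen > 0) {
            ext = new byte[extLen];
            buf.get(ext);
        }
        return new Header(remark, ext);
    }

    /** Bounded form: each length is checked against the bytes actually left before use. */
    public static Header decodeChecked(byte[] frame) throws DecodeException {
        ByteBuffer buf = ByteBuffer.wrap(frame);
        if (buf.remaining() < Integer.BYTES) {
            throw new DecodeException("frame too short for header length");
        }
        int headerLength = buf.getInt();
        // The outer header length needs its own check, as raised in review.
        if (headerLength < 0 || headerLength > buf.remaining()) {
            throw new DecodeException("header length " + headerLength + " exceeds "
                + buf.remaining() + " available bytes");
        }
        ByteBuffer header = buf.slice();             // confine all further reads
        header.limit(headerLength);                  // to the declared header region
        String remark = new String(readLengthPrefixed(header, "remark"), StandardCharsets.UTF_8);
        byte[] ext = readLengthPrefixed(header, "extFields");
        return new Header(remark, ext);
    }

    /** Reads an int length then that many bytes; remaining() is limit() - position(). */
    private static byte[] readLengthPrefixed(ByteBuffer buf, String field) throws DecodeException {
        if (buf.remaining() < Integer.BYTES) {
            throw new DecodeException("truncated before " + field + " length");
        }
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) {
            throw new DecodeException(field + " length " + len + " exceeds "
                + buf.remaining() + " remaining bytes");
        }
        byte[] out = new byte[len];                  // bounded by the frame, not by the peer alone
        buf.get(out);
        return out;
    }

    /** Builds a frame; declaredRemarkLength may lie to simulate a forged header. */
    static byte[] frame(String remark, int declaredRemarkLength, byte[] ext) {
        byte[] r = remark.getBytes(StandardCharsets.UTF_8);
        int headerLength = Integer.BYTES + r.length + Integer.BYTES + ext.length;
        ByteBuffer b = ByteBuffer.allocate(Integer.BYTES + headerLength);
        b.putInt(headerLength).putInt(declaredRemarkLength).put(r).putInt(ext.length).put(ext);
        return b.array();
    }

    public static void main(String[] args) throws Exception {
        byte[] ext = {1, 2, 3};
        System.out.println(decodeChecked(frame("ok", 2, ext)).remark);

        // Constructed hostile frame: 17 bytes long, remarkLength claims about 2 GiB.
        byte[] hostile = frame("ok", Integer.MAX_VALUE - 8, ext);
        try {
            decodeChecked(hostile);
        } catch (DecodeException e) {
            System.out.println("rejected before allocating: " + e.getMessage());
        }
        // decodeUnchecked(hostile) would execute new byte[Integer.MAX_VALUE - 8] first; not called here.
    }
}
```

The bounded form slices the buffer to the declared header region, so a later field cannot even claim bytes that belong to the body; each `readLengthPrefixed` call then rejects a length larger than `remaining()` before any array is sized by it, which is the property the merged fix is after.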



[GitHub] [rocketmq] codecov-commenter edited a comment on pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
codecov-commenter edited a comment on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-969784316


   # [Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#3475](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (c94098e) into [develop](https://codecov.io/gh/apache/rocketmq/commit/c6aeb782e59587c610ff8293462f028993fb8206?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (c6aeb78) will **increase** coverage by `0.49%`.
   > The diff coverage is `28.57%`.
   
   [![Impacted file tree graph](https://codecov.io/gh/apache/rocketmq/pull/3475/graphs/tree.svg?width=650&height=150&src=pr&token=4w0sxP1wZv&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   
   ```diff
   @@              Coverage Diff              @@
   ##             develop    #3475      +/-   ##
   =============================================
   + Coverage      48.30%   48.79%   +0.49%     
   - Complexity      4604     4650      +46     
   =============================================
     Files            555      555              
     Lines          36723    36728       +5     
     Branches        4839     4841       +2     
   =============================================
   + Hits           17738    17922     +184     
   + Misses         16752    16560     -192     
   - Partials        2233     2246      +13     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...pache/rocketmq/remoting/common/RemotingHelper.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL2NvbW1vbi9SZW1vdGluZ0hlbHBlci5qYXZh) | `13.41% <ø> (ø)` | |
   | [...he/rocketmq/remoting/protocol/RemotingCommand.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL3Byb3RvY29sL1JlbW90aW5nQ29tbWFuZC5qYXZh) | `78.22% <0.00%> (ø)` | |
   | [...cketmq/remoting/protocol/RocketMQSerializable.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cmVtb3Rpbmcvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3JlbW90aW5nL3Byb3RvY29sL1JvY2tldE1RU2VyaWFsaXphYmxlLmphdmE=) | `86.45% <33.33%> (-3.76%)` | :arrow_down: |
   | [...ketmq/common/protocol/body/ConsumerConnection.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y29tbW9uL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jb21tb24vcHJvdG9jb2wvYm9keS9Db25zdW1lckNvbm5lY3Rpb24uamF2YQ==) | `95.83% <0.00%> (-4.17%)` | :arrow_down: |
   | [...rocketmq/client/impl/factory/MQClientInstance.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9mYWN0b3J5L01RQ2xpZW50SW5zdGFuY2UuamF2YQ==) | `49.92% <0.00%> (-1.50%)` | :arrow_down: |
   | [.../rocketmq/broker/filter/ConsumerFilterManager.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-YnJva2VyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9icm9rZXIvZmlsdGVyL0NvbnN1bWVyRmlsdGVyTWFuYWdlci5qYXZh) | `72.19% <0.00%> (-0.90%)` | :arrow_down: |
   | [...ent/impl/consumer/DefaultLitePullConsumerImpl.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9jb25zdW1lci9EZWZhdWx0TGl0ZVB1bGxDb25zdW1lckltcGwuamF2YQ==) | `69.03% <0.00%> (-0.52%)` | :arrow_down: |
   | [...mq/client/impl/producer/DefaultMQProducerImpl.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9wcm9kdWNlci9EZWZhdWx0TVFQcm9kdWNlckltcGwuamF2YQ==) | `46.19% <0.00%> (-0.38%)` | :arrow_down: |
   | [.../apache/rocketmq/logging/inner/LoggingBuilder.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bG9nZ2luZy9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvcm9ja2V0bXEvbG9nZ2luZy9pbm5lci9Mb2dnaW5nQnVpbGRlci5qYXZh) | `63.60% <0.00%> (-0.32%)` | :arrow_down: |
   | [...he/rocketmq/client/producer/DefaultMQProducer.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvcHJvZHVjZXIvRGVmYXVsdE1RUHJvZHVjZXIuamF2YQ==) | `57.34% <0.00%> (-0.21%)` | :arrow_down: |
   | ... and [13 more](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
   
   ------
   
   [Continue to review full report at Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   > **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   > `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
   > Powered by [Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [c6aeb78...c94098e](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
   











[GitHub] [rocketmq] Git-Yang commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
Git-Yang commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r749889032



##########
File path: remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RocketMQSerializable.java
##########
@@ -157,6 +162,9 @@ public static RemotingCommand rocketMQProtocolDecode(final byte[] headerArray) {
         // HashMap<String, String> extFields
         int extFieldsLength = headerBuffer.getInt();
         if (extFieldsLength > 0) {
+            if (extFieldsLength > headerArray.length) {

Review comment:
       Would it be more appropriate to replace `headerArray.length` with `headerBuffer.capacity() - headerBuffer.position()`?










[GitHub] [rocketmq] duhenglucky commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
duhenglucky commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r751973080



##########
File path: acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAccessValidatorTest.java
##########
@@ -39,16 +27,21 @@
 import org.apache.rocketmq.common.protocol.heartbeat.HeartbeatData;
 import org.apache.rocketmq.common.protocol.heartbeat.ProducerData;
 import org.apache.rocketmq.common.protocol.heartbeat.SubscriptionData;
+import org.apache.rocketmq.remoting.exception.RemotingCommandException;
 import org.apache.rocketmq.remoting.protocol.RemotingCommand;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import java.nio.ByteBuffer;
+import java.util.*;
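Review bot: `import java.util.*;` replaces explicit imports with a wildcard, and the `java.nio`/`java.util` group now sits after the `org.junit` imports rather than at the top of the file where the removed lines had it; restore the explicit `java.util` imports in their original position, since a wildcard hides which classes the test actually depends on and the reshuffle is unrelated to the decoder fix.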

Review comment:
       Same with last comment

##########
File path: acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAccessValidatorTest.java
##########
@@ -17,19 +17,7 @@
 package org.apache.rocketmq.acl.plain;
 
 
-import java.nio.ByteBuffer;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.rocketmq.acl.common.AclClientRPCHook;
-import org.apache.rocketmq.acl.common.AclConstants;
-import org.apache.rocketmq.acl.common.AclException;
-import org.apache.rocketmq.acl.common.AclUtils;
-import org.apache.rocketmq.acl.common.SessionCredentials;
+import org.apache.rocketmq.acl.common.*;
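Review bot: the wildcard `org.apache.rocketmq.acl.common.*` collapses five explicit imports (`AclClientRPCHook`, `AclConstants`, `AclException`, `AclUtils`, `SessionCredentials`) and the whole `java.*` block is deleted here, with the same classes re-imported lower in the file; the net effect is an import reshuffle that has nothing to do with the protocol check and should be dropped from this PR so the diff stays reviewable.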

Review comment:
       Aggregating all imports is not a good practice







[GitHub] [rocketmq] Git-Yang commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
Git-Yang commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r747459180



##########
File path: remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RocketMQSerializable.java
##########
@@ -149,6 +150,9 @@ public static RemotingCommand rocketMQProtocolDecode(final byte[] headerArray) {
         // String remark
         int remarkLength = headerBuffer.getInt();
         if (remarkLength > 0) {
+            if (remarkLength > headerArray.length) {
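Review bot: the `remarkLength > headerArray.length` test repeats the per-field pattern used for `extFieldsLength`, so every length-prefixed field in `rocketMQProtocolDecode` needs its own copy and any field missed later gets no protection; factor the check into one helper that compares the declared length against `headerBuffer.remaining()` (rejecting negatives as well, which the surrounding `remarkLength > 0` already filters for this field) and call it before the remark bytes are read, so a forged length is rejected before it can size any read.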

Review comment:
       Will it cause the similar problem if you modify other values in the header?







[GitHub] [rocketmq] coveralls commented on pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
coveralls commented on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-969783961


   
   [![Coverage Status](https://coveralls.io/builds/44286623/badge)](https://coveralls.io/builds/44286623)
   
   Coverage decreased (-0.009%) to 55.09% when pulling **9a15c9e6889f9e08c1247612067e6d88c69466d1 on Aaron-He:dev20211105** into **4b8b307901da19a1e562c883adc1bdaf8e111cfb on apache:develop**.
   





[GitHub] [rocketmq] dongeforever commented on a change in pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
dongeforever commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r767130591



##########
File path: remoting/src/main/java/org/apache/rocketmq/remoting/protocol/RemotingCommand.java
##########
@@ -136,12 +137,12 @@ public static RemotingCommand createResponseCommand(int code, String remark) {
         return createResponseCommand(code, remark, null);
     }
 
-    public static RemotingCommand decode(final byte[] array) {
+    public static RemotingCommand decode(final byte[] array) throws RemotingCommandException {
         ByteBuffer byteBuffer = ByteBuffer.wrap(array);
         return decode(byteBuffer);
     }
 
-    public static RemotingCommand decode(final ByteBuffer byteBuffer) {
+    public static RemotingCommand decode(final ByteBuffer byteBuffer) throws RemotingCommandException {
         int length = byteBuffer.limit();
         int oriHeaderLen = byteBuffer.getInt();
         int headerLength = getHeaderLength(oriHeaderLen);
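Review bot: `headerLength` from `getHeaderLength(oriHeaderLen)` is used with no bound check even though `length` (the buffer limit) is right there; validate it against the bytes left after the 4-byte prefix, e.g. `if (headerLength < 0 || headerLength > length - 4) throw new RemotingCommandException(...)`, before it is used to size any header read. Adding `throws RemotingCommandException` to both public `decode` overloads is also a signature change, so every existing call site must now catch or declare it.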

Review comment:
        The headerLength needs an overflow check too.
   
   if (headerLength >= length) {
      throw xx
   }







[GitHub] [rocketmq] coveralls edited a comment on pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
coveralls edited a comment on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-969783961


   
   [![Coverage Status](https://coveralls.io/builds/44364303/badge)](https://coveralls.io/builds/44364303)
   
   Coverage increased (+0.06%) to 55.175% when pulling **c94098ecf408fecd75d8d4911ca83f293632c5da on Aaron-He:dev20211105** into **4bb99e656b1acc99d3a953f84ae0abcb74737af5 on apache:develop**.
   





[GitHub] [rocketmq] Aaron-He commented on a change in pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
Aaron-He commented on a change in pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#discussion_r751981478



##########
File path: acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAccessValidatorTest.java
##########
@@ -39,16 +27,21 @@
 import org.apache.rocketmq.common.protocol.heartbeat.HeartbeatData;
 import org.apache.rocketmq.common.protocol.heartbeat.ProducerData;
 import org.apache.rocketmq.common.protocol.heartbeat.SubscriptionData;
+import org.apache.rocketmq.remoting.exception.RemotingCommandException;
 import org.apache.rocketmq.remoting.protocol.RemotingCommand;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import java.nio.ByteBuffer;
+import java.util.*;

Review comment:
       > Same with last comment
   
   headerBuffer.capacity() - headerBuffer.position() is more precise than headerArray.length.
   However, headerBuffer.capacity() - headerBuffer.position() has more subtraction operations than headerArray.length. Considering performance, headerArray.length may be more appropriate.





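A decoder of the shape discussed in this thread that bounds every length field (the header length on `decode()` as well as the remark and extFields lengths) against the bytes actually remaining, as an added example that is not code from the PR or from RocketMQ; the frame layout, the 24-bit length mask and all class and method names are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
// Hypothetical stand-alone decoder; not RocketMQ's RemotingCommand or RocketMQSerializable.
public final class BoundedHeaderDecoder {
    public static final class MalformedHeaderException extends Exception { MalformedHeaderException(String m) { super(m); } }

    // Single bound check for every length field. remaining() is limit - position, so a length
    // that is under the whole array size but past the current read offset is rejected as well.
    static void requireAvailable(ByteBuffer buf, int declared, String field)
            throws MalformedHeaderException {
        if (declared < 0 || declared > buf.remaining()) {
            throw new MalformedHeaderException(field + " length " + declared
                    + " exceeds the " + buf.remaining() + " bytes remaining");
        }
    }

    // Length-prefixed UTF-8 string; the byte[] is allocated only after the bound check passes.
    static String readString(ByteBuffer buf, int lenWidth, String field) throws MalformedHeaderException {
        requireAvailable(buf, lenWidth, field + " length");
        int len = lenWidth == 2 ? buf.getShort() & 0xFFFF : buf.getInt();
        requireAvailable(buf, len, field);
        byte[] b = new byte[len]; buf.get(b);
        return new String(b, StandardCharsets.UTF_8);
    }

    // Frame: int headerLen | 15 bytes of fixed fields | int remarkLen, remark | int extLen, ext,
    // where ext repeats (short keyLen, key, int valLen, value). The layout is an assumption.
    public static Map<String, String> decode(byte[] frame) throws MalformedHeaderException {
        ByteBuffer buf = ByteBuffer.wrap(frame);
        requireAvailable(buf, 4, "header length prefix");
        int headerLength = buf.getInt() & 0xFFFFFF;       // assumption: low 24 bits hold the length
        requireAvailable(buf, headerLength, "header");    // the check requested for decode()
        ByteBuffer header = buf.slice(); header.limit(headerLength); // nothing below reads past it
        requireAvailable(header, 15, "fixed fields");
        header.position(header.position() + 15);          // code, language, version, opaque, flag
        Map<String, String> out = new HashMap<>();
        out.put("remark", readString(header, 4, "remark"));
        requireAvailable(header, 4, "extFields length");
        int extFieldsLength = header.getInt();
        requireAvailable(header, extFieldsLength, "extFields");
        ByteBuffer ext = header.slice(); ext.limit(extFieldsLength);
        while (ext.hasRemaining()) {
            String key = readString(ext, 2, "extFields key");
            out.put(key, readString(ext, 4, "extFields value"));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed frame: remark "ok" and one ext field a=b; header is 15 + 6 + 12 = 33 bytes.
        ByteBuffer good = ByteBuffer.allocate(4 + 33);
        good.putInt(33).putInt(1).put((byte) 0).putShort((short) 0).putInt(7).putInt(0)
            .putInt(2).put("ok".getBytes(StandardCharsets.UTF_8))
            .putInt(8).putShort((short) 1).put((byte) 'a').putInt(1).put((byte) 'b');
        System.out.println(decode(good.array()));
        byte[] bad = good.array().clone();                // same frame, remark length forged
        ByteBuffer.wrap(bad).putInt(4 + 15, Integer.MAX_VALUE);
        try { decode(bad); } catch (MalformedHeaderException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because `header` is a slice limited to `headerLength`, a body that follows the header can never be consumed by the header parser, and each `requireAvailable` call is one subtraction and one comparison per field.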


[GitHub] [rocketmq] codecov-commenter edited a comment on pull request #3475: [ISSUE #3474] fix illegal message attack

Posted by GitBox <gi...@apache.org>.
codecov-commenter edited a comment on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-969784316


   # [Codecov](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#3475](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (4bb99e6) into [develop](https://codecov.io/gh/apache/rocketmq/commit/c6aeb782e59587c610ff8293462f028993fb8206?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (c6aeb78) will **increase** coverage by `0.59%`.
   > The diff coverage is `68.42%`.
   
   > :exclamation: Current head 4bb99e6 differs from pull request most recent head c94098e. Consider uploading reports for the commit c94098e to get more accurate results
   [![Impacted file tree graph](https://codecov.io/gh/apache/rocketmq/pull/3475/graphs/tree.svg?width=650&height=150&src=pr&token=4w0sxP1wZv&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   
   ```diff
   @@              Coverage Diff              @@
   ##             develop    #3475      +/-   ##
   =============================================
   + Coverage      48.30%   48.89%   +0.59%     
   - Complexity      4604     4658      +54     
   =============================================
     Files            555      555              
     Lines          36723    36724       +1     
     Branches        4839     4839              
   =============================================
   + Hits           17738    17957     +219     
   + Misses         16752    16523     -229     
   - Partials        2233     2244      +11     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/rocketmq/pull/3475?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [...he/rocketmq/client/producer/DefaultMQProducer.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvcHJvZHVjZXIvRGVmYXVsdE1RUHJvZHVjZXIuamF2YQ==) | `57.34% <ø> (-0.21%)` | :arrow_down: |
   | [...ava/org/apache/rocketmq/store/MappedFileQueue.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL01hcHBlZEZpbGVRdWV1ZS5qYXZh) | `62.85% <0.00%> (ø)` | |
   | [...ocketmq/broker/processor/SendMessageProcessor.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-YnJva2VyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9icm9rZXIvcHJvY2Vzc29yL1NlbmRNZXNzYWdlUHJvY2Vzc29yLmphdmE=) | `39.64% <50.00%> (-0.05%)` | :arrow_down: |
   | [...ocketmq/store/schedule/ScheduleMessageService.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL3NjaGVkdWxlL1NjaGVkdWxlTWVzc2FnZVNlcnZpY2UuamF2YQ==) | `73.83% <75.00%> (ø)` | |
   | [...org/apache/rocketmq/store/DefaultMessageStore.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-c3RvcmUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL3JvY2tldG1xL3N0b3JlL0RlZmF1bHRNZXNzYWdlU3RvcmUuamF2YQ==) | `56.23% <100.00%> (-0.05%)` | :arrow_down: |
   | [.../rocketmq/broker/filter/ConsumerFilterManager.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-YnJva2VyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9icm9rZXIvZmlsdGVyL0NvbnN1bWVyRmlsdGVyTWFuYWdlci5qYXZh) | `72.19% <0.00%> (-0.90%)` | :arrow_down: |
   | [...ent/impl/consumer/DefaultLitePullConsumerImpl.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9jb25zdW1lci9EZWZhdWx0TGl0ZVB1bGxDb25zdW1lckltcGwuamF2YQ==) | `69.03% <0.00%> (-0.52%)` | :arrow_down: |
   | [.../apache/rocketmq/logging/inner/LoggingBuilder.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-bG9nZ2luZy9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvcm9ja2V0bXEvbG9nZ2luZy9pbm5lci9Mb2dnaW5nQnVpbGRlci5qYXZh) | `63.60% <0.00%> (-0.32%)` | :arrow_down: |
   | [...mq/client/impl/producer/DefaultMQProducerImpl.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-Y2xpZW50L3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9jbGllbnQvaW1wbC9wcm9kdWNlci9EZWZhdWx0TVFQcm9kdWNlckltcGwuamF2YQ==) | `46.44% <0.00%> (-0.13%)` | :arrow_down: |
   | [...ava/org/apache/rocketmq/filter/util/BitsArray.java](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZmlsdGVyL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9yb2NrZXRtcS9maWx0ZXIvdXRpbC9CaXRzQXJyYXkuamF2YQ==) | `59.82% <0.00%> (ø)` | |
   | ... and [12 more](https://codecov.io/gh/apache/rocketmq/pull/3475/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
   
   





[GitHub] [rocketmq] duhenglucky merged pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
duhenglucky merged pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475


   





[GitHub] [rocketmq] duhenglucky commented on pull request #3475: [Issue #3474] Fix illegal message attack

Posted by GitBox <gi...@apache.org>.
duhenglucky commented on pull request #3475:
URL: https://github.com/apache/rocketmq/pull/3475#issuecomment-991578393


   > Great catch. But this PR includes too many code style modifications, do you import the rmq_codeStyle.xml to your IDE?
   
   Merge it first for security reason, code styles will be fixed in another PR :)

