Posted to notifications@geode.apache.org by GitBox <gi...@apache.org> on 2021/10/18 21:16:55 UTC

[GitHub] [geode] nonbinaryprogrammer commented on a change in pull request #6994: GEODE-9676: Limit array and string sizes for unauthenticated Radish connections

nonbinaryprogrammer commented on a change in pull request #6994:
URL: https://github.com/apache/geode/pull/6994#discussion_r731316669



##########
File path: geode-for-redis/src/integrationTest/java/org/apache/geode/redis/internal/executor/connection/AbstractAuthIntegrationTest.java
##########
@@ -128,4 +148,128 @@ public void givenNoSecurity_accessWithoutAuth_passes() throws Exception {
     assertThat(jedis.ping()).isEqualTo("PONG");
   }
 
+  @Test
+  public void givenSecurity_largeMultiBulkRequestsFail_whenNotAuthenticated() throws Exception {
+    setupCacheWithSecurity();
+
+    try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort())) {
+      clientSocket.setSoTimeout(1000);
+      PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+      BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+      out.write("*100\r\n");
+      out.flush();
+      String response = in.readLine();
+
+      assertThat(response).contains(ERROR_UNAUTHENTICATED_MULTIBULK);
+    }
+  }
+
+  @Test
+  public void givenSecurity_largeMultiBulkRequestsSucceed_whenAuthenticated() throws Exception {
+    setupCacheWithSecurity();
+
+    List<String> msetArgs = new ArrayList<>();
+    for (int i = 0; i < ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE; i++) {
+      msetArgs.add("{hash}key-" + i);
+      msetArgs.add("value-" + i);
+    }
+
+    assertThat(jedis.auth(getUsername(), getPassword())).isEqualTo("OK");
+    assertThat(jedis.mset(msetArgs.toArray(new String[] {}))).isEqualTo("OK");
+  }
+
+  @Test
+  public void givenNoSecurity_largeMultiBulkRequestsSucceed_whenNotAuthenticated()
+      throws Exception {
+    setupCacheWithoutSecurity();
+
+    List<String> msetArgs = new ArrayList<>();
+    for (int i = 0; i < ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE; i++) {
+      msetArgs.add("{hash}key-" + i);
+      msetArgs.add("value-" + i);
+    }
+
+    assertThat(jedis.mset(msetArgs.toArray(new String[] {}))).isEqualTo("OK");
+  }
+
+  @Test
+  public void givenSecurity_largeBulkStringRequestsFail_whenNotAuthenticated() throws Exception {
+    setupCacheWithSecurity();
+
+    try (Socket clientSocket = new Socket(BIND_ADDRESS, getPort())) {
+      clientSocket.setSoTimeout(1000);
+      PrintWriter out = new PrintWriter(clientSocket.getOutputStream());
+      BufferedReader in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+
+      out.write("*1\r\n$100000000\r\n");
+      out.flush();
+      String response = in.readLine();
+
+      assertThat(response).contains(ERROR_UNAUTHENTICATED_BULK);
+    }
+  }
+
+  @Test
+  public void givenSecurity_largeBulkStringRequestsSucceed_whenAuthenticated() throws Exception {
+    setupCacheWithSecurity();
+    int stringSize = ByteToCommandDecoder.UNAUTHENTICATED_MAX_BULK_STRING_LENGTH + 1;
+
+    String largeString = StringUtils.repeat('a', stringSize);
+
+    assertThat(jedis.auth(getUsername(), getPassword())).isEqualTo("OK");
+    assertThat(jedis.set("key", largeString)).isEqualTo("OK");
+  }
+
+  @Test
+  public void givenNoSecurity_largeBulkStringRequestsSucceed_whenNotAuthenticated()
+      throws Exception {
+    setupCacheWithoutSecurity();
+    int stringSize = ByteToCommandDecoder.UNAUTHENTICATED_MAX_BULK_STRING_LENGTH + 1;
+
+    String largeString = StringUtils.repeat('a', stringSize);
+
+    assertThat(jedis.set("key", largeString)).isEqualTo("OK");
+  }
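
Review bot: The two unauthenticated failure tests hard-code their oversized values (`*100` in givenSecurity_largeMultiBulkRequestsFail_whenNotAuthenticated and `$100000000` in givenSecurity_largeBulkStringRequestsFail_whenNotAuthenticated) instead of deriving them from ByteToCommandDecoder.UNAUTHENTICATED_MAX_ARRAY_SIZE and UNAUTHENTICATED_MAX_BULK_STRING_LENGTH, so they do not pin the boundary and will drift from the limits if the constants change. Build each request from the constant plus one, and add the matching at-limit case showing that an unauthenticated request of exactly the limit is not rejected with ERROR_UNAUTHENTICATED_MULTIBULK or ERROR_UNAUTHENTICATED_BULK. A smaller point in the same two tests: `new PrintWriter(clientSocket.getOutputStream())` and `new InputStreamReader(clientSocket.getInputStream())` use the platform default charset, and passing an explicit charset would keep the bytes on the wire deterministic.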

Review comment:
       Might be nice to have a test like this for the case where there is security but we aren't authenticated, where the string size is over the UNAUTHENTICATED_MAX_BULK_STRING_LENGTH.



