
fix(*): fix security vulnerability and database selection

Open outsinre opened this issue 1 year ago • 4 comments

  1. If two redis clients share the same connection but use different databases, both clients might receive errors when setting/getting data.
  2. If a client without authentication shares a connection that is authenticated by other clients, this client bypasses the ACL.

FTI-5839

outsinre avatar Apr 29 '24 13:04 outsinre

@outsinre could you add tests?

bungle avatar May 02 '24 13:05 bungle

@outsinre can you also explain security vulnerability? I guess this is somewhat related to connection pooling that can be shared by some other app?

bungle avatar May 02 '24 13:05 bungle

This library supports pool_name: https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session/redis.lua#L191

So I guess it is just the default pool name generation (which this library does not try to do, it leaves that to either user of this library or the library this library uses for connecting redis)?

bungle avatar May 02 '24 14:05 bungle
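The hazard the PR description and the replies above are circling is the cosocket keepalive pool: if the pool is keyed only on host and port, a socket on which one caller ran AUTH and SELECT is handed back to the next caller for the same host:port, whether or not that caller would have passed AUTH itself or expected database 0. The following is an added example, not code from lua-resty-session or lua-resty-redis, of deriving a `pool` name from every piece of connection state that survives keepalive, so that callers with different credentials or a different database never share a pooled socket. The `opts` table and its field names are an assumption for illustration; the lua-resty-redis calls (`connect` with a `pool` option, `get_reused_times`, `auth`, `select`) and the `resty.sha256`/`resty.string` helpers bundled with OpenResty are real.

```lua
-- Added example (not lua-resty-session or lua-resty-redis code).
-- Assumed shape of opts: { host, port, username, password, database,
-- pool_size, backlog, connect_timeout, send_timeout, read_timeout }.
local redis  = require "resty.redis"
local sha256 = require "resty.sha256"
local str    = require "resty.string"

-- Pool name = host:port:database:H(username, password).
-- The credentials are hashed rather than embedded because pool names can
-- surface in error strings and logs. Two callers get the same pool only if
-- every state-carrying parameter matches.
local function pool_name(opts)
  local h = sha256:new()
  h:update(tostring(opts.username or ""))
  h:update("\0")
  h:update(tostring(opts.password or ""))
  local cred = str.to_hex(h:final())
  return table.concat({
    opts.host,
    tostring(opts.port),
    tostring(opts.database or 0),
    cred,
  }, ":")
end

local function connect(opts)
  local red = redis:new()
  red:set_timeouts(opts.connect_timeout or 1000,
                   opts.send_timeout or 1000,
                   opts.read_timeout or 1000)

  local ok, err = red:connect(opts.host, opts.port, {
    pool      = pool_name(opts),        -- instead of the default host:port key
    pool_size = opts.pool_size or 100,
    backlog   = opts.backlog,
  })
  if not ok then
    return nil, "connect failed: " .. tostring(err)
  end

  -- A socket reused from *this* pool already carries exactly this AUTH and
  -- SELECT state, because the pool name encodes both; only a fresh socket
  -- needs them. A caller without credentials therefore never lands on a
  -- socket somebody else authenticated.
  if red:get_reused_times() == 0 then
    if opts.password then
      local aok, aerr
      if opts.username then
        aok, aerr = red:auth(opts.username, opts.password)   -- Redis 6 ACL user
      else
        aok, aerr = red:auth(opts.password)                  -- legacy requirepass
      end
      if not aok then
        red:close()
        return nil, "auth failed: " .. tostring(aerr)
      end
    end
    if opts.database and opts.database ~= 0 then
      local sok, serr = red:select(opts.database)
      if not sok then
        red:close()
        return nil, "select failed: " .. tostring(serr)
      end
    end
  end

  return red
end

-- Usage: after the request's work is done, return the socket to its own pool.
--   local red = assert(connect({ host = "127.0.0.1", port = 6379,
--                                username = "sessions", password = "...",
--                                database = 3 }))
--   ... red:get(key) / red:set(key, value) ...
--   red:set_keepalive(10000, 100)

return { connect = connect, pool_name = pool_name }
```

The property worth checking in a test environment is the one the PR description reports: with the default pool key, open a connection as an ACL-restricted user, `set_keepalive` it, then connect from a client that supplies no password and observe that `red:get_reused_times()` is greater than zero and that commands succeed; with the derived pool name, the second client gets a fresh socket and Redis answers its first command with a NOAUTH error, which is the correct outcome. The same separation is what stops the first bug, since a caller expecting database 0 can no longer be handed a socket on which someone else ran `SELECT 3`.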

To be honest, I don't see any problem with this library. Should we have default pool name generation? Not sure. Should it be part of resty.redis library, why here? Or should it be problem of system that is using this library, in this case Kong?

bungle avatar May 02 '24 14:05 bungle