author: Oran Agra <oran@redislabs.com> 2020-08-13 16:41:05 +0300
committer: Oran Agra <oran@redislabs.com> 2020-12-06 14:54:34 +0200
commit: ca1c182567add4092e9cb6ea829e9c5193e8fd55
tree: c4ccd1e235d797066dda7e24bccec9b5473d7981 /redis.conf
parent: c4fdf09c0584a3cee32b92f01b7958c72776aedc
Sanitize dump payload: ziplist, listpack, zipmap, intset, stream
When loading an encoded payload we will at least do a shallow validation to
check that the size that's encoded in the payload matches the size of the
allocation. This lets us later use this encoded size to make sure the various
offsets inside the encoded payload don't reach outside the allocation; if they
do, we'll assert/panic, but at least we won't segfault or smear memory.

We can also do 'deep' validation which runs on all the records of the encoded
payload and validates that they don't contain invalid offsets. This lets us
detect corruptions early and reject a RESTORE command rather than accepting it
and asserting (crashing) later when accessing that payload via some command.

configuration:
- adding ACL flag skip-sanitize-payload
- adding config sanitize-dump-payload [yes/no/clients]

For now, we don't have a good way to ensure MIGRATE in cluster resharding isn't
being slowed down by this sanitation, so I'm setting the default value to `no`,
but later on it should be set to `clients` by default.

changes:
- changing rdbReportError not to `exit` in RESTORE command
- adding a new stat to be able to later check if cluster MIGRATE isn't being
  slowed down by sanitation.
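The shallow versus deep validation the message describes, worked through for the intset encoding as an added example (written for this page, not Redis's own validator; the header layout and the sorted-unique invariant are assumptions about the format, and the sample payloads are constructed):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical validator written for this page (not Redis's own code). Assumed
 * intset layout: 4-byte LE encoding (2, 4 or 8 = element width), 4-byte LE
 * count, then `count` LE signed elements that must be strictly ascending. */

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int64_t rd_le_signed(const unsigned char *p, uint32_t width) {
    uint64_t v = 0;
    for (uint32_t i = 0; i < width; i++) v |= (uint64_t)p[i] << (8 * i);
    uint64_t sign = (uint64_t)1 << (8 * width - 1); /* sign-extend from width */
    return (int64_t)((v ^ sign) - sign);
}

/* 1 = well-formed, 0 = reject. Shallow (deep == 0): the size encoded in the
 * header must match the allocation, so later offset math stays in bounds.
 * Deep (deep == 1): also walk every element and require sorted, unique values. */
int intset_validate(const unsigned char *buf, size_t len, int deep) {
    if (len < 8) return 0;                          /* header must fit */
    uint32_t enc = rd_le32(buf), count = rd_le32(buf + 4);
    if (enc != 2 && enc != 4 && enc != 8) return 0; /* unknown element width */
    if ((uint64_t)count * enc != (uint64_t)(len - 8)) return 0; /* size mismatch */
    if (!deep) return 1;
    int64_t prev = 0;
    for (uint32_t i = 0; i < count; i++) {
        int64_t cur = rd_le_signed(buf + 8 + (size_t)i * enc, enc);
        if (i > 0 && cur <= prev) return 0;         /* not sorted / duplicate */
        prev = cur;
    }
    return 1;
}
/* Constructed samples (int16 encoding; elements -5, 7, 300). */
static const unsigned char GOOD[]      = {2,0,0,0, 3,0,0,0, 0xFB,0xFF, 0x07,0x00, 0x2C,0x01};
/* Header claims four elements but only three are allocated: fails shallow. */
static const unsigned char TOO_SHORT[] = {2,0,0,0, 4,0,0,0, 0xFB,0xFF, 0x07,0x00, 0x2C,0x01};
/* Sizes agree but 7 precedes -5: passes shallow, fails deep. */
static const unsigned char UNSORTED[]  = {2,0,0,0, 3,0,0,0, 0x07,0x00, 0xFB,0xFF, 0x2C,0x01};

int main(void) {
    printf("good deep=%d  too_short shallow=%d  unsorted shallow=%d deep=%d\n",
           intset_validate(GOOD, sizeof GOOD, 1), intset_validate(TOO_SHORT, sizeof TOO_SHORT, 0),
           intset_validate(UNSORTED, sizeof UNSORTED, 0), intset_validate(UNSORTED, sizeof UNSORTED, 1));
    return 0;
}
```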
Diffstat (limited to 'redis.conf')
-rw-r--r--  redis.conf  17
1 files changed, 17 insertions, 0 deletions
diff --git a/redis.conf b/redis.conf
index b11459b26..13766171e 100644
--- a/redis.conf
+++ b/redis.conf
@@ -366,6 +366,21 @@ rdbcompression yes
# tell the loading code to skip the check.
rdbchecksum yes
+# Enables or disables full sanitation checks for ziplist and listpack etc when
+# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
+# crash later on while processing commands.
+# Options:
+# no - Never perform full sanitation
+# yes - Always perform full sanitation
+# clients - Perform full sanitation only for user connections.
+# Excludes: RDB files, RESTORE commands received from the master
+# connection, and client connections which have the
+# skip-sanitize-payload ACL flag.
+# The default should be 'clients' but since it currently affects cluster
+# resharding via MIGRATE, it is temporarily set to 'no' by default.
+#
+# sanitize-dump-payload no
+
# The filename where to dump the DB
dbfilename dump.rdb
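Review bot: the new comment block has a typo in `+# loading an RDB or RESTORE payload. This reduces the chances of a assertion or` ("a assertion" should be "an assertion"), and "ziplist and listpack etc" reads better as "ziplist, listpack, etc." Since the directive is shipped commented out (`# sanitize-dump-payload no`), it would also help to state in the comment that the compiled-in default is `no`, rather than leaving readers to infer it from the sentence about MIGRATE.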
@@ -725,6 +740,8 @@ replica-priority 100
# off Disable the user: it's no longer possible to authenticate
# with this user, however the already authenticated connections
# will still work.
+# skip-sanitize-payload RESTORE dump-payload sanitation is skipped.
+# sanitize-payload RESTORE dump-payload is sanitized (default).
# +<command> Allow the execution of that command
# -<command> Disallow the execution of that command
# +@<category> Allow the execution of all the commands in such category
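Review bot: the two ACL flag lines do not say that they only matter when sanitize-dump-payload is set to `clients`; per the config comment earlier in this patch, `no` never sanitizes and `yes` always does, so a user's `sanitize-payload` or `skip-sanitize-payload` flag changes nothing in those modes. Suggest extending the entries, e.g. `# skip-sanitize-payload RESTORE dump-payload sanitation is skipped when sanitize-dump-payload is 'clients'.`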