
Prevent DoS attacks by rejecting unknown realms #594

Merged: 1 commit merged into apache:main from the realms-configuration branch, Jan 14, 2025

Conversation

@adutra (Contributor) commented Dec 27, 2024

Now ready for review.

This PR fixes #541 by preventing unknown realms from proceeding.

It's probably not the definitive way of declaring realms, but given that we don't have an API yet to manage realms, the best solution is to declare known realms upfront in the configuration.

This PR also introduces a TestRealmContextResolver that is basically the old realm context resolver, and which is used in tests only.
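The check the PR describes, known realms declared upfront in configuration and any other realm id rejected, as an added illustration that is not the PR's own code nor Polaris's resolver API. The class name, the header name `Polaris-Realm`, the comma-separated config format and the choice of the first configured realm as the default are all assumptions made for this example:

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/** Thrown when a request names a realm the server is not configured to serve. */
final class UnknownRealmException extends RuntimeException {
  UnknownRealmException(String realm) {
    super("unknown realm: " + realm);
  }
}

/**
 * Resolves the realm of an incoming request from a request header and rejects any
 * value that is not in the statically configured set of known realms.
 * Class name, header name and config format are assumptions for this example.
 */
final class ConfiguredRealmContextResolver {
  /** Assumed header name carrying the realm id. */
  static final String REALM_HEADER = "Polaris-Realm";

  private final Set<String> knownRealms;
  private final String defaultRealm;

  /**
   * @param configuredRealms comma-separated realm ids, e.g. "realm-a, realm-b";
   *     the first entry is used when a request carries no realm header (assumed policy).
   */
  ConfiguredRealmContextResolver(String configuredRealms) {
    Set<String> realms = new LinkedHashSet<>();
    for (String r : configuredRealms.split(",")) {
      String trimmed = r.trim();
      if (!trimmed.isEmpty()) {
        realms.add(trimmed);
      }
    }
    if (realms.isEmpty()) {
      throw new IllegalArgumentException("at least one realm must be configured");
    }
    this.knownRealms = Set.copyOf(realms);
    this.defaultRealm = realms.iterator().next();
  }

  /** Returns the realm id for the request, or throws before any per-realm work happens. */
  String resolve(Map<String, String> headers) {
    // HTTP header names are case-insensitive, so normalise the lookup.
    Map<String, String> ci = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    ci.putAll(headers);
    String requested = ci.getOrDefault(REALM_HEADER, defaultRealm).trim();
    if (!knownRealms.contains(requested)) {
      // Reject up front: a forged realm id never reaches realm-scoped processing.
      throw new UnknownRealmException(requested);
    }
    return requested;
  }

  public static void main(String[] args) {
    // Constructed configuration: two known realms, "realm-a" being the default.
    ConfiguredRealmContextResolver resolver =
        new ConfiguredRealmContextResolver("realm-a, realm-b");

    // Constructed sample requests, one of each kind the resolver has to handle.
    List<Map<String, String>> requests = List.of(
        Map.of("polaris-realm", "realm-b"),    // known realm, lower-case header name
        Map.of(),                              // no header -> default realm
        Map.of("Polaris-Realm", "forged-123")  // unknown realm -> rejected
    );
    for (Map<String, String> headers : requests) {
      try {
        System.out.println("accepted realm " + resolver.resolve(headers));
      } catch (UnknownRealmException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

The rejection happens in the resolver itself, so nothing realm-scoped is created or looked up for an id that is not in the configured set; the old, permissive behaviour (accepting whatever id the header carries) is what the PR keeps only for tests in its TestRealmContextResolver.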

@adutra adutra force-pushed the realms-configuration branch 15 times, most recently from 14c5f45 to f2b0110 on January 9, 2025 14:01
@adutra adutra force-pushed the realms-configuration branch 7 times, most recently from 61a33c8 to d2fb2d5 on January 13, 2025 20:54
@adutra adutra force-pushed the realms-configuration branch from d2fb2d5 to 57fc8cb on January 14, 2025 10:56
@adutra adutra changed the title [WIP] Prevent DoS attacks by rejecting unknown realms Prevent DoS attacks by rejecting unknown realms Jan 14, 2025
@adutra adutra marked this pull request as ready for review January 14, 2025 10:58
@adutra (Contributor, Author) commented Jan 14, 2025

Ready for review.

@snazy (Member) left a comment

I think this change is fine to fix at least the possible DoS attack.
We can always make the realm-resolution dynamic later.

@adutra adutra merged commit a75bbdd into apache:main Jan 14, 2025
5 checks passed
@adutra adutra deleted the realms-configuration branch January 14, 2025 11:29
Successfully merging this pull request may close these issues.

[BUG] Possible DoS attack vector with forged realm IDs