[BUG] Possible DoS attack vector with forged realm IDs #541
Is this a possible security vulnerability?

Describe the bug

So this is a bit of a security vulnerability, but it's already public, and we don't have any official release yet, so 🤷♂️

It is possible for a malicious actor to cause Polaris to OOM by flooding the server with requests having random realm IDs.

This is possible because a) the default RealmContextResolver does not validate that the realm exists and b) many components maintain an unbounded cache of objects keyed by realm ID, e.g.:
- RealmScopeContext
- RealmEntityManagerFactory
- RealmTokenBucketRateLimiter
- LocalPolarisMetaStoreManagerFactory

I suggest the following mitigation measures:
- RealmContextResolver MUST validate the realm IDs – which means that we need to persist realms in the database or somewhere else (maybe in configuration?)

To Reproduce
No response

Actual Behavior
No response

Expected Behavior
No response

Additional context
No response

System information
No response

Comments

Neither the default realm context resolver nor the default call context resolver seems suitable for production usage:
Line 50 in 85f0beb
Line 40 in 85f0beb

Investigating this a bit more, I think the most problematic aspects are: 1
On the bright side, I think that the internal maps would not grow uncontrollably in a "real-life" scenario with EclipseLink and a real database, because the realm initialization would fail on an unknown realm:
Line 181 in aee3a02
And that initialization would be triggered by the
Line 510 in b844686
That said, it still feels a bit fragile to attempt to create a meta store session for any realm, even unknown, even if from an unauthenticated request, only to see the attempt fail. (Also, EclipseLink with the default

With #594 we have a first step into properly mitigating this issue. It makes it impossible, using the default realm resolver, to inject unknown realms into the application.
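The failure mode the issue report describes (an unvalidated realm ID taken from the request becomes the key of a per-realm map that is never evicted, so a flood of distinct forged IDs grows the heap until OOM) and the two mitigations it points at (validate the realm against a persisted or configured set before any realm-keyed component is touched, and do not let those maps be unbounded), as an added Java example. This is not Polaris code: RequestContext, RealmScopedState, RealmRegistry and the two resolve methods are hypothetical stand-ins for the RealmContextResolver and the realm-keyed components named above, and the realm set and request stream are constructed for the demonstration.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class RealmResolverDemo {

    /** Hypothetical per-request context; only the realm header matters here. */
    record RequestContext(String realmHeader) {}

    /** Thrown when a request names a realm the server does not know (or the cap is hit). */
    static class UnknownRealmException extends RuntimeException {
        UnknownRealmException(String msg) { super(msg); }
    }

    /** Hypothetical registry of known realms, standing in for realms persisted in the database or configuration. */
    record RealmRegistry(Set<String> knownRealms) {
        boolean exists(String realmId) { return knownRealms.contains(realmId); }
    }

    /**
     * Hypothetical per-realm state holder, standing in for the realm-keyed maps the issue lists
     * (scope contexts, entity-manager factories, rate limiters, meta store managers).
     * maxRealms < 0 means unbounded, which is the pattern the issue calls out.
     */
    static class RealmScopedState {
        private final Map<String, Object> perRealm = new ConcurrentHashMap<>();
        private final int maxRealms;

        RealmScopedState(int maxRealms) { this.maxRealms = maxRealms; }

        Object forRealm(String realmId) {
            // Second line of defence: refuse to create new per-realm state past a hard cap,
            // so even a resolver bug cannot turn this map into an unbounded allocation sink.
            if (maxRealms >= 0 && !perRealm.containsKey(realmId) && perRealm.size() >= maxRealms) {
                throw new UnknownRealmException("realm cache at capacity, refusing new realm: " + realmId);
            }
            return perRealm.computeIfAbsent(realmId, id -> new Object());
        }

        int size() { return perRealm.size(); }
    }

    /** Vulnerable pattern: trusts the header as-is, so every forged ID becomes a new cache key. */
    static String resolveUnvalidated(RequestContext ctx) {
        return ctx.realmHeader() == null ? "default" : ctx.realmHeader();
    }

    /** Hardened pattern: unknown realms are rejected before any realm-keyed component is touched. */
    static String resolveValidated(RequestContext ctx, RealmRegistry registry) {
        String realmId = ctx.realmHeader() == null ? "default" : ctx.realmHeader();
        if (!registry.exists(realmId)) {
            throw new UnknownRealmException("unknown realm: " + realmId);
        }
        return realmId;
    }

    /** Sends N requests with distinct attacker-chosen realm IDs through one resolver and reports map growth. */
    static int floodWith(int requests, boolean validate, RealmRegistry registry, RealmScopedState state) {
        int rejected = 0;
        for (int i = 0; i < requests; i++) {
            RequestContext ctx = new RequestContext("forged-realm-" + i); // constructed request
            try {
                String realmId = validate ? resolveValidated(ctx, registry) : resolveUnvalidated(ctx);
                state.forRealm(realmId);
            } catch (UnknownRealmException e) {
                rejected++;
            }
        }
        System.out.println("  rejected " + rejected + " of " + requests + " requests");
        return state.size();
    }

    public static void main(String[] args) {
        RealmRegistry registry = new RealmRegistry(Set.of("default", "analytics")); // constructed realm set
        int requests = 100_000;

        System.out.println("unvalidated resolver, unbounded map:");
        int a = floodWith(requests, false, registry, new RealmScopedState(-1));
        System.out.println("  per-realm map holds " + a + " entries");

        System.out.println("unvalidated resolver, map capped at 16:");
        int b = floodWith(requests, false, registry, new RealmScopedState(16));
        System.out.println("  per-realm map holds " + b + " entries");

        System.out.println("validated resolver, unbounded map:");
        int c = floodWith(requests, true, registry, new RealmScopedState(-1));
        System.out.println("  per-realm map holds " + c + " entries");
    }
}
```

Run with `java RealmResolverDemo.java`. The first run grows one map entry per forged request, which is the OOM path; the second shows that a cap alone stops the growth but still does work per request; the third shows validation at the resolver rejecting every forged realm before any per-realm state exists, which is the mitigation the issue asks for. In a real deployment the two belong together: the registry check is the correct fix, and the cap is the safety net for the next component that forgets to call it.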