113 Commits (master)

Author SHA1 Message Date
Jessie Murray ea01d687b5
Apply ACL rules to WebSocket commands
ACLs were not considered when processing commands coming over WebSocket
connections. WS commands that are disabled with ACLs are now rejected
with a custom message for JSON and raw WS clients, the two supported
formats for this protocol. For JSON an equivalent HTTP status code is
included in the response, although this is only an indication of how
Webdis would have responded if it came from a regular HTTP request.

Tests are added to validate that DEBUG commands are rejected by Webdis
without even making it to Redis, for both JSON and raw WS clients.

Add DEBUG OBJECT demo to websocket.html: DEBUG is disabled with ACLs
by default in webdis.json. A DEBUG button is added to the WebSocket
HTML demo to show what kind of response is produced when WebSocket
clients attempt to send such a command.

The error responses are documented in the README in the ACL section.

Fixes #240.
12 months ago
Nicolas Favre-Felix 49d1a39e1e
Version bump after release
1 year ago
Nicolas Favre-Felix e82a64beef
Release 0.1.22 (includes security update)
New feature: added support for TCP keep-alive on connections to Redis.

Bugfix: TRACE logs were not correctly identified as such in the logs,
        they should now appear with a T prefix.

Security: this is also a security update, fixing vulnerabilities found
in the OpenSSL library, installed from Alpine Linux packages (Alpine
Linux provides the base image for Webdis).

Impact: Webdis can connect to external Webdis instances over TLS.
By default, it does not use TLS to connect to Redis, but interfaces
with Redis over a local connection within the Docker container.
Please review whether these OpenSSL vulnerabilities affect your
deployment. If you do not use TLS to connect to Redis, then you should
not be affected.

openssl 3.0.8-r1 - 1 HIGH, 6 MEDIUM
pkg:apk/alpine/openssl@3.0.8-r1?os_name=alpine&os_version=3.17

    * HIGH CVE-2023-2650
      https://scout.docker.com/v/CVE-2023-2650
      Affected range : <3.0.9-r0
      Fixed version  : 3.0.9-r0

    * MEDIUM CVE-2023-1255
      https://scout.docker.com/v/CVE-2023-1255
      Affected range : <3.0.8-r4
      Fixed version  : 3.0.8-r4

    * MEDIUM CVE-2023-3817
      https://scout.docker.com/v/CVE-2023-3817
      Affected range : <3.0.10-r0
      Fixed version  : 3.0.10-r0

    * MEDIUM CVE-2023-3446
      https://scout.docker.com/v/CVE-2023-3446
      Affected range : <3.0.9-r3
      Fixed version  : 3.0.9-r3

    * MEDIUM CVE-2023-2975
      https://scout.docker.com/v/CVE-2023-2975
      Affected range : <3.0.9-r2
      Fixed version  : 3.0.9-r2

    * MEDIUM CVE-2023-0466
      https://scout.docker.com/v/CVE-2023-0466
      Affected range : <3.0.8-r3
      Fixed version  : 3.0.8-r3

    * MEDIUM CVE-2023-0465
      https://scout.docker.com/v/CVE-2023-0465
      Affected range : <3.0.8-r2
      Fixed version  : 3.0.8-r2

openssl1.1-compat 1.1.1t-r1 -- 2 MEDIUM
pkg:apk/alpine/openssl1.1-compat@1.1.1t-r1?os_name=alpine&os_version=3.17

    * MEDIUM CVE-2023-3446
      https://scout.docker.com/v/CVE-2023-3446
      Affected range : <1.1.1u-r1
      Fixed version  : 1.1.1u-r1

    * MEDIUM CVE-2023-0465
      https://scout.docker.com/v/CVE-2023-0465
      Affected range : <1.1.1t-r2
      Fixed version  : 1.1.1t-r2
1 year ago
Nicolas Favre-Felix 8eef97288b
Fix UB warning in md5.c
Was: pointer subtraction with a null pointer
1 year ago
Jessie Murray 4c335bbe8e
Add "hiredis" config block, with keep_alive_sec
Only one option available for now, as discussed.
1 year ago
Jessie Murray c7b0e4a6b7
Initialize logging earlier
slog_init() was called from server_start(), but this is kind of late
in the initialization. We should enable logging as soon as the config
is read.
1 year ago
Jessie Murray 4350a051dd
[PATCH] Allow specifying the keepalive interval
Cherry-pick commit 011f709 from hiredis, to expose
redisEnableKeepAliveWithInterval
1 year ago
Nicolas Favre-Felix 9db6459299
Fix log identification for TRACE
1 year ago
Nicolas Favre-Felix 96282e1e0b
Version bump after release
2 years ago
Nicolas Favre-Felix ca5144d811
Version 0.1.21 (security update)
Security update, fixing vulnerabilities found in the Alpine Linux base
image as well as the embedded Redis service and SSL libraries.

Additionally and not related to security: fixed build issues with
CentOS 7

= Security fixes =

Urgency: HIGH

Note for the list of vulnerabilities provided below:
The "Impact" described only applies if the Webdis image is used
without changes. If Webdis is used as a base image, please review
whether the changes made to it can cause these vulnerabilities to
become exploitable.

== Critical severity ==

Description: Out-of-bounds Write in zlib (CVE-2022-37434)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-ZLIB-2976174
Origin: zlib/zlib@1.2.11-r3, from the base image
Impact: Webdis uses zlib to support HTTP compression

== High severity ==

Description: Loop with Unreachable Exit Condition ('Infinite Loop')
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333
Origin: openssl/libcrypto1.1
Impact: Webdis only uses TLS to connect to Redis

Description: Execute arbitrary code via netstat (CVE-2022-28391)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608
Origin: introduced by the base image, alpine:3.14.3
Impact: netstat is not used by Webdis

Description: Arbitrary Code Injection in Redis (CVE-2022-24735)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805760
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Double Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Access of Resource Using Incompatible Type in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: Use After Free in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

Description: NULL Pointer Dereference in LibSSL3
Info: https://snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647
Origin: introduced by libssl3, a dependency of Redis
Impact: Webdis connects to its internal Webdis instance over TLS

== Medium severity ==

Description: NULL Pointer Dereference in Redis (CVE-2022-24736)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-2805761
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Inadequate Encryption Strength in openssl (CVE-2022-2097)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807
Origin: openssl/openssl@1.1.1l-r0, openssl/libssl1.1@1.1.1l-r0
Impact: Webdis only uses TLS to connect to Redis

== Low severity ==

Description: Integer Overflow or Wraparound in Redis (CVE-2022-35977)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243491
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis

Description: Integer Overflow or Wraparound in Redis (CVE-2023-22458)
Info: https://security.snyk.io/vuln/SNYK-ALPINE314-REDIS-3243489
Origin: introduced by the embedded Redis service, version 6.2.6
Impact: Webdis embeds this vulnerable version of Redis
2 years ago
Nicolas Favre-Felix 23838381f6
Add missing includes for strings.h
Several string functions were used without an explicit include.
This was discovered using an old version of GCC which warned about them;
these warnings are not seen with more recent compilers.
2 years ago
Nicolas Favre-Felix 05f168fc51
Define _POSIX_C_SOURCE=200809L
This is needed to enable localtime_r(3) used in src/slog.c
Also needed for strdup(3)
Add #ifndef to src/hiredis/fmacros.h to avoid warnings
2 years ago
Nicolas Favre-Felix 7c66f69b21
Remove O_NOFOLLOW from src/server.c
This was unnecessarily limiting, since users could legitimately want to
use a symlink for the config file. It is also unsupported on some
platforms; this was discovered when attempting to build Webdis on CentOS 7.
2 years ago
Nicolas Favre-Felix 41f200477b
Version bump after release
3 years ago
Nicolas Favre-Felix a984fdb8a5
Version 0.1.20
- Smaller Docker image size
- Bugfix: avoid responding to the wrong client (this could happen in rare cases)
- Better handling of WebSocket frames (details in #212)
- Fix regression introduced in 0.1.19, causing an empty header to be sent (#217)
3 years ago
Jessie Murray 15302e754e
Preserve header count when a value is replaced
Fix for #217, a regression added in #205. The "header_count"
field was incremented even when we overwrote a header entry, which
caused Webdis to send a header with no name and no value.
3 years ago
Nicolas Favre-Felix 73f29055c1
Improvements to ws_peek_data (by @majklik)
Better handling of WS client frames, contributed in the comments of #212:
* Reject unmasked frames as per RFC 6455
* Avoid unnecessary data copy from/to evbuffer
* Remove conditions on has_mask

2 new tests cover this change:
* minimal ping-pong with masked client frame, unmasked response
* rejected unmasked client frame
3 years ago
Nicolas Favre-Felix d28dd3ec80
Avoid responding to the wrong fd after client disconnection
Slightly adapted from a proposed change by @majklik on GitHub in
issue #212 (one invalid read fixed and a memory leak avoided).
This marks an inflight cmd's fd as -1 when the HTTP client disconnects,
which prevents the later response from Redis from being sent to a new
client which has connected in the meantime and been assigned the same
client fd.
3 years ago
Nicolas Favre-Felix 92ae1df7cd
Version bump after release
3 years ago
Nicolas Favre-Felix 417e0ac483
Release 0.1.19
- Performance: avoid redundant operations when building HTTP responses.
- Fix HTTP parser bug on architectures that used unsigned "char" types.
- Fix crash when receiving "FIN" WebSocket frame (#209).
3 years ago
Jessie Murray 6539ae13f9
Call ws_close_if_able instead of ws_client_free in worker.c
Update last call to ws_client_free to use ws_close_if_able instead, from
worker.c
3 years ago
Jessie Murray 887e0ec73f
Only call ws_client_free once all scheduled events have triggered
Fixes #209. A WS client socket closure could cause Webdis to schedule
the send of a closing frame, leading to both EV_READ and EV_WRITE
scheduled events. They would both fail and each lead to a call to
ws_client_free, causing a double free that ends in a crash.
3 years ago
Jessie Murray 55128ae263
Fix http_parser check for architectures with unsigned chars
http_parser.c has a table named "unhex" that it uses to convert hex
characters to their numeric values, e.g. 'F' -> 15. For non-hex
characters, the value is -1 but while the table contains int8_t values,
the extraction is done using a char. On ARMv8, char is *unsigned*, which
means it can't be compared to -1 as this is always false. Comparing to
(char)-1 instead will work.
3 years ago
Jessie Murray 7ce6d497c1
Add HEADER_CHECK_DUPE to bypass duplicate check
Almost all header entries are guaranteed to be added only once, so we
don't need to check for duplicates all the time. In the current code
base only Content-Length has the potential for being added twice, and
even then it seems highly unlikely. For all others, we can now bypass
this check.
This commit also changes the header_copy flags to be 1-bit flags, so
that they can be combined.
3 years ago
Jessie Murray dc9d1b646e
Avoid re-allocating headers array in http_response
Allocate the headers array once with the default number of entries
sufficient for most requests, and only re-allocate if needed instead of
re-allocating with each header.
3 years ago
Jessie Murray c7c6fc010f
Avoid copying header strings for http_response
http_response has an array of http_header key/value pairs, and most of
the time these use constant strings that do not need to be copied and
re-allocated. This change adds a flag tracking which values need to be
copied, were copied and need to be freed.
3 years ago
Nicolas Favre-Felix 173ce15308
Version bump after release
3 years ago
Nicolas Favre-Felix a12c39a6f3
Release 0.1.18
New feature: support for SSL connections to Redis.

Webdis can now connect securely to Redis, thanks to the Hiredis
client library. Docker images for Webdis will now contain two binaries,
"webdis" and "webdis-ssl", the latter depending on OpenSSL.

See Webdis README for details: https://github.com/nicolasff/webdis#configuring-webdis-with-ssl
3 years ago
Jessie Murray 863d003531
Review comments
3 years ago
Jessie Murray 1e9f6048e8
Add config parsing
3 years ago
Jessie Murray 83fe141f7e
Encrypt connections to Redis
Initialize SSL, use SSL context with each connection, enable flags in
Makefile.
TODO: read config into s->cfg, still missing for now
3 years ago
Jessie Murray 524e0245c1
Fix warnings introduced by type change due to Hiredis upgrade
3 years ago
Jessie Murray fc671090cd
Mark unused functions in Hiredis dict.c
Add back __UNUSED_FUNCTION__ dropped in Hiredis upgrade.
3 years ago
Jessie Murray c943844451
Upgrade Hiredis to v1.0.2
3 years ago
Nicolas Favre-Felix 10e1c40a5f
Version bump after release
3 years ago
Nicolas Favre-Felix 942be1fd54
Release 0.1.17.1 (Fixes Redis vulnerabilities)
Security update: upgrading the version of Redis bundled in
the Webdis image to fix a number of severe vulnerabilities.

* Low severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727801
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* Medium severity vulnerability found in redis/redis
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727803
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727783
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: CVE-2021-32626
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727820
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727822
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727823
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727825
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0

* High severity vulnerability found in redis/redis
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727826
  Introduced through: redis/redis@6.2.5-r0
  From: redis/redis@6.2.5-r0
  Fixed in: 6.2.6-r0
3 years ago
Nicolas Favre-Felix ad0e14c3df
Version bump after release
3 years ago
Nicolas Favre-Felix 8430eadc29
Release 0.1.17
* Many improvements to WebSocket implementation (#198, #199). WebSocket
  support is now much more stable, and better tested. The feature is
  still disabled by default, but is recommended for testing.
* Base image updated from Alpine 3.12.7 to 3.14.2 to resolve
  vulnerabilities found in Alpine. Webdis itself is not at risk, but
  images *based* on Webdis could be using vulnerable software if they
  use packages from Alpine 3.12.7.
3 years ago
Jessie Murray 3aaeabfcd3
CodeQL: Poorly documented large function
Document conf_read a bit more, and add some error reporting + 2 missing
free() calls. The leak was insignificant, only happening once at
startup.
3 years ago
Jessie Murray d2b115616f
CodeQL: Potentially uninitialized local variable
This is not really uninitialized, it would only happen if the string
dumped with dump_string was empty or contained invalid UTF-8. Setting
an initial value has no effect since codepoint is used as an "out"
value in utf8_iterate.
3 years ago
Nicolas Favre-Felix 35a2598760
Report invalid config keys or value types
3 years ago
Jessie Murray a8612e846e
Close fd if needed in ws_client_free
3 years ago
Jessie Murray 33b2923b3a
Make sure to reserve enough space for large frames
Add description of header and increase header size from 8 to 14 bytes.
3 years ago
Jessie Murray 3be189b527
Use macro for htonll/ntohll for portability
I realized that these functions are not standard, so this is bringing
macros back for the 64-bit transforms.
3 years ago
Jessie Murray e213af3226
Fix for WebSocket payload length using 8 bytes
The 8-byte conversion macros were incorrect, and could be replaced with
standard methods instead. This also adds a test to cover this case.
3 years ago
Jessie Murray d48353cec3
Rename self_cmd to reused_cmd
3 years ago
Jessie Murray b65c05a985
Reject unauthorized commands after SUBSCRIBE
Redis docs mention that a subscribed client cannot send a
non-subscription-related command.
3 years ago
Jessie Murray 67490fb825
Address review comments
3 years ago
Jessie Murray 545d18d84d
Send error messages to WS clients if triggered by Redis
Also mark the WS client as closing before we close the Redis connection,
to avoid its last error callback (if sent) trying to send out data while
we're in the middle of freeing the client.
3 years ago
Jessie Murray 583f6747b3
Avoid dereferencing NULL in pool_on_disconnect
pool_on_disconnect was assuming a pool object was attached and logging
using its server object. It also checked for NULL, but too late.
3 years ago