Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DISK Dos Attack Warning] should not use message publish time in checkMessageExpiry and AppendBrokerTimesampMetadataInterceptor should be config to brokerEntryMetadataInterceptors #21347

Open
1 of 2 tasks
xiaotongwang1 opened this issue Oct 12, 2023 · 0 comments
Open
1 of 2 tasks

[DISK Dos Attack Warning] should not use message publish time in checkMessageExpiry and AppendBrokerTimesampMetadataInterceptor should be config to brokerEntryMetadataInterceptors #21347

xiaotongwang1 opened this issue Oct 12, 2023 · 0 comments
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

@xiaotongwang1
Copy link
Contributor

Search before asking

  • I searched in the issues and found nothing similar.

Version

all pulsar version

Minimal reproduce step

1、brokerEntryMetadataInterceptors config not contain AppendBrokerTimesampMetadataInterceptor
2、create a topic and set retention and ttl to 5 min
3、pulsar client server change system time to some years later
4、publish message and start a pulsar consumer
5、stop pulsar consumer and continue publish message
6、message can not expire when ledger close and time reach

What did you expect to see?

NA

What did you see instead?

PersistentMessageExpiryMonitor
expireMessages(int messageTTLInSeconds) -->call Commands/MessageImpl.getEntryTimestamp(entry.getDataBuffer());

// get broker timestamp first if BrokerEntryMetadata is enabled with AppendBrokerTimestampMetadataInterceptor
BrokerEntryMetadata brokerEntryMetadata =Commands.parseBrokerEntryMetadataIfExist(headersAndPayloadWithBrokerEntryMetadata);
if (brokerEntryMetadata != null && brokerEntryMetadata.hasBrokerTimestamp()) {
    return brokerEntryMetadata.getBrokerTimestamp();
 }
// otherwise get the publish_time
return Commands.parseMessageMetadata(headersAndPayloadWithBrokerEntryMetadata).getPublishTime();

when brokerEntryMetadata.hasBrokerTimestamp() == false , pulsar server will use mesage publishTime
this will introduce vulnerability attack , server can not trust any client message data

Suggestions:
add AppendBrokerTimesampMetadataInterceptor to brokerEntryMetadataInterceptors

Anything else?

Others:
in transaction scenario , even when we config brokerEntryMetadataInterceptors=org.apache.pulsar.common.intercept.AppendIndexMetadataInterceptor, we can not get offset , i am not sure if brokerEntryMetadataInterceptors works in transaction produce

if brokerEntryMetadataInterceptors not work
maybe we need verify client publish time when server receive mesage .

Are you willing to submit a PR?

  • I'm willing to submit a PR!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug The PR fixed a bug or issue reported a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[fix][broker] Fix messages could not expire due to incorrect client clock 315157973/pulsar
1 participant
@xiaotongwang1