ACL: Fix parsing issue leading to denail of service

Fix for CVE-2024-31227 This patch was provided to us by Valkey, who received it from Redis Ltd. > An authenticated user with sufficient privileges may create a > malformed ACL selector which, when accessed, triggers a server panic > and subsequent denial of service. Fixes: https://codeberg.org/redict/redict/issues/54 Signed-off-by: Drew DeVault <sir@cmpwn.com>
2025-01-21 23:58:51 -05:00 · 2024-09-16 08:54:30 +02:00 · 2024-09-16 08:54:30 +02:00 · e035e7b763
commit e035e7b763
parent a4c8110232
2 changed files with 6 additions and 1 deletions
--- a/src/acl.c
+++ b/src/acl.c
@ -1073,7 +1073,7 @@ int ACLSetSelector(aclSelector *selector, const char* op, size_t oplen) {
                    flags |= ACL_READ_PERMISSION;
                } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
                    flags |= ACL_WRITE_PERMISSION;
-                } else if (op[offset] == '~') {
+                } else if (op[offset] == '~' && flags) {
                    offset++;
                    break;
                } else {
--- a/tests/unit/acl-v2.tcl
+++ b/tests/unit/acl-v2.tcl
@ -122,6 +122,11 @@ start_server {tags {"acl external:skip"}} {
        assert_match "*NOPERM*key*" $err
    }

+    test {Validate read and write permissions format} {
+        catch {r ACL SETUSER key-permission-RW %~} err
+        set err
+    } {ERR Error in ACL SETUSER modifier '%~': Syntax error}
+
    test {Test separate read and write permissions on different selectors are not additive} {
        r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)"
        $r2 auth key-permission-RW-selector password