fix(deploy): 修复 Redis command YAML 折叠陷阱导致 --requirepass 静默失效#4028
Open
Chena2003 wants to merge 1 commit into
Open
fix(deploy): 修复 Redis command YAML 折叠陷阱导致 --requirepass 静默失效#4028Chena2003 wants to merge 1 commit into
Chena2003 wants to merge 1 commit into
Conversation
Redis 服务的 command 使用 YAML folded scalar (>), 但 sh -c 后的参数行 缩进更深,YAML 保留换行而非折叠成空格。shell 把换行当作命令分隔符, 导致 redis-server 以无参数默认配置启动,--save / --appendonly / --requirepass 全部静默失效。 改为数组形式 command + >- 折叠标量,确保所有参数在同一行传给 sh -c, 并加 exec 让 redis-server 成为 PID 1 正确接收 SIGTERM。 验证: docker compose config 确认解析后的 command 为单行完整命令, REDIS_PASSWORD 设置时 --requirepass 正确生效,未设置时正确省略。 涉及文件: - deploy/docker-compose.yml - deploy/docker-compose.dev.yml - deploy/docker-compose.local.yml
Contributor
|
All contributors have signed the CLA. ✅ |
Author
补充:实际安全事件背景这个 YAML 陷阱不是理论上的问题,我在生产环境中已经因为它遭遇了一次 Redis 未授权访问安全事件。以下是经过简化的复盘,供维护者参考这个 bug 的实际危害。 事件经过
用户感知Redis 变成只读从节点后,所有写操作被拒绝。登录接口的限流中间件(fail-close 策略)对 Redis 执行
无论换 IP、等多久都无法登录。排查后发现 41870 次同步重试意味着 Redis 已被入侵约 5 天。 为什么没造成严重后果
实际损失
教训这个 bug 的危险之处在于静默失败:配置看起来正确,容器启动正常,业务能跑,没有任何报错。只有被攻击时才暴露。如果端口暴露的问题没有在 希望这个 PR 能防止其他用户踩到同样的坑。 |
Author
|
I have read the CLA Document and I hereby sign the CLA |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
问题
三个 Docker Compose 文件中 Redis 服务的
command使用 YAML folded scalar (>):sh -c '行的缩进(4 空格)比后续参数行(8 空格)浅,按 YAML>折叠规则,更深缩进的行之间保留换行符而非折叠成空格。解析结果:shell 把换行当作命令分隔符,
redis-server以无参数默认配置启动,--save、--appendonly、--requirepass全部静默失效。因为redis-server是前台阻塞进程,后续行永远不会执行。后果:即使
.env中设置了REDIS_PASSWORD,Redis 仍以无密码运行。端口映射虽然已在 #18790386 移除,但若攻击者通过其他途径进入 Docker 内网,Redis 仍处于无认证状态。修复
改为数组形式
command+>-折叠标量:sh精确收到三个参数,无歧义>-将同缩进行的换行折叠为空格,sh -c收到完整的单行命令exec让redis-server替换 sh 进程成为 PID 1,正确接收 Docker SIGTERM验证
三个文件均已验证:
deploy/docker-compose.ymldeploy/docker-compose.dev.ymldeploy/docker-compose.local.ymlFixes #2511
Fixes #291