Secure key #67
Merged
Secure key #67
Commits on Mar 15, 2021
-
Cryptographically sign and verify redis key
The current implementation contains two potential security vulnerabilities. The Redis key assigned by Redbird could be manipulated to potentially access other data in Redis and assign it as part of the user's session information. Values stored in Redis are also being deserialized using an Erlang function that can execute functions stored as values. This change closes those potential security vulnerabilities by cryptographically signing the Redis key used by Redbird and by using a deserialization function that safely handles Erlang terms including functions. When a user places a key-value in Redis via Redbird, Redbird generates a key, signs it, and optionally prepends the namespace. When accessing the key from Redis, Redbird verifies the key, rejects keys that have been tampered with, and safely deserializes the stored Erlang terms. Likewise, Redbird only permits deletion of keys that are valid.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.