safer_redis 1.0.0 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/Gemfile.lock +13 -11
- data/README.md +8 -1
- data/lib/safer_redis/assessor.rb +30 -0
- data/lib/safer_redis/command_doc.rb +4 -0
- data/lib/safer_redis/danger.rb +7 -0
- data/lib/safer_redis/interceptor.rb +4 -1
- data/lib/safer_redis/suggestion.rb +24 -0
- data/lib/safer_redis/version.rb +1 -1
- data/lib/safer_redis.rb +0 -6
- metadata +6 -5
- data/safer_redis.gemspec +0 -35
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 790845a432c5b85fa5261a8cbca3170058adcc00352f79ae3a1d211e5027b7dc
|
|
4
|
+
data.tar.gz: 9bacdc397e449211800e19ccd0fb6e99089215db5fbd52593d452ec8b73f44d8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f0fa1a49e44253388abaa4483ad9ceeae25b65386c1ed5ecff2820075905245d45684aabd0dfb475041739ec1b938ddcf125e3546d52b22d1380e30793b823f6
|
|
7
|
+
data.tar.gz: ee4c6847111eb19a6e2d836e557826a3cf9a4a14219dfcb9734e26b9728d9f8649960aa0071c2a2de68f83b421c339713e92291d52b796f8926e3e15cc118b54
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
## [Unreleased]
|
|
2
2
|
|
|
3
|
+
## [1.2.0] - 2023-11-14
|
|
4
|
+
|
|
5
|
+
- Allow `DEL` (`@slow`) if `lazyfree-lazy-user-del` server option is enabled.
|
|
6
|
+
|
|
7
|
+
## [1.1.0] - 2023-01-07
|
|
8
|
+
|
|
9
|
+
- Allow `@slow` if it's only `O(1)` complexity, e.g. the `SET` (string) command.
|
|
10
|
+
|
|
3
11
|
## [1.0.0] - 2022-12-02
|
|
4
12
|
|
|
5
13
|
- Initial release
|
data/Gemfile.lock
CHANGED
|
@@ -1,37 +1,39 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
safer_redis (
|
|
4
|
+
safer_redis (1.1.0)
|
|
5
5
|
redis (>= 4.6.0)
|
|
6
6
|
zeitwerk
|
|
7
7
|
|
|
8
8
|
GEM
|
|
9
9
|
remote: https://rubygems.org/
|
|
10
10
|
specs:
|
|
11
|
-
connection_pool (2.
|
|
11
|
+
connection_pool (2.4.1)
|
|
12
12
|
diff-lcs (1.5.0)
|
|
13
|
-
rake (13.0
|
|
14
|
-
redis (5.0.
|
|
15
|
-
redis-client (>= 0.
|
|
16
|
-
redis-client (0.
|
|
13
|
+
rake (13.1.0)
|
|
14
|
+
redis (5.0.8)
|
|
15
|
+
redis-client (>= 0.17.0)
|
|
16
|
+
redis-client (0.18.0)
|
|
17
17
|
connection_pool
|
|
18
18
|
rspec (3.12.0)
|
|
19
19
|
rspec-core (~> 3.12.0)
|
|
20
20
|
rspec-expectations (~> 3.12.0)
|
|
21
21
|
rspec-mocks (~> 3.12.0)
|
|
22
|
-
rspec-core (3.12.
|
|
22
|
+
rspec-core (3.12.2)
|
|
23
23
|
rspec-support (~> 3.12.0)
|
|
24
|
-
rspec-expectations (3.12.
|
|
24
|
+
rspec-expectations (3.12.3)
|
|
25
25
|
diff-lcs (>= 1.2.0, < 2.0)
|
|
26
26
|
rspec-support (~> 3.12.0)
|
|
27
|
-
rspec-mocks (3.12.
|
|
27
|
+
rspec-mocks (3.12.6)
|
|
28
28
|
diff-lcs (>= 1.2.0, < 2.0)
|
|
29
29
|
rspec-support (~> 3.12.0)
|
|
30
|
-
rspec-support (3.12.
|
|
31
|
-
zeitwerk (2.6.
|
|
30
|
+
rspec-support (3.12.1)
|
|
31
|
+
zeitwerk (2.6.12)
|
|
32
32
|
|
|
33
33
|
PLATFORMS
|
|
34
34
|
x86_64-darwin-21
|
|
35
|
+
x86_64-darwin-22
|
|
36
|
+
x86_64-darwin-23
|
|
35
37
|
|
|
36
38
|
DEPENDENCIES
|
|
37
39
|
rake (~> 13.0)
|
data/README.md
CHANGED
|
@@ -4,9 +4,16 @@ SaferRedis wraps a Redis connection, and warns you before letting through comman
|
|
|
4
4
|
|
|
5
5
|
Inspiration is taken from https://github.com/ankane/strong_migrations which provides similar guard-rails for potentially dangerous database migrations.
|
|
6
6
|
|
|
7
|
+
## Special cases
|
|
8
|
+
|
|
9
|
+
Commands tagged as `@slow` but with only O(1) complexity are not considered dangerous. This includes
|
|
10
|
+
e.g. the extremely commonly used `SET` command.
|
|
11
|
+
|
|
12
|
+
The [`DEL`](https://redis.io/commands/del/) command (`@slow`) is treated as [`UNLINK`](https://redis.io/commands/unlink/) (`@fast`) when the `lazyfree-lazy-user-del` server option is set.
|
|
13
|
+
|
|
7
14
|
## Limitations
|
|
8
15
|
|
|
9
|
-
Currently SaferRedis works with the [`redis` gem](https://rubygems.org/gems/redis) from https://github.com/redis/redis-rb (regardless of which connection adapter is being used, e.g. [`hiredis`](https://rubygems.org/gems/hiredis)) by hooking into the private `#send_command` method which was introduced in v4.6.0. This isn't a stable API, so other interception strategies will be considered and may be added in future. Some Redis connectors/drivers
|
|
16
|
+
Currently SaferRedis works with the [`redis` gem](https://rubygems.org/gems/redis) from https://github.com/redis/redis-rb (regardless of which connection adapter is being used, e.g. [`hiredis`](https://rubygems.org/gems/hiredis)) by hooking into the private `#send_command` method which was introduced in v4.6.0. This isn't a stable API, so other interception strategies will be considered and may be added in future. Some Redis connectors/drivers support middleware, but others don't.
|
|
10
17
|
|
|
11
18
|
Some commands are documented at the subcommand level as multiple words (e.g. `CLIENT LIST`). SaferRedis currently only recognises commands documented at their top-level single word (e.g. `DEL`). Support for multi-word commands will be considered and may be added in future.
|
|
12
19
|
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "json"
|
|
4
|
+
|
|
5
|
+
module SaferRedis
|
|
6
|
+
class Assessor
|
|
7
|
+
def self.assess!(doc, redis:)
|
|
8
|
+
# DEL becomes UNLINK if lazyfree-lazy-user-del is set
|
|
9
|
+
# https://github.com/redis/redis/pull/6243
|
|
10
|
+
# https://redis.io/docs/management/config-file/
|
|
11
|
+
if doc.name == "DEL" && config_get("lazyfree-lazy-user-del", redis:) == "yes"
|
|
12
|
+
doc = SaferRedis::CommandDoc.new("UNLINK")
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
if doc.dangerous?
|
|
16
|
+
# Anything tagged @dangerous is… dangerous
|
|
17
|
+
raise SaferRedis::Danger.new(doc)
|
|
18
|
+
|
|
19
|
+
elsif doc.slow? && doc.complexity != "O(1)"
|
|
20
|
+
# Anything tagged @slow might be dangerous, but we'll let through O(1)
|
|
21
|
+
# complexity commands e.g. SET
|
|
22
|
+
raise SaferRedis::Danger.new(doc)
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def self.config_get(option, redis:)
|
|
27
|
+
SaferRedis.really { redis.config(:get, option)[option] }
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
data/lib/safer_redis/danger.rb
CHANGED
|
@@ -15,6 +15,13 @@ module SaferRedis
|
|
|
15
15
|
If you're sure this is okay, you can try again within `SaferRedis.really { ... }`
|
|
16
16
|
MESSAGE
|
|
17
17
|
|
|
18
|
+
if doc.suggestion
|
|
19
|
+
message = <<~MESSAGE
|
|
20
|
+
#{message}
|
|
21
|
+
Suggestion: #{doc.suggestion.description}
|
|
22
|
+
MESSAGE
|
|
23
|
+
end
|
|
24
|
+
|
|
18
25
|
super(message)
|
|
19
26
|
end
|
|
20
27
|
end
|
|
@@ -4,7 +4,10 @@ module SaferRedis
|
|
|
4
4
|
module Interceptor
|
|
5
5
|
def send_command(command, &block)
|
|
6
6
|
if SaferRedis.active?
|
|
7
|
-
SaferRedis.assess!(
|
|
7
|
+
SaferRedis::Assessor.assess!(
|
|
8
|
+
SaferRedis::CommandDoc.from_command_array(command),
|
|
9
|
+
redis: self,
|
|
10
|
+
)
|
|
8
11
|
end
|
|
9
12
|
|
|
10
13
|
super
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module SaferRedis
|
|
4
|
+
class Suggestion
|
|
5
|
+
attr_reader :command, :description
|
|
6
|
+
|
|
7
|
+
def initialize(command, description)
|
|
8
|
+
@command = command
|
|
9
|
+
@description = description
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def self.for_command(command)
|
|
13
|
+
case command
|
|
14
|
+
when "DEL"
|
|
15
|
+
new(command, <<~END)
|
|
16
|
+
Consider using the non-blocking UNLINK command instead to delete the key on a \
|
|
17
|
+
background thread, or set the lazyfree-lazy-user-del server option
|
|
18
|
+
END
|
|
19
|
+
else
|
|
20
|
+
nil
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
data/lib/safer_redis/version.rb
CHANGED
data/lib/safer_redis.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safer_redis
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paul Annesley
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-11-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: redis
|
|
@@ -56,11 +56,12 @@ files:
|
|
|
56
56
|
- Rakefile
|
|
57
57
|
- data/redis-doc/commands.json
|
|
58
58
|
- lib/safer_redis.rb
|
|
59
|
+
- lib/safer_redis/assessor.rb
|
|
59
60
|
- lib/safer_redis/command_doc.rb
|
|
60
61
|
- lib/safer_redis/danger.rb
|
|
61
62
|
- lib/safer_redis/interceptor.rb
|
|
63
|
+
- lib/safer_redis/suggestion.rb
|
|
62
64
|
- lib/safer_redis/version.rb
|
|
63
|
-
- safer_redis.gemspec
|
|
64
65
|
- sig/safer_redis.rbs
|
|
65
66
|
homepage: https://github.com/buildkite/safer_redis
|
|
66
67
|
licenses:
|
|
@@ -77,14 +78,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
77
78
|
requirements:
|
|
78
79
|
- - ">="
|
|
79
80
|
- !ruby/object:Gem::Version
|
|
80
|
-
version: 2.
|
|
81
|
+
version: 3.2.0
|
|
81
82
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
82
83
|
requirements:
|
|
83
84
|
- - ">="
|
|
84
85
|
- !ruby/object:Gem::Version
|
|
85
86
|
version: '0'
|
|
86
87
|
requirements: []
|
|
87
|
-
rubygems_version: 3.
|
|
88
|
+
rubygems_version: 3.4.22
|
|
88
89
|
signing_key:
|
|
89
90
|
specification_version: 4
|
|
90
91
|
summary: Catch unsafe Redis commands in production
|
data/safer_redis.gemspec
DELETED
|
@@ -1,35 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require_relative "lib/safer_redis/version"
|
|
4
|
-
|
|
5
|
-
Gem::Specification.new do |spec|
|
|
6
|
-
spec.name = "safer_redis"
|
|
7
|
-
spec.version = SaferRedis::VERSION
|
|
8
|
-
spec.authors = ["Paul Annesley"]
|
|
9
|
-
spec.email = ["paul@annesley.cc"]
|
|
10
|
-
|
|
11
|
-
spec.summary = "Catch unsafe Redis commands in production"
|
|
12
|
-
spec.description = "SaferRedis warns you before letting through commands that could impact production availability by being marked `@slow` or `@dangerous` in the Redis documentation"
|
|
13
|
-
spec.homepage = "https://github.com/buildkite/safer_redis"
|
|
14
|
-
spec.license = "MIT"
|
|
15
|
-
spec.required_ruby_version = ">= 2.6.0"
|
|
16
|
-
|
|
17
|
-
spec.metadata["homepage_uri"] = spec.homepage
|
|
18
|
-
spec.metadata["source_code_uri"] = "https://github.com/buildkite/safer_redis"
|
|
19
|
-
spec.metadata["changelog_uri"] = "https://github.com/buildkite/safer_redis/blob/main/CHANGELOG.md"
|
|
20
|
-
|
|
21
|
-
# Specify which files should be added to the gem when it is released.
|
|
22
|
-
# The `git ls-files -z` loads the files in the RubyGem that have been added into git.
|
|
23
|
-
spec.files = Dir.chdir(__dir__) do
|
|
24
|
-
`git ls-files -z`.split("\x0").reject do |f|
|
|
25
|
-
(f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
spec.require_paths = ["lib"]
|
|
29
|
-
|
|
30
|
-
# The only strategy implemented so far is intercepting the private Redis#send_command method,
|
|
31
|
-
# which was introduced in v4.6.0 via https://github.com/redis/redis-rb/pull/1058 and remains
|
|
32
|
-
# in the latest release (v5.0.5) at time of writing.
|
|
33
|
-
spec.add_dependency "redis", ">= 4.6.0"
|
|
34
|
-
spec.add_dependency "zeitwerk"
|
|
35
|
-
end
|