PING HelloRedis
will return : HelloRedis
also I can do:
PING a_long_string
and it will do the work, replying with the very long string.
For security reasons, I would like to avoid this possibility, but I would still like to keep a totally accessible PING command for any user.
The workaround I have found is to remove PING with the ACL rules, but then... it is disabled.
So I propose to add a way to override the response, so that it is as short as I want (or even empty).
Whatever the parameter in the PING command, whether there is one or not, it would return the response stored in redis.conf (if it is not commented out).
Maybe someone knows a way to do what I want without this feature, or maybe this feature already exists?
Comment From: mgravell
What interesting security scenario does this protect you from? Any large value used with PING could be used with literally any other command - quite likely with more interesting results - either as a key or a value; especially with Lua. If a malicious client has access to the server, you already have a bad time. ACLs can help minimise the impact, but I don't see how protecting PING does much special that doesn't apply everywhere else.
Happy to be corrected, of course.
Comment From: githubfr
Hello, and thank you very much for your answer.
You are so right, and although I understand your answer, I just understood the extreme vulnerability of Redis.
I don't talk about the ping anymore, you convinced me, even if I find the functionality interesting apart from the security issue.
My project uses Redis in an iOS application, with TLS 1.2 access to the Redis server. But I understood your answer: my Redis database is publicly accessible, so nothing is secured.
The public user is a regulated user with ACL, who has write access to: +geoadd +zadd +hset
and so, as you explained, I feel that none of this is secure. What should I do, use Lua scripts? I will try to read up on this.
Comment From: githubfr
Hello, thank you for your response,
I have seen the ECHO command, and found it does what PING does with a parameter.
PING hello
hello
ECHO hello
hello
This is one of the reasons I proposed to give the PING command a different meaning. ECHO is an ECHO and PING is like a question for which we don't know the answer. The Redis server would know it in its .conf file.
Comment From: madolson
@githubfr Are these untrusted users executing GEOADD, ZADD, HSET commands against Redis? There is really no way to make that type of configuration secure. You normally would buffer them in front of some type of frontend process that can do the initial processing of requests.
Comment From: githubfr
Thank you Madolson,
it will be a new challenge then! I'm going to dig into this idea. So if I understand, the idea is to use another application to route and filter the requests to the Redis server. Then I can control whether the commands are acceptable or not.
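A sketch of the "front-end process" discussed in this thread, added here as an example (it is not code from the issue, from the commenters, or from Redis itself): untrusted clients talk to this layer, which forwards only the three write commands the ACL user was granted (GEOADD, ZADD, HSET), pins their arity, enforces byte-size and numeric-range limits, restricts keys to a namespace, and only then encodes the request as RESP for the Redis connection. Anything else, including an oversized PING or ECHO, is rejected before it reaches the server. The command set, the `app:` key prefix, the size limits and the list-of-strings request shape are assumptions chosen for illustration.

```python
# Added example, not code from the issue thread or from Redis. It models a
# validating front end between untrusted clients and a Redis server. The key
# prefix, limits and request shape below are assumptions for illustration.
import math

KEY_PREFIX = "app:"       # assumed namespace that untrusted clients may write to
MAX_KEY_BYTES = 64        # assumed limits, tune to the application
MAX_FIELD_BYTES = 128
MAX_VALUE_BYTES = 1024


class RejectedRequest(ValueError):
    """Raised when a request must not be forwarded to Redis."""


def _text(value, limit, what):
    """Require a non-empty UTF-8 string of at most `limit` bytes."""
    if not isinstance(value, str):
        raise RejectedRequest(f"{what} must be a string")
    size = len(value.encode("utf-8"))
    if size == 0 or size > limit:
        raise RejectedRequest(f"{what} is {size} bytes, allowed 1..{limit}")
    return value


def _key(value):
    """Keys must live under the client namespace so ACL key patterns stay meaningful."""
    key = _text(value, MAX_KEY_BYTES, "key")
    if not key.startswith(KEY_PREFIX):
        raise RejectedRequest(f"key must start with {KEY_PREFIX!r}")
    return key


def _number(value, what, lo=-math.inf, hi=math.inf):
    """Require a finite number within [lo, hi]; re-serialise it so odd spellings never reach Redis."""
    try:
        number = float(value)
    except (TypeError, ValueError):
        raise RejectedRequest(f"{what} is not a number") from None
    if not math.isfinite(number) or not lo <= number <= hi:
        raise RejectedRequest(f"{what}={value!r} outside {lo}..{hi}")
    return repr(number)


def _geoadd(args):
    key, lon, lat, member = args
    return ["GEOADD", _key(key),
            _number(lon, "longitude", -180.0, 180.0),
            _number(lat, "latitude", -85.05112878, 85.05112878),
            _text(member, MAX_FIELD_BYTES, "member")]


def _zadd(args):
    key, score, member = args
    return ["ZADD", _key(key), _number(score, "score"),
            _text(member, MAX_FIELD_BYTES, "member")]


def _hset(args):
    key, field, value = args
    return ["HSET", _key(key), _text(field, MAX_FIELD_BYTES, "field"),
            _text(value, MAX_VALUE_BYTES, "value")]


# Exactly the write commands granted in the thread; each entry pins the arity.
VALIDATORS = {"GEOADD": (_geoadd, 4), "ZADD": (_zadd, 3), "HSET": (_hset, 3)}


def encode_resp(parts):
    """Encode a validated argument list as a RESP array of bulk strings."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode("utf-8")
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def validate_and_encode(request):
    """Return RESP bytes for an allowed request, or raise RejectedRequest."""
    if not isinstance(request, list) or not request or not isinstance(request[0], str):
        raise RejectedRequest("request must be a non-empty list starting with a command name")
    command, args = request[0].upper(), request[1:]
    if command not in VALIDATORS:
        raise RejectedRequest(f"command {command!r} is not allowed through the front end")
    handler, arity = VALIDATORS[command]
    if len(args) != arity:
        raise RejectedRequest(f"{command} takes {arity} arguments, got {len(args)}")
    return encode_resp(handler(args))


def is_accepted(request):
    """Convenience predicate for tests and logging: True if the request would be forwarded."""
    try:
        validate_and_encode(request)
        return True
    except RejectedRequest:
        return False


if __name__ == "__main__":
    print(validate_and_encode(["geoadd", "app:places", "2.35", "48.85", "paris"]))
    print(is_accepted(["PING", "x" * 100000]))   # PING is simply not forwarded
```

The point of the design is that the front end, not Redis, is the trust boundary: the ACL user still limits the blast radius if the front end is bypassed, but size and range checks, key namespacing and an explicit command allowlist happen before any bytes are written to the Redis socket. In a real deployment the same layer would also authenticate the client (the token verification mentioned later in the thread) and rate-limit per client.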
Comment From: mgravell
> What should I do, use Lua scripts?
No, that isn't what I was saying. If you have an authorized user, Lua would be a better DoS vector. Redis is absolutely not unique here - just about every backend server ever imagined is vulnerable to authorized subsystems doing stupid and malicious things, or using oversize data, or too many operations, etc. This isn't a Redis issue - it is a "don't expose your backend servers to arbitrary clients" issue.
Comment From: githubfr
Yes, I understand the concept of a backend server now. I will dig into these front-end processes. I have seen that token verification could be a solution.
Thank you for your help.
Comment From: itamarhaber
...so, can this be closed?