`Generation` currently has a derived `Deserialize` impl:

omicron/common/src/api/external/mod.rs
Lines 728 to 745 in 6fb91c6

However, it has a note that the values should fit in an `i64`, and we validate that in `next()`:

omicron/common/src/api/external/mod.rs
Line 769 in 6fb91c6

There is no equivalent validation performed when deserializing, so I believe we could get an API request with a `Generation` in the range `(i64::MAX, u64::MAX]` and bypass the checks. I strongly suspect this doesn't really matter in practice today; `Generation` only appears in internal APIs, and we have no way for well-behaved clients to construct a `Generation` in that range to send. But it's still technically wrong and could lead to weird issues if we somehow did have a client pass a bad value, hence this issue.
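An added example, not omicron's code, of routing every construction path through one range check so that untrusted input cannot produce a value in `(i64::MAX, u64::MAX]`. The type, error enum and method bodies are hypothetical, and `FromStr` stands in for the request-parsing path; with serde the same `TryFrom<u64>` impl can be wired into deserialization with `#[serde(try_from = "u64")]`.

```rust
use std::convert::TryFrom;
use std::str::FromStr;

/// Hypothetical stand-in for the `Generation` newtype discussed above.
/// The field is private, so the only ways in are the checked ones below.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Generation(u64);

#[derive(Debug, PartialEq, Eq)]
pub enum GenerationError {
    NotANumber,
    OutOfRange(u64),
}

impl Generation {
    /// Largest permitted value: must still fit in an i64.
    pub const MAX: u64 = i64::MAX as u64;

    pub fn new() -> Self { Generation(1) }
    pub fn as_u64(self) -> u64 { self.0 }

    /// Advance by one, applying the same bound as every other path.
    /// `self.0 <= i64::MAX` is an invariant, so `+ 1` cannot overflow u64.
    pub fn next(self) -> Result<Self, GenerationError> {
        Generation::try_from(self.0 + 1)
    }
}

/// The single place where the i64 bound is enforced.
impl TryFrom<u64> for Generation {
    type Error = GenerationError;
    fn try_from(v: u64) -> Result<Self, Self::Error> {
        if v > Self::MAX { Err(GenerationError::OutOfRange(v)) } else { Ok(Generation(v)) }
    }
}

/// Models the untrusted input path (a number arriving in a request).
impl FromStr for Generation {
    type Err = GenerationError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let raw: u64 = s.trim().parse().map_err(|_| GenerationError::NotANumber)?;
        Generation::try_from(raw)
    }
}

fn main() {
    // Constructed sample inputs: in range, the upper bound, and two out of range.
    for input in ["1", "9223372036854775807", "9223372036854775808", "18446744073709551615"] {
        println!("{:>20} -> {:?}", input, input.parse::<Generation>());
    }
}
```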