[DATAREDIS-791] ReactiveHashCommands.hMSet calls HSETNX if map contains a single tuple Created: 21/Mar/18  Updated: 04/Apr/18  Resolved: 03/Apr/18

Status: Closed
Project: Spring Data Redis
Component/s: Core
Affects Version/s: 2.0.5 (Kay SR5)
Fix Version/s: 2.1 M2 (Lovelace), 2.0.6 (Kay SR6)

Type: Bug Priority: Critical
Reporter: magd Assignee: Mark Paluch
Resolution: Fixed Votes: 0
Labels: Spring-Security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Last updater: Mark Paluch
Pull Request URL: https://github.com/spring-projects/spring-data-redis/pull/325
Sprint: Lovelace M2 / M3


In ReactiveHashCommands#hMSet, I believe the method should not execute an ifValueNotExists()? By removing that, it should be OK I believe.

A method hMSetNX could be created too, if relevant.

I came to this conclusion after checking in Spring Boot 2, Spring Security component was not logging out correctly when using Spring Data Redis as the backend for the session. The problem was basically it's using this method to remove the SPRING_SECURITY_CONTEXT information, but as it's doing an HSETNX internally, it's not really updating the session information (as that key already exists). So basically, a user is never really logged out, even though it seems like it is.

If that's the case and I'm not mistaken, it's obviously an important security issue when using Redis as the session backend.

I'd be happy to provide a PR on GitHub if you think I'm right about this.

Comment by Mark Paluch [ 22/Mar/18 ]

Good catch. The bug becomes visible only if hMset is called with a map that contains a single entry. I'm already on a fix.

Comment by magd [ 22/Mar/18 ]

Thanks Mark. Once the fix is applied, are you going to let the Spring Security team know about this, or shall I open an issue myself on that project? They should upgrade the dependency as soon as possible, I assume.

Thank you.

Comment by Mark Paluch [ 22/Mar/18 ]

I'll talk to the Spring Security folks. In which bit of Spring Security does that happen (Spring Security Core, OAuth, Spring Session, …)?

Comment by magd [ 22/Mar/18 ]

I think it's a chain. Spring Session with Redis driver should update the version.

But then, I assume for projects like Spring Boot, there should be a full update to make it happen (Spring Boot should update version of Spring Security, and Spring Security should update version of Spring Session?).


Comment by Mark Paluch [ 22/Mar/18 ]

That's not an answer to the question which Spring Security component invokes hMSet.

When you're using Spring Boot, then you'll get the upgrade anyways with Spring Boot 2.0.1, see https://spring-calendar.cfapps.io/.

Comment by magd [ 22/Mar/18 ]

Sorry about that. It's Spring Session. ReactiveRedisOperationsSessionRepository::saveDelta (private) uses DefaultReactiveHashOperations::putAll, which in turn uses the method we're discussing.

Comment by Mark Paluch [ 22/Mar/18 ]

Thanks a lot!

Generated at Sat Jul 11 04:41:47 UTC 2020 using Jira 8.5.4#805004-sha1:0444eab799707f9ad7b248d69f858774aadfd250.