Redact protocol error log when hide-user-data-from-log enabled (valkey-io#1889)

In this code logic:
https://github.com/valkey-io/valkey/blob/unstable/src/networking.c#L2767-L2773,
`c->querybuf + c->qb_pos` may also include user data.
Update the log message when config `hide-user-data-from-log` is enabled.

---------

Signed-off-by: VanessaTang <yuetan@amazon.com>
Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
Co-authored-by: Ran Shidlansik <ranshid@amazon.com>

Author: 2 people

src/expire.c

@@ -37,6 +37,69 @@
 
 #include "server.h"
 
+
+#define EVPOOL_SIZE 20
+#define EVPOOL_CACHED_SDS_SIZE 255
+struct expirePoolEntry {
+    long long expiretime; /* Absolute expiration time */
+    robj *entry;          /* The entry with expire time */
+};
+
+static struct expirePoolEntry **ExpirePools;
+
+/* Create an array of expire pools, one for each database.
+ * This allows us to separately track expiration candidates for each DB. */
+static struct expirePoolEntry **ExpirePools;
+
+void expirePoolAlloc(void) {
+    int dbnum = server.dbnum;
+
+    ExpirePools = zmalloc(sizeof(struct expirePoolEntry *) * dbnum);
+
+    for (int i = 0; i < dbnum; i++) {
+        ExpirePools[i] = zmalloc(sizeof(struct expirePoolEntry) * EVPOOL_SIZE);
+        for (int j = 0; j < EVPOOL_SIZE; j++) {
+            ExpirePools[i][j].expiretime = 0;
+            ExpirePools[i][j].entry = NULL;
+        }
+    }
+}
+
+void expirePoolPopulate(serverDb *db, robj *val, long long expiretime) {
+    struct expirePoolEntry *pool = ExpirePools[db->id];
+    int k;
+
+    k = 0;
+    while (k < EVPOOL_SIZE && pool[k].entry && pool[k].expiretime < expiretime) k++;
+
+    /* If we can't insert (all slots filled with sooner-to-expire entries), return */
+    if (k == 0 && pool[EVPOOL_SIZE - 1].entry != NULL) {
+        return;
+    } else if (k < EVPOOL_SIZE && pool[k].entry == NULL) {
+        /* Inserting into empty position. No setup needed before insert. */
+    } else {
+        /* Inserting in the middle. Now k points to the first element
+         * with expire time greater than the element to insert. */
+        if (pool[EVPOOL_SIZE - 1].entry == NULL) {
+            /* Free space on the right? Insert at k shifting
+             * all the elements from k to end to the right. */
+            memmove(pool + k + 1, pool + k, sizeof(pool[0]) * (EVPOOL_SIZE - k - 1));
+        } else {
+            /* No free space on right? Insert at k-1 */
+            k--;
+            /* Shift all elements on the left of k (included) to the
+             * left, so we discard the element with smallest expire time. */
+            if (pool[0].entry) decrRefCount(pool[0].entry);
+            memmove(pool, pool + 1, sizeof(pool[0]) * k);
+        }
+    }
+
+    /* Store the entry and increment its refcount */
+    pool[k].entry = val;
+    incrRefCount(val);
+    pool[k].expiretime = expiretime;
+}
+
 /*-----------------------------------------------------------------------------
  * Incremental collection of expired keys.
  *
@@ -135,7 +198,8 @@ typedef struct {
 void expireScanCallback(void *privdata, void *entry) {
     robj *val = entry;
     expireScanData *data = privdata;
-    long long ttl = objectGetExpire(val) - data->now;
+    long long expiretime = objectGetExpire(val);
+    long long ttl = expiretime - data->now;
     if (activeExpireCycleTryExpire(data->db, val, data->now)) {
         data->expired++;
         /* Propagate the DEL command */
@@ -145,6 +209,9 @@ void expireScanCallback(void *privdata, void *entry) {
         /* We want the average TTL of keys yet not expired. */
         data->ttl_sum += ttl;
         data->ttl_samples++;
+
+        /* Try to add this entry to the expiration pool for future expiration */
+        expirePoolPopulate(data->db, val, expiretime);
     }
     data->sampled++;
 }
@@ -252,6 +319,39 @@ void activeExpireCycle(int type) {
 
         if (kvstoreSize(db->expires)) dbs_performed++;
 
+        /* First, try to expire keys from the expire pool */
+        struct expirePoolEntry *pool = ExpirePools[db->id];
+        long long now = mstime();
+        int expired_from_pool = 0;
+
+        /* Traverse from back to front, stop when we find a non-expired key */
+        for (int i = EVPOOL_SIZE - 1; i >= 0; i--) {
+            if (pool[i].entry == NULL) continue;
+            if (pool[i].expiretime <= now) {
+                /* Key is expired, try to expire it */
+                if (activeExpireCycleTryExpire(db, pool[i].entry, now)) {
+                    expired_from_pool++;
+                    /* Propagate the DEL command */
+                    postExecutionUnitOperations();
+                }
+
+                /* Clean up the pool entry */
+                decrRefCount(pool[i].entry);
+                pool[i].entry = NULL;
+                pool[i].expiretime = 0;
+            } else {
+                /* Since we're traversing from back to front and keys are sorted by expire time,
+                 * if we find a non-expired key, all keys before it are also not expired */
+                break;
+            }
+        }
+
+        /* If we found expired keys in the pool, update stats */
+        if (expired_from_pool > 0) {
+            total_expired += expired_from_pool;
+            total_sampled += expired_from_pool;
+        }
+
         /* Continue to expire if at the end of the cycle there are still
          * a big percentage of keys to expire, compared to the number of keys
          * we scanned. The percentage, stored in config_cycle_acceptable_stale

src/networking.c

@@ -2764,24 +2764,27 @@ static void setProtocolError(const char *errstr, client *c) {
         /* Sample some protocol to given an idea about what was inside. */
         char buf[256];
         buf[0] = '\0';
-        if (c->querybuf && sdslen(c->querybuf) - c->qb_pos < PROTO_DUMP_LEN) {
-            snprintf(buf, sizeof(buf), "Query buffer during protocol error: '%s'", c->querybuf + c->qb_pos);
-        } else if (c->querybuf) {
-            snprintf(buf, sizeof(buf), "Query buffer during protocol error: '%.*s' (... more %zu bytes ...) '%.*s'",
-                     PROTO_DUMP_LEN / 2, c->querybuf + c->qb_pos, sdslen(c->querybuf) - c->qb_pos - PROTO_DUMP_LEN,
-                     PROTO_DUMP_LEN / 2, c->querybuf + sdslen(c->querybuf) - PROTO_DUMP_LEN / 2);
-        }
+        if (server.hide_user_data_from_log) {
+            snprintf(buf, sizeof(buf), "*redacted*");
+        } else {
+            if (c->querybuf && sdslen(c->querybuf) - c->qb_pos < PROTO_DUMP_LEN) {
+                snprintf(buf, sizeof(buf), "'%s'", c->querybuf + c->qb_pos);
+            } else if (c->querybuf) {
+                snprintf(buf, sizeof(buf), "'%.*s' (... more %zu bytes ...) '%.*s'",
+                         PROTO_DUMP_LEN / 2, c->querybuf + c->qb_pos, sdslen(c->querybuf) - c->qb_pos - PROTO_DUMP_LEN,
+                         PROTO_DUMP_LEN / 2, c->querybuf + sdslen(c->querybuf) - PROTO_DUMP_LEN / 2);
+            }
 
-        /* Remove non printable chars. */
-        char *p = buf;
-        while (*p != '\0') {
-            if (!isprint(*p)) *p = '.';
-            p++;
+            /* Remove non printable chars. */
+            char *p = buf;
+            while (*p != '\0') {
+                if (!isprint(*p)) *p = '.';
+                p++;
+            }
         }
-
         /* Log all the client and protocol info. */
         int loglevel = (c->flag.primary) ? LL_WARNING : LL_VERBOSE;
-        serverLog(loglevel, "Protocol error (%s) from client: %s. %s", errstr, client, buf);
+        serverLog(loglevel, "Protocol error (%s) from client: %s. Query buffer: %s", errstr, client, buf);
         sdsfree(client);
     }
     c->flag.close_after_reply = 1;

src/server.c

@@ -2844,6 +2844,7 @@ void initServer(void) {
         server.db[j].avg_ttl = 0;
     }
     evictionPoolAlloc(); /* Initialize the LRU keys pool. */
+    expirePoolAlloc();   /* Initialize the expire pools. */
     /* Note that server.pubsub_channels was chosen to be a kvstore (with only one dict, which
      * seems odd) just to make the code cleaner by making it be the same type as server.pubsubshard_channels
      * (which has to be kvstore), see pubsubtype.serverPubSubChannels */

src/server.h

@@ -3555,6 +3555,8 @@ void handleBlockedClientsTimeout(void);
 int clientsCronHandleTimeout(client *c, mstime_t now_ms);
 
 /* expire.c -- Handling of expired keys */
+void expirePoolAlloc(void);
+void expirePoolPopulate(serverDb *db, robj *val, long long expiretime);
 void activeExpireCycle(int type);
 void expireReplicaKeys(void);
 void rememberReplicaKeyWithExpire(serverDb *db, robj *key);

tests/integration/logging.tcl

@@ -109,6 +109,27 @@ if {!$::valgrind} {
             assert_equal "PONG" [r ping]
         }
     }
+
+    # test hide-user-data-from-log
+    set server_path [tmpdir server5.log]
+    start_server [list overrides [list dir $server_path crash-memcheck-enabled no hide-user-data-from-log no]] {
+        test "Config hide-user-data-from-log is off" {
+            r write "*3\r\n\$3\r\nSET\r\n\$1\r\nx\r\n\$blabla\r\n"
+            r flush
+            catch {r debug segfault}
+            wait_for_log_messages 0 {"*Query buffer: *\$blabla*"} 0 10 1000
+        }
+    }
+
+    set server_path [tmpdir server6.log]
+    start_server [list overrides [list dir $server_path crash-memcheck-enabled no hide-user-data-from-log yes]] {
+        test "Config hide-user-data-from-log is on" {
+            r write "*3\r\n\$3\r\nSET\r\n\$1\r\nx\r\n\$blabla\r\n"
+            r flush
+            catch {r debug segfault}
+            wait_for_log_messages 0 {"*Query buffer: *redacted*"} 0 10 1000
+        }
+    }
 }
 
 # test DEBUG ASSERT