Mark connections broken on protocol I/O failures#4549
Conversation
|
Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset. In case there are security findings, they will be communicated to you as a comment inside the PR. Hope you’ll enjoy using Jit. Questions? Comments? Want to learn more? Get in touch with us. |
|
Thanks for the PR — the team will take a look as soon as we have free cycles. In the meantime, to get the formatting checks passing, please add the new files to the formatter config in pom.xml and run mvn format over them. That should resolve the current CI failures. |
|
Thanks for the guidance. I added the new test file to the formatter config, ran the formatter, and pushed the fix in 724d5ee. I also verified locally with:
The GitHub Actions workflows on the latest commit currently show as action_required, so I’m waiting for them to be approved/rerun. |
|
@lh0156 |
There was a problem hiding this comment.
Pull request overview
This PR hardens redis.clients.jedis.Connection error handling so that protocol I/O failures (write/flush/read/push paths) reliably mark a connection as broken, preventing pooled connections with potentially contaminated RESP state from being reused (fixes #4278).
Changes:
- Update
Connectionto mark broken on protocol send/flush/read/push failures (notablyJedisConnectionExceptionandError) and to reject reads/writes once broken. - Preserve the existing “read Redis error line if possible” diagnostic when
sendCommandfails, while ensuring the connection is already marked broken first. - Add comprehensive unit coverage for serialization/write failures, protocol read failures, push read failures, and pool invalidation behavior; register the test in the formatter plugin includes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/main/java/redis/clients/jedis/Connection.java | Marks connections broken on key protocol failure paths and adds broken-state guards. |
| src/test/java/redis/clients/jedis/ConnectionErrorHandlingTest.java | Adds focused tests covering broken-state behavior across send/flush/read/push and pool invalidation scenarios. |
| pom.xml | Registers the new test file in the formatter plugin includes list. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| public void sendCommand(final CommandArguments args) { | ||
| connect(); | ||
| try { | ||
| connect(); | ||
| Protocol.sendCommand(outputStream, args); |
There was a problem hiding this comment.
Addressed in 16f174b by adding the broken-write guard after connect() and before Protocol.sendCommand(...), so reconnect can still clear the broken state. I also added focused coverage for direct sendCommand rejection, no bytes written, no argument serialization/diagnostic read, reconnect preservation, and pooled invalidation on close.
atakavci
left a comment
atakavci
left a comment
There was a problem hiding this comment.
i suggest to investigate if connect outside of tyry-block 💯 safe
| setBroken(); | ||
| throw enrichWithRedisErrorLine(ex); |
There was a problem hiding this comment.
nit:
| setBroken(); | |
| throw enrichWithRedisErrorLine(ex); | |
| throw markBroken(enrichWithRedisErrorLine(ex)); |
and other uses of it same way.
| } | ||
|
|
||
| public void sendCommand(final CommandArguments args) { | ||
| connect(); |
There was a problem hiding this comment.
leaving connect outside of try-block rings the bells... Didnt investigated throguh the possible use-cases but it would leave the door open to an Error escaping from both connect and sendCommand without marking it broken.
ggivo
added
waiting-for-feedback
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit cd826b2. Configure here.
| throw markBroken(ex); | ||
| } catch (Error err) { | ||
| throw markBroken(err); | ||
| } |
There was a problem hiding this comment.
Connect bypasses markBroken handlers
Medium Severity
In sendCommand, connect() runs outside the try that marks the connection broken on RuntimeException and Error. Unchecked failures during socket setup therefore skip markBroken when the broken flag is still false, so close() may return the connection to the pool as healthy despite a failed command attempt.
Reviewed by Cursor Bugbot for commit cd826b2. Configure here.
Fixes #4278.
Summary
Connectionbroken when protocol send/read/push paths fail withJedisConnectionExceptionorError.Motivation
If a pooled connection fails while RESP bytes are being written or read, the connection can retain partial or stale protocol state. Returning that connection to the pool as healthy can allow a later borrower to read stale data.
Redis error replies are still valid protocol responses, so
JedisDataExceptionpaths continue to leave the connection reusable.Notes
sendCommandis preserved.Testing
/Users/developseop/.m2/wrapper/dists/apache-maven-3.9.15/9925cc1d/bin/mvn -B -Dwith-param-names=true -Dtest=ConnectionErrorHandlingTest test/Users/developseop/.m2/wrapper/dists/apache-maven-3.9.15/9925cc1d/bin/mvn -B -Dwith-param-names=true -Dnet.bytebuddy.experimental=true testNote
Medium Risk
Touches core connection/pooling behavior on every command; behavior change is intentional but could alter how often pools discard connections compared to before.
Overview
Hardens
Connectionso pooled clients are not reused after partial or corrupt RESP I/O. On send, flush, read, and push paths,JedisConnectionExceptionandErrornow mark the connection broken (viamarkBroken); already-broken sockets fail fast on further writes/reads without touching the wire.sendCommandconnects first, rejects writes when broken, marks broken before the optional Redis error-line diagnostic (so enrichment cannot leave a suspect connection healthy), and still wraps write failures withenrichWithRedisErrorLine. Valid RedisJedisDataExceptionreplies and post-read builder bugs do not mark the connection broken.Adds
ConnectionErrorHandlingTest(fake sockets + single-connection pool) covering serialization/write/read/push failures, guards, and pool invalidation vs reuse on data errors. Registers that test inpom.xmlformatter includes.Reviewed by Cursor Bugbot for commit cd826b2. Bugbot is set up for automated code reviews on this repo. Configure here.