Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: disable grpc reflection configuration #3550

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: disable grpc reflection configuration #3550

wants to merge 1 commit into from
+29 −18

Conversation

BandlSkyler
Copy link

Description (what this PR does / why we need it):

For security reasons, grpc reflection should not be registered directly by default

@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Feb 12, 2025
@BandlSkyler BandlSkyler force-pushed the reflection-register-refactor branch from d186ea6 to 3cf50f7 Compare February 12, 2025 02:46
@shenqidebaozi
Copy link
Member

This change should not be made as it affects forward compatibility. It should be registered by default and optional not to register

@BandlSkyler
Copy link
Author

BandlSkyler commented Feb 13, 2025
edited
Loading

This change should not be made as it affects forward compatibility. It should be registered by default and optional not to register

I see, but we should also ensure that users are not unknowingly enabling this feature and potentially exposing themselves to security risks without their consent.
Maybe we could address this situation within the code comments.

@BandlSkyler BandlSkyler force-pushed the reflection-register-refactor branch from 3cf50f7 to 7995a04 Compare February 13, 2025 07:48
shenqidebaozi
shenqidebaozi reviewed Feb 13, 2025
View reviewed changes
transport/grpc/server.go Outdated
@@ -113,6 +113,13 @@ func StreamInterceptor(in ...grpc.StreamServerInterceptor) ServerOption {
}
}

// DisuseReflection disuse reflection.
func DisuseReflection(enable bool) ServerOption {
Copy link
Member

@shenqidebaozi shenqidebaozi Feb 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we still need to pass the enable parameter when the method is called Disuse Also, usually disable is used

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, it's my mistake

shenqidebaozi
shenqidebaozi reviewed Feb 13, 2025
View reviewed changes
transport/grpc/server.go Outdated
}

// NewServer creates a gRPC server by options.
// By default, it will register gRPC reflection and gRPC admin.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This annotation should not be added here

Copy link
Author

@BandlSkyler BandlSkyler Feb 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure where to add annotations properly, please guide me.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can be placed on the newly added method or in the document

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should add an annotation in kratos-layout about that grpc admin and grpc reflection are registered.

@BandlSkyler BandlSkyler force-pushed the reflection-register-refactor branch from 7995a04 to 84eb06b Compare February 13, 2025 10:13
shenqidebaozi
shenqidebaozi reviewed Feb 13, 2025
View reviewed changes
transport/grpc/server.go Outdated
@@ -113,6 +113,13 @@ func StreamInterceptor(in ...grpc.StreamServerInterceptor) ServerOption {
}
}

// DisuseReflection disuse reflection.
func DisuseReflection() ServerOption {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually use Disable

@shenqidebaozi shenqidebaozi changed the title refactor: enable grpc reflection configuration feat: disable enable grpc reflection configuration Feb 13, 2025
@shenqidebaozi shenqidebaozi changed the title feat: disable enable grpc reflection configuration feat: disable grpc reflection configuration Feb 13, 2025
@BandlSkyler BandlSkyler force-pushed the reflection-register-refactor branch from 84eb06b to b4fed5e Compare February 14, 2025 03:05
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Feb 14, 2025
@BandlSkyler BandlSkyler force-pushed the reflection-register-refactor branch from b4fed5e to 90a5088 Compare February 14, 2025 03:09
@BandlSkyler BandlSkyler force-pushed the reflection-register-refactor branch from 90a5088 to 77ff1c1 Compare February 14, 2025 03:10
@dosubot dosubot bot added the LGTM label Feb 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shenqidebaozi shenqidebaozi shenqidebaozi approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
LGTM size:M This PR changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BandlSkyler @shenqidebaozi