fix(status): prevent panic on invalid base64 in grpc-status-details-bin#2618
fix(status): prevent panic on invalid base64 in grpc-status-details-bin#2618sauravzg wants to merge 1 commit into
Conversation
sauravzg
force-pushed
the
sauravz/status-panic
branch
from
67250d1 to
cd49dc4
Compare
sauravzg
force-pushed
the
sauravz/status-panic
branch
from
cd49dc4 to
956a170
Compare
| let (code, message, details) = match (error_message, details_result) { | ||
| (Ok(msg), Ok(det)) => (code, msg, det), | ||
| (Err(e), _) => { | ||
| let error_message = format!("Error deserializing status message header: {e}"); |
There was a problem hiding this comment.
Note that Go doesn't consider it an error that changes the status code in this case. I'm not sure about Java/C++/the spec.
There was a problem hiding this comment.
For now, I've decided to keep things consistent with how tonic handles it after some discussion with arjan on it i.e. "unknown error" which is what tonic does for incorrect error message.
I'll loop lucio in to the review and get his opinion here, keeping the comment open.
There was a problem hiding this comment.
Ah okay I see I think its fine to keep the prev status code I don't think anyone is depending on this behavior and I think this is prob just an impl gap. So happy to have this align with what other grpc crates do.
There was a problem hiding this comment.
So, it seems that this may not be consistent across languages.
- Go : https://github.com/grpc/grpc-go/blob/1c63fa5f5492fb6cb4cabf9847999ce469505f49/internal/status/status.go#L54-L58 - Seems to just ignore the errors here
- Java: https://github.com/grpc/grpc-java/blob/0248e6f75605ac5007fa71c2a62e4f325a61d32d/protobuf-lite/src/main/java/io/grpc/protobuf/lite/ProtoLiteUtils.java#L271-L278 , https://github.com/grpc/grpc-java/blob/0248e6f75605ac5007fa71c2a62e4f325a61d32d/protobuf/src/main/java/io/grpc/protobuf/StatusProto.java#L180 indicate that it just gets bubbled up to application as runtime exception.
- C++ : This was more difficult to find so I asked gemini, which seems to think it ends up returning internal error.
Anyways, given the lack of consistency of error handling , personally lean towards keeping the same behavior as "grpc message" for tonic , but I don't mind changing it to something else. @dfawley LMK what you'd like here.
There was a problem hiding this comment.
Sure, keeping the tonic behavior for now is fine, but we should figure out the "right" behavior, too. I think C++ (or gemini's version of c++) is most likely what we want, but I'm not sure.
There was a problem hiding this comment.
Looking at the places in Go that you pointed to, I think we're talking about different things.
This error is about failing to percent-decode the grpc-message header, whereas you seem to be looking at the grpc-status-details-bin proto.
In Go we just do our best to percent-decode, ignoring any errors while emitting, e.g. %yq comes out verbatim if the header contains %yq, since it's a not valid percent-encoding. Or %%2F would emit %/. And we leave the error code the same. It looks like tonic will convert the error into Unknown and modify the strong to include the prefix of percent-decoding failing. The code in Go for this is here:
There was a problem hiding this comment.
The code in go that you linked to talks about grpc-message field. For this PR I am mostly concerned with "if we don't crash on invalid b64 for status details, what's the behavior that we'd like" .
It looks like tonic will convert the error into Unknown and modify the strong to include the prefix of percent-decoding failing.
Doesn't tonic simply return the utf error from decode with a new message?
There was a problem hiding this comment.
The code in go that you linked to talks about grpc-message field. For this PR I am mostly concerned with "if we don't crash on invalid b64 for status details, what's the behavior that we'd like" .
I get that, but this comment is on the part of the code where Tonic is changing the status code when the grpc-message header fails to parse. I believe that behavior is incorrect. It should keep the status code the same instead of converting it to UNKNOWN. I'll try to confirm with the other languages today.
sauravzg
force-pushed
the
sauravz/status-panic
branch
from
956a170 to
afeeea3
Compare
Instead of panicking with `.expect()` when base64 decoding of the `grpc-status-details-bin` header fails, fall back to setting the status code to `Unknown` and include the decoding error in the message. This is consistent with how Tonic handles failures to decode the `grpc-message` header. Added a unit test `details_invalid_base64` to verify this behavior.
sauravzg
force-pushed
the
sauravz/status-panic
branch
from
afeeea3 to
80d0094
Compare
| (Code::Unknown, error_message) | ||
| (Code::Unknown, error_message, Bytes::new()) | ||
| } | ||
| (Ok(_msg), Err(e)) => { |
There was a problem hiding this comment.
do we want to do anything with the message instead of throwing it away?
There was a problem hiding this comment.
So, that's probably a behavior we should define. Unfortunately, that's not consistently defined in grpc as one of the other comment discusses.
- This approach treats invalid status details as a header and returns a completely different error unrelated to the RPC error. (This might be similar to what gemini thinks c++ behavior is)
- The other approach would be to do something similar to go, where this is treated as a silent failure and we simply return original code and message.
I wouldn't want to change the error code but reuse the original error message.
There was a problem hiding this comment.
Ultimately I don't think we want to be doing anything with grpc-status-details-bin at this low of a level. That requires a protobuf dependency to parse it. The generated code should deal with this trailer somehow instead.
https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md#appendix-a---grpc-for-protobuf
(This clause only requires the use of a google.rpc.Status proto message in this header when you are using protobuf with gRPC. gRPC can transmit messages of any type.)
There was a problem hiding this comment.
I don't think there's a protobuf dep here in tonic, tonic simply returns the serialized bin.
There was a problem hiding this comment.
I don't think there's a protobuf dep here in tonic, tonic simply returns the serialized bin.
OK that's good.. So this is just a base64 decoding error on the grpc-status-details-bin header. I don't think we want to treat this any differently than decoding any other -bin header, ideally. In Go at least, any -bin header decoding error leads to Internal + "malformed header : ":
https://github.com/grpc/grpc-go/blob/609310837bbc7fab1553fa53f2d1312bd7d85275/internal/transport/http2_client.go#L1522-L1527
and
https://github.com/grpc/grpc-go/blob/609310837bbc7fab1553fa53f2d1312bd7d85275/internal/transport/http2_client.go#L1582-L1585
I guess in Tonic the other decoding happens only when the application accesses it from the metadata? But this one happens specially in the transport? If that's true there's probably not much more we can do here. I think the behavior for this header roughly matches Go's behavior (though we call it INTERNAL -- https://github.com/grpc/grpc/blob/master/doc/statuscodes.md doesn't specify -- "could not decompress" is INTERNAL, which seems closest?). But I don't think this exact status code is too important for now considering it isn't well defined. So I'd be fine with leaving it alone.
4 participants
Instead of panicking with
.expect()when base64 decoding of thegrpc-status-details-binheader fails, fall back to setting the status code toUnknownand include the decoding error in the message. This is consistent with how Tonic handles failures to decode thegrpc-messageheader.Added a unit test
details_invalid_base64to verify this behavior.** I am not entirely sure if this panic was an intentional choide or this change counts as a breaking change, but I'd assume that not panicking would be considered good behavior**