The existing behavior you describe is correct. The spec (https://developers.google.com/protocol-buffers/docs/encoding#optional) says "For numeric types and strings, if the same field appears multiple times, the parser accepts the *last* value it sees. For embedded message fields, the parser merges multiple instances of the same field, as if with the Message::MergeFrom method – that is, all singular scalar fields in the latter instance replace those in the former, singular embedded messages are merged, and repeated fields are concatenated." A parser that uses the first value instead is behaving in violation of the specification.
On Wed, Sep 9, 2020 at 3:58 AM Gal Goldshtein <[email protected]> wrote:
> I sent the following email message to [email protected]
> about a month ago and received no response so trying my luck here:
>
> Hi,
>
> We wanted to report that gRPC's current behavior may lead to an attack
> similar to "parameter pollution".
>
> When sending a request to a gRPC endpoint and repeating the same field
> index with the same wire type but different values, the gRPC implementation
> will pass to the application endpoint only the last occurrence.
>
> This behavior may lead to a situation in which proxies or WAFs which try
> to make decisions according to the field value may be fooled if their
> protobuf parser processes the first occurrence of the field instead of
> the last one.
>
> In our view the expected behavior should be denying protobuf messages
> containing repeated instances of the same field when the field was not
> explicitly set with the "repeated" keyword in the proto file.
>
> Attaching the proto file we used and the message we sent.
>
> Thanks,
> Gal
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/5765a926-cad8-45df-92eb-84a54ef9b7e1n%40googlegroups.com

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CAPK2-4fncjAHZ8Y%3D3K%3DQOXqQaj3z7z0g3Eg%3DhuwynTOzE94i4w%40mail.gmail.com.
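As an added example (not code from the gRPC or protobuf projects, and not part of the thread above), the following minimal Python decoder of the protobuf wire format shows the three behaviours under discussion side by side: the spec's last-value-wins rule for scalars together with MergeFrom-style merging for embedded messages, the non-compliant first-value-wins behaviour of a naive proxy or WAF parser, and the strict reject-duplicates policy the report proposes. Only varint (wire type 0) and length-delimited (wire type 2) fields are handled; the schema format, field names and the polluted sample message are constructed for this illustration.

```python
"""Minimal protobuf wire-format decoder with selectable duplicate-field policy.

Added example, not gRPC/protobuf project code. Handles wire types 0 (varint)
and 2 (length-delimited) only. The schema format is this example's own:
field number -> (name, kind, repeated, sub_schema), kind in int/string/message.
"""


def encode_varint(value):
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf, pos):
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def field(number, wire_type, payload):
    """Encode one field: payload is an int for wire type 0, bytes for wire type 2."""
    tag = encode_varint((number << 3) | wire_type)
    if wire_type == 0:
        return tag + encode_varint(payload)
    if wire_type == 2:
        return tag + encode_varint(len(payload)) + payload
    raise ValueError("unsupported wire type")


def decode(buf, schema, policy="last", into=None):
    """Decode buf against schema.

    policy "last":   spec behaviour (last scalar wins, embedded messages merge).
    policy "first":  non-compliant first-occurrence-wins, as a naive WAF might do.
    policy "strict": reject any duplicate of a field not declared repeated.
    """
    msg = {} if into is None else into
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x7
        if wire_type == 0:
            value, pos = decode_varint(buf, pos)
        elif wire_type == 2:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = bytes(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        spec = schema.get(number)
        if spec is None:
            continue  # unknown field: skipped here (real parsers retain it)
        name, kind, repeated, sub = spec
        if kind == "string":
            value = value.decode("utf-8")
        if repeated:
            if kind == "message":
                value = decode(value, sub, policy)
            msg.setdefault(name, []).append(value)  # repeated fields concatenate
            continue
        if name in msg and policy == "strict":
            raise ValueError(f"duplicate singular field {name} (#{number})")
        if name in msg and policy == "first":
            continue  # keep the first occurrence, ignore the rest
        if kind == "message":
            # Embedded message: merge into the existing instance (MergeFrom).
            msg[name] = decode(value, sub, policy, into=msg.get(name))
        else:
            msg[name] = value  # singular scalar: latest value replaces earlier
    return msg


# Constructed schema and attacker-style message (hypothetical names/layout).
PAYMENT = {1: ("amount", "int", False, None),
           2: ("note", "string", False, None),
           3: ("tags", "string", True, None)}
REQUEST = {1: ("user_id", "int", False, None),
           2: ("role", "string", False, None),
           3: ("payment", "message", False, PAYMENT)}

POLLUTED = (
    field(1, 0, 42)
    + field(2, 2, b"guest")  # what a first-wins proxy decides on
    + field(2, 2, b"admin")  # what a spec-compliant server acts on
    + field(3, 2, field(1, 0, 10) + field(2, 2, b"ok") + field(3, 2, b"a"))
    + field(3, 2, field(1, 0, 9999) + field(3, 2, b"b"))
)


def accepted_by_strict_parser(buf, schema):
    """True if buf contains no duplicate singular field."""
    try:
        decode(buf, schema, "strict")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("server sees :", decode(POLLUTED, REQUEST, "last"))
    print("naive WAF   :", decode(POLLUTED, REQUEST, "first"))
    print("strict ok?  :", accepted_by_strict_parser(POLLUTED, REQUEST))
```

The server-side decode yields role "admin" and amount 9999 with tags ["a", "b"], while the first-wins parser sees role "guest" and amount 10; a proxy enforcing policy on the first occurrence would therefore approve a request the backend interprets differently. The strict policy refuses the message outright, which is the behaviour the report argues for; note that it also rejects a second instance of a singular embedded message, which the spec would otherwise merge.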
