Thanks, somehow I missed it.

On Wed, Sep 9, 2020, 9:50 PM Michael Lumish <[email protected]> wrote:

> The existing behavior you describe is correct. The spec
> (https://developers.google.com/protocol-buffers/docs/encoding#optional)
> says "For numeric types and strings, if the same field appears multiple
> times, the parser accepts the *last* value it sees. For embedded message
> fields, the parser merges multiple instances of the same field, as if with
> the Message::MergeFrom method – that is, all singular scalar fields in the
> latter instance replace those in the former, singular embedded messages are
> merged, and repeated fields are concatenated." A parser that uses the first
> value instead is behaving in violation of the specification.
>
> On Wed, Sep 9, 2020 at 3:58 AM Gal Goldshtein <[email protected]> wrote:
>
>> I sent the following email message to [email protected]
>> about a month ago and received no response so trying my luck here:
>>
>> Hi,
>>
>> We wanted to report that gRPC's current behavior may lead to an attack
>> similar to “parameter pollution”.
>>
>> When sending a request to a gRPC endpoint and repeating the same field
>> index with the same wire type but different values, the gRPC implementation
>> will pass to the application endpoint only the last occurrence.
>>
>> This behavior may lead to a situation in which proxies or WAFs which
>> try to make decisions according to the field value may be fooled if their
>> protobuf parser processes the first occurrence of the field instead of
>> the last one.
>>
>> In our view the expected behavior should be denying protobuf messages
>> containing repeated instances of the same field when the field was not
>> explicitly set with the “repeated” keyword in the proto file.
>>
>> Attaching the proto file we used and the message we sent.
>>
>> Thanks,
>>
>> Gal
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "grpc.io" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/grpc-io/5765a926-cad8-45df-92eb-84a54ef9b7e1n%40googlegroups.com
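The disagreement in the thread is easiest to see on the wire. The following is an added example, not code from the thread, from gRPC or from the protobuf project: it hand-rolls the two wire types involved (varint and length-delimited) so it runs without the protobuf library, builds a message in which a singular field occurs twice, and decodes it three ways: the spec's last-value-wins merge, a non-conformant first-value parser of the kind a proxy or WAF might use, and the strict decoder the report proposes, which rejects a duplicate of any field not declared `repeated`. The `Transfer` schema (fields `account` and `amount`) and the constructed message bytes are assumptions made for the illustration, not the .proto file attached to the original report.

```python
"""Protobuf wire-format decoding with duplicate singular fields.

Hypothetical schema (constructed for this example):
    message Transfer {
      string account = 1;   // singular, length-delimited
      int64  amount  = 2;   // singular, varint
    }
"""
from typing import Dict, List, Tuple

WIRE_VARINT = 0
WIRE_LEN = 2

# field number -> (name, is_repeated); assumption: nothing is declared 'repeated'
SCHEMA = {1: ("account", False), 2: ("amount", False)}


def encode_varint(value: int) -> bytes:
    """Base-128 varint, least-significant group first, MSB set on continuation."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos); rejects truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos
        if shift > 63:
            raise ValueError("varint too long")


def field(number: int, wire_type: int, payload: bytes) -> bytes:
    """Serialise one field: tag varint (number << 3 | wire_type) then payload."""
    return encode_varint((number << 3) | wire_type) + payload


def parse_fields(buf: bytes) -> List[Tuple[int, int, object]]:
    """Walk the buffer and return every (field_number, wire_type, value) in order."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 0x7
        if wire_type == WIRE_VARINT:
            value, pos = decode_varint(buf, pos)
        elif wire_type == WIRE_LEN:
            length, pos = decode_varint(buf, pos)
            value = buf[pos:pos + length]
            if len(value) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields


def decode_last_wins(buf: bytes) -> Dict[str, object]:
    """Spec-conformant: a singular field seen twice takes the LAST value."""
    out: Dict[str, object] = {}
    for number, _, value in parse_fields(buf):
        out[SCHEMA[number][0]] = value
    return out


def decode_first_wins(buf: bytes) -> Dict[str, object]:
    """Non-conformant parser: keeps the FIRST value (what a naive proxy might see)."""
    out: Dict[str, object] = {}
    for number, _, value in parse_fields(buf):
        out.setdefault(SCHEMA[number][0], value)
    return out


def decode_strict(buf: bytes) -> Dict[str, object]:
    """Proposed hardening: reject any message where a non-repeated field occurs twice."""
    out: Dict[str, object] = {}
    for number, _, value in parse_fields(buf):
        name, is_repeated = SCHEMA[number]
        if not is_repeated and name in out:
            raise ValueError(f"duplicate singular field '{name}' (#{number})")
        out[name] = value
    return out


def is_polluted(buf: bytes) -> bool:
    """True when the strict decoder would refuse the message."""
    try:
        decode_strict(buf)
    except ValueError:
        return True
    return False


# Constructed messages: CLEAN sets each field once; POLLUTED repeats field 2.
CLEAN = field(1, WIRE_LEN, encode_varint(5) + b"alice") + field(2, WIRE_VARINT, encode_varint(10))
POLLUTED = CLEAN + field(2, WIRE_VARINT, encode_varint(1000000))

if __name__ == "__main__":
    print("last-wins :", decode_last_wins(POLLUTED))
    print("first-wins:", decode_first_wins(POLLUTED))
    print("strict rejects polluted message:", is_polluted(POLLUTED))
```

The two lenient decoders agree on `CLEAN` and disagree on `POLLUTED` (`amount` is 10 for the first-value parser and 1000000 for the spec-conformant one), which is exactly the gap between a filtering proxy and the gRPC endpoint behind it. The strict decoder closes that gap by refusing the message altogether; a proxy that cannot change the endpoint's merge semantics can at least apply this check itself and log or drop messages that trip it.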
