
Nice writeup, it's fair in the content presented to us.

Yet I'm wondering why there is no checking if the response does actually belong to the issued query.

The client issuing a query can pass a token and verify upon answer that this answer contains the token.

TBH as a user of the client I would kind of expect the library to have this feature built-in, and if I'm starting to use the library to solve a problem, handling this edge-case would be of a somewhat low priority to me if the library wouldn't implement it, probably because I'm lazy.

I hope that the fix they offered to Redis Labs does contain a solution to this problem and that everyone of us using this library will be able to profit from the effort put into resolving the issue.

It doesn't [0], so the burden is still on the developer using the library.

[0] https://github.com/redis/redis-py/commit/66a4d6b2a493dd3a20c...

---

Edit: Now I'm confused. This issue [1] was raised on March 17 and fixed on March 22; was this a regression? Or did OpenAI start using this library on March 19-20?

Interesting comment:

> drago-balto commented 3 hours ago

> Yep, that's the one, and the #2641 has not fixed it fully, as I already commented here: #2641 (comment)

> I am asking for this ticket to be re-opened, since I can still reproduce the problem in the latest 4.5.3. version

[1] https://github.com/redis/redis-py/issues/2624#issue-16293351...
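The request-token check described above, as an added example that is not part of the comment or of redis-py: each GET is preceded by an ECHO of a fresh nonce, and the first reply must be that nonce, otherwise the connection's reply stream is out of step with the commands just sent. The connection class is a constructed stand-in for a pooled client connection (the stale reply is pre-loaded to simulate a leftover from an abandoned request); the store contents are constructed sample data.

```python
import secrets
from collections import deque


class DesyncError(RuntimeError):
    """Raised when a reply does not belong to the command just issued."""


class FakeConnection:
    """Constructed stand-in for a pooled client connection (not redis-py code).
    Replies are queued in order; a stale reply left over from an earlier,
    abandoned request is simulated by pre-loading the queue."""

    def __init__(self, store, stale_replies=()):
        self.store = store
        self.replies = deque(stale_replies)

    def send(self, *args):
        cmd = args[0]
        if cmd == "ECHO":
            self.replies.append(args[1])
        elif cmd == "GET":
            self.replies.append(self.store.get(args[1]))
        else:
            raise ValueError(f"unsupported command in this simulation: {cmd}")

    def read(self):
        return self.replies.popleft()


def naive_get(conn, key):
    """Plain GET: whatever reply is next on the wire is returned as the answer."""
    conn.send("GET", key)
    return conn.read()


def checked_get(conn, key):
    """GET guarded by a per-request nonce: ECHO <nonce> goes first, and the
    first reply must be that nonce or the replies are out of step. On a
    mismatch the caller should discard the connection rather than reuse it."""
    nonce = secrets.token_hex(8)
    conn.send("ECHO", nonce)
    conn.send("GET", key)
    echoed = conn.read()
    value = conn.read()
    if echoed != nonce:
        raise DesyncError(f"reply stream out of step: expected {nonce!r}, got {echoed!r}")
    return value


if __name__ == "__main__":
    store = {"session:alice": "alice-data", "session:bob": "bob-data"}  # constructed
    # Stale reply left behind by an earlier, abandoned request for alice's key.
    print(naive_get(FakeConnection(store, ["alice-data"]), "session:bob"))  # wrong user's data, silently
    try:
        checked_get(FakeConnection(store, ["alice-data"]), "session:bob")
    except DesyncError as e:
        print("detected:", e)
```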

That sounds more like a hindsight thing. In most systems authorization doesn't happen at the storage layer. Most queries fetch data by an identifier which is only assumed to be valid based on authorization that typically happens at the edge and then everything below relies on that result.

It's not the safest design but I wouldn't say the client should be expected to implement it. That security concern is at the application layer and the actual needs of the implementation can be wildly different depending on the application. You can imagine use cases for redis where this isn't even relevant, like if it's being used to store price data for stocks that update every 30 seconds. There's no private data involved there. It's out of scope for a storage client to implement.
