Add encoding to file lock names#40330
Conversation
- Encoded lock names using rawurlencode to prevent OS errors during file creation
|
Hi @tony-montemuro. Thank you for your contribution!
Allowed build names are:
You can find more information about the builds here For more details, review the Code Contributions documentation. |
|
The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com. |
|
@magento run all tests |
|
@magento create issue |
|
The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com. |
|
@magento run all tests |
|
Your request makes sense. However, using So either we should go with a simple Just my 2 cents, looking forward to hearing from other their thoughts on this? |
|
@hostep Thank you for looking at this request. I agree that the URL encode / decode functions are not ideal for this situation. And your alternative suggestions are great; I was hoping that I would get some like this. When I first made this request, I was under the impression that the filename transformation had to be reversible, but after considering your suggestions, it seems that with a very minor refactor, this property is unnecessary. It is unfortunate that these suggestions lack a one-to-one mapping, meaning that you will occasionally have a false lock (two resources mapping to the same file), but I suppose this is preferable to certain locks failing to be acquired 100% of the time (and in practice, I imagine these collisions would be rare). My personal preference would be to break Magento\Framework\File\Uploader::getCorrectFileName out of the It would be great to get a third opinion on this issue. |
|
@magento run all tests |
|
@engcom-Hotel: before you start running tests, we should first figure out the best way forward, see the discussions above, only after we've got a good conclusion, we can implement it and only then tests should be ran in my opinion. |
|
I think it would be best to put this on hold for now while we figure out the most suitable solution. |
Description (*)
This pull request was created to address for Magento instances using the
filelock provider. If a lock name contains characters that are forbidden for file names (e.g.,/on Unix-like systems), the operating system will fail to create the lock file, leading to aFileSystemExceptionbeing thrown.There are instances where the system attempts to acquire a lock using a string that can contain these forbidden characters. An example includes:
app/code/Magento/Catalog/Plugin/ProductRepositorySaveOperationSynchronizer.php::aroundSave(). This plugin wraps calls to product saves in aProductMutex, which is implemented using a lock, and the name of that lock is determined by the product SKU. The product SKU attribute has no restriction that makes the/character forbidden.To address this limitation, I have introduced file lock name encoding. I chose
rawurlencode()for a few reasons:It is an injective algorithm, so naming collisions are impossible.
It is human readable, so users that wish to monitor the lock directory have a relatively unchanged experience.
Easy to decode using
rawurldecode().Encodes forbidden characters on Unix-like operating systems, as well as Windows.
/<>:"/\|?*%is valid for both types of systems.Implementation details
rawurlencode()withinMagento\Framework\Lock\Backend\FileLock::getLockPath().lock(),unlock(), andisLocked()methods because they all utilize the updatedgetLockPath()method.cleanupOldLocks()method was also updated to userawurldecode()before checking lock status, preventing issues where double-encoded paths would prevent detection of active locks or deletion of encoded lock files.Manual testing scenarios (*)
productsendpoint. In the request body, ensure that a/is present in theskuattribute:400.200(success).Questions or comments
I acknowledge that
rawurlencode()might not be the optimal encoding mechanism in this scenario. I would argue it is good for this scenario, but I do not claim to be an expert on methods of encoding text. If anyone has a better idea, or concerns with this encoding method, please feel free to let me know!Per the Adobe Commerce documentation, Windows is not supported, but I am not 100% sure if this applies to new versions of Magento Open Source as well. If Windows is not supported, I could potentially devise a more simple encoding scheme that just handles
/. For extra clarification, I did all development & testing on Linux.I am a bit concerned with how backwards compatible this change might be. If the deployment occurs while a long-lasting lock is active, the new code will miss the existing lock if it's encoded name is different from it's current name.
Finally, this is my first contribution to Magento Open Source. I did my best to follow the contribution guidelines, but it's very possible I did something wrong. Please let me know so I can do better next time.
Contribution checklist (*)
Resolved issues: