mirrors/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-05-14 05:41:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
seaweedfs/weed/util/fullpath_test.go
Chris Lu da2e90aefd fix(mount): sanitize non-UTF-8 filenames; keep marshal errors per-request (#9207) 
* fix(mount): sanitize non-UTF-8 filenames; keep marshal errors per-request (#9139)

A single file with invalid-UTF-8 bytes in its name (e.g. a GNOME Trash
"partial" like \x10\x98=\\\x8a\x7f.trashinfo.9a51454f.partial) made every
FUSE-initiated filer RPC fail with:

  rpc error: code = Internal desc = grpc: error while marshaling:
  string field contains invalid UTF-8

and then produced an avalanche of "connection is closing" errors on
unrelated LookupEntry / ReadDirAll / UpdateEntry calls, causing the
volume-server QPS dips reported in #9139.

Root cause is twofold:

1. Proto3 `string` fields require valid UTF-8, but the FUSE kernel passes
   raw name bytes. Create/Mknod/Mkdir/Unlink/Rmdir/Rename/Lookup/Link/
   Symlink all forwarded those bytes directly into CreateEntryRequest.Name,
   DeleteEntryRequest.Name, StreamRenameEntryRequest.{Old,New}Name and
   Entry.Name. saveDataAsChunk also copied the FullPath into
   AssignVolumeRequest.Path unchecked.

2. When the marshal failed, shouldInvalidateConnection treated the
   resulting codes.Internal as a connection problem and dropped the
   shared cached ClientConn — canceling every other in-flight RPC on it.

Fix:

- Add sanitizeFuseName (strings.ToValidUTF8 with '?' replacement, matching
  util.FullPath.DirAndName) and make checkName return the sanitized name.
  Apply at every FUSE entry point that passes a name to the filer RPC,
  including Unlink/Rmdir (which did not previously call checkName) and
  both oldName/newName in Rename. Add a backstop scrub for
  AssignVolumeRequest.Path so async flush paths cannot reintroduce
  invalid bytes from a pre-sanitization cached FullPath.

- In weed/pb.shouldInvalidateConnection, detect client-side marshal
  errors via the gRPC library's "error while marshaling" prefix and
  return false: the connection is healthy, only the request is bad.

Refs: https://github.com/seaweedfs/seaweedfs/issues/9139#issuecomment-4301184231

* fix(mount,util): use '_' for invalid-UTF-8 replacement (URL-safe)

Sanitized filenames flow downstream into HTTP URLs (volume-server uploads,
filer HTTP API, S3/WebDAV gateways). '?' is the URL query-string
delimiter and would split the path the first time the name lands in one,
so swap every invalid-UTF-8 replacement to '_'. This covers the two
pre-existing sites in weed/util/fullpath.go as well, keeping all paths
sanitized the same way.

* refactor(pb): detect client-side marshal errors via errors.As, not substring

Replace the raw `strings.Contains(err.Error(), ...)` check with a
type-based carve-out: use errors.As against the `GRPCStatus() *Status`
interface to pull the original Status out of any fmt.Errorf("...: %w")
wrapping, then match the library-owned "grpc:" prefix on that Status's
Message.

Why not errors.Is against a proto-level sentinel: gRPC's encode()
collapses the inner proto error with "%v" (stringification) before
wrapping it in a Status, so the original error type does not survive
into the caller. The Status itself is the structural signal that does
survive.

Why not status.FromError: when the caller wraps the Status error with
fmt.Errorf("...: %w", ...), status.FromError rewrites Status.Message
with the full err.Error() of the outermost wrapper, which defeats a
prefix check on the library-owned message. errors.As gives us the
original Status whose Message is still verbatim from the gRPC library.

A new test asserts that a plain errors.New("grpc: error while marshaling: …")
— i.e. the same text attached to something that is NOT a gRPC status —
does not short-circuit invalidation, so we never silently keep a cached
connection alive based on a coincidental substring match.

* refactor(util): centralize UTF-8 sanitization; add FullPath.Sanitized

Addresses review feedback on PR #9207.

Nitpick: every invalid-UTF-8 replacement across the codebase (DirAndName,
Name, mount.sanitizeFuseName, the weedfs_write.go backstop) now goes
through a single util.SanitizeUTF8Name helper, so the replacement char
('_' — URL-safe) is chosen in one place.

Outside-diff: three proto fields took raw FullPath strings that could
break marshaling if an entry ever carried invalid UTF-8
(CreateEntryRequest.Directory in Mkdir, DeleteEntryRequest.Directory in
Unlink, AssignVolumeRequest.Path in command_fs_merge_volumes). The
reviewer's suggested fix — using DirAndName() — would have silently
changed Directory from parent to grandparent, because DirAndName
sanitizes only the trailing component. Added FullPath.Sanitized(), which
scrubs every component, and applied it at the three sites. Exposure is
narrow in practice (FUSE-boundary sanitization and the gRPC-side
isClientSideMarshalError carve-out already cover the #9139 cascade),
but the defense-in-depth is cheap and consistent with the existing
AssignVolume backstop.

New tests in weed/util/fullpath_test.go document:
- SanitizeUTF8Name: valid UTF-8 passes through unchanged; invalid bytes
  become '_' (not '?', which is URL-special).
- FullPath.Sanitized: scrubs bytes in any component, not just the last.
- FullPath.DirAndName: dir remains raw on purpose — callers needing a
  clean full path must use Sanitized(). The test pins this behavior so
  it is not accidentally "fixed" in a way that changes the (dir, name)
  semantics callers depend on.
2026-04-23 19:17:35 -07:00

85 lines
3.0 KiB
Go
Raw Permalink Blame History

package util
import (
"strings"
"testing"
"unicode/utf8"
)
// TestSanitizeUTF8Name_ValidPassThrough asserts the fast path returns the
// input unchanged (no allocation, no byte alteration).
func TestSanitizeUTF8Name_ValidPassThrough(t *testing.T) {
for _, s := range []string{
"",
"plain.txt",
"日本語.txt",
"🦑 squid",
} {
if got := SanitizeUTF8Name(s); got != s {
t.Fatalf("SanitizeUTF8Name(%q) = %q, want unchanged", s, got)
}
}
}
// TestSanitizeUTF8Name_InvalidBytes asserts invalid bytes are replaced with a
// single '_' (URL-safe, single-byte) and the output is valid UTF-8. The
// replacement char is load-bearing — downstream code places these strings in
// HTTP URLs, where '?' would be parsed as the query delimiter.
func TestSanitizeUTF8Name_InvalidBytes(t *testing.T) {
out := SanitizeUTF8Name("foo\x80bar")
if !utf8.ValidString(out) {
t.Fatalf("result is not valid UTF-8: %q", out)
}
if out != "foo_bar" {
t.Fatalf("SanitizeUTF8Name = %q, want %q", out, "foo_bar")
}
if strings.ContainsRune(out, '?') {
t.Fatalf("replacement must be URL-safe, got %q", out)
}
}
// TestFullPathSanitized_WholePath ensures Sanitized() scrubs invalid bytes in
// every component, not just the last — that's the difference from Name() and
// the reason call sites that need to pass a full path to a proto field must
// use Sanitized(), not (dir, _) := DirAndName().
func TestFullPathSanitized_WholePath(t *testing.T) {
// Invalid byte sits in the middle component.
fp := FullPath("/home/bad\x80dir/file.txt")
got := fp.Sanitized()
want := "/home/bad_dir/file.txt"
if got != want {
t.Fatalf("Sanitized() = %q, want %q", got, want)
}
// Bytes in every component — all get replaced, structure preserved.
fp = FullPath("/a\xffb/c\xffd/e\xfff")
got = fp.Sanitized()
want = "/a_b/c_d/e_f"
if got != want {
t.Fatalf("Sanitized() = %q, want %q", got, want)
}
if !utf8.ValidString(got) {
t.Fatalf("Sanitized() returned non-UTF-8: %q", got)
}
}
// TestFullPathDirAndName_OnlyNameSanitized documents a (deliberate) sharp
// edge: DirAndName() sanitizes only the trailing name, not dir. Callers who
// need a sanitized full path must use Sanitized(); using dir from DirAndName
// will still carry invalid bytes in parent components. This test pins the
// existing behavior so it is not accidentally "fixed" in a way that changes
// the (dir, name) semantics that everything else depends on.
func TestFullPathDirAndName_OnlyNameSanitized(t *testing.T) {
fp := FullPath("/home/bad\x80dir/child\xffname")
dir, name := fp.DirAndName()
if !utf8.ValidString(name) {
t.Fatalf("name must be sanitized: %q", name)
}
// dir still contains the invalid byte — this is by design, because dir is
// used positionally (e.g. as a parent key) and changing its bytes would
// change identity. Sanitized() is the method to use for proto fields.
if utf8.ValidString(dir) {
t.Fatalf("regression: dir should remain raw (%q); callers needing a clean path must use Sanitized()", dir)
}
}
Reference in New Issue View Git Blame Copy Permalink