redisの接続先を環境変数経由で渡すとエラー？ #2

PharaohKJ · 2014-12-23T20:03:21Z

redisとtDiaryを別サーバで運用しようとしています。(もっと具体的にはdockerを使ってみています)

tDiaryの本プラグインからの接続先をREDIS_URL環境変数で渡すとエラーになる？のでしょうか。

予想ですが、これは、環境変数を用いているために危険だという、エラーということでしょうか。

回避方法などあれば教えて下さい。もしくは、引数にtdiary.confでserverとポートを書き、それを本プラグインから読むように拡張するしかないでしょうか？

環境変数は以下です。この環境変数を用いたのは https://github.com/redis/redis-rb#getting-started を参照ました。

REDIS_URL=redis://172.17.0.12:6379

tDiaryにアクセスすると表示されるエラーです。

Plugin Error

Errors in plugins? Retry to Update or Configure.

SecurityError
Insecure operation - getaddrinfo
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/connection/ruby.rb:152:in `getaddrinfo'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/connection/ruby.rb:152:in `connect'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/connection/ruby.rb:211:in `connect'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:316:in `establish_connection'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:91:in `block in connect'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:273:in `with_reconnect'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:90:in `connect'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:337:in `ensure_connected'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:204:in `block in process'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:286:in `logging'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:203:in `process'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis/client.rb:109:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis.rb:784:in `block in get'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis.rb:37:in `block in synchronize'
/usr/local/lib/ruby/2.1.0/monitor.rb:211:in `mon_synchronize'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis.rb:37:in `synchronize'
/usr/local/lib/ruby/gems/2.1.0/gems/redis-3.2.0/lib/redis.rb:783:in `get'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-cache-redis-0.0.2/lib/tdiary/cache/redis.rb:54:in `restore_parser_cache'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/io/default.rb:180:in `transaction'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/view.rb:259:in `initialize'
(plugin/recent_list.rb):38:in `new'
(plugin/recent_list.rb):38:in `block (3 levels) in recent_list'
(plugin/recent_list.rb):36:in `reverse_each'
(plugin/recent_list.rb):36:in `block (2 levels) in recent_list'
(plugin/recent_list.rb):35:in `reverse_each'
(plugin/recent_list.rb):35:in `block in recent_list'
(plugin/recent_list.rb):34:in `catch'
(plugin/recent_list.rb):34:in `recent_list'
(TDiary::Plugin#eval_src):220:in `block in eval_src'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/plugin.rb:107:in `eval'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/plugin.rb:107:in `block in eval_src'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/core_ext.rb:121:in `block in safe'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/core_ext.rb:123:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/core_ext.rb:123:in `safe'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/plugin.rb:106:in `eval_src'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/base.rb:66:in `do_eval_rhtml'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/base.rb:30:in `eval_rhtml'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/dispatcher/index_main.rb:43:in `run'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/dispatcher/index_main.rb:6:in `run'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/dispatcher.rb:26:in `dispatch_cgi'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/dispatcher.rb:21:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/rack/valid_request_path.rb:17:in `block in call'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/rack/valid_request_path.rb:16:in `each'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/rack/valid_request_path.rb:16:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/rack/static.rb:15:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/rack/html_anchor.rb:20:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/tdiary-4.1.0.20141126/lib/tdiary/application.rb:40:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/reloader.rb:44:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/lint.rb:49:in `_call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/lint.rb:37:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/showexceptions.rb:24:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/chunked.rb:43:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/rack-1.5.2/lib/rack/content_length.rb:14:in `call'
/usr/local/lib/ruby/gems/2.1.0/gems/unicorn-4.8.3/lib/unicorn/http_server.rb:576:in `process_client'
/usr/local/lib/ruby/gems/2.1.0/gems/unicorn-4.8.3/lib/unicorn/http_server.rb:670:in `worker_loop'
/usr/local/lib/ruby/gems/2.1.0/gems/unicorn-4.8.3/lib/unicorn/http_server.rb:525:in `spawn_missing_workers'
/usr/local/lib/ruby/gems/2.1.0/gems/unicorn-4.8.3/lib/unicorn/http_server.rb:140:in `start'
/usr/local/lib/ruby/gems/2.1.0/gems/unicorn-4.8.3/bin/unicorn:126:in `<top (required)>'
/usr/local/bin/unicorn:23:in `load'
/usr/local/bin/unicorn:23:in `<main>'

The text was updated successfully, but these errors were encountered:

hsbt · 2014-12-24T00:55:07Z

報告ありがとうございます。SecurityError と表示されているので、ENV['REDIS_URL'] が $SAFE > 0 な状態で tainted になっているようです。回避手段はあるので調べてみます。

minimum2scp · 2015-09-12T14:50:26Z

私も最近同じ例外が起きて調べました。

私の場合はデータを tdiary-io-rdb を使って MySQL に入れて、tdiary 本体は複数のコンテナで動かして
負荷分散させる構成にしたところ日記を更新したら当然のようにキャッシュは片方しか更新されなくて、
リロードのたびに最新の日記が表示されたりされなかったり…という現象が起きて、そうかここで
tdiary-cache-redis 使うんだな、と試してみたところ、同じ例外となりました。

tdiary-cache-redis なしでも環境変数 REDIS_URL をセットして $SAFE=1 で Redis.new.keys
すれば例外を起こせましたので、まずはそれをはっておきます。

debian@bcd98a007ca2% export REDIS_URL='redis://172.17.0.2:6379'
debian@bcd98a007ca2% mkdir redis-with-redis-url && cd redis-with-redis-url
debian@bcd98a007ca2% bundle init
debian@bcd98a007ca2% echo "gem 'redis'" >> Gemfile
debian@bcd98a007ca2% bundle install --quiet
debian@bcd98a007ca2% ruby -rbundler/setup -rredis -ve '$SAFE=1; p r=Redis.new; p r.keys'
ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]
#<Redis client v3.2.1 for redis://172.17.0.2:6379/0>
/home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/connection/ruby.rb:152:in `getaddrinfo': Insecure operation - getaddrinfo (SecurityError)
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/connection/ruby.rb:152:in `connect'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/connection/ruby.rb:211:in `connect'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:322:in `establish_connection'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:94:in `block in connect'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:279:in `with_reconnect'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:93:in `connect'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:350:in `ensure_connected'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:207:in `block in process'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:292:in `logging'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:206:in `process'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis/client.rb:112:in `call'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis.rb:441:in `block in keys'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis.rb:37:in `block in synchronize'
    from /opt/rbenv/versions/2.2.3/lib/ruby/2.2.0/monitor.rb:211:in `mon_synchronize'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis.rb:37:in `synchronize'
    from /home/debian/redis-with-redis-url/vendor/bundle/ruby/2.2.0/gems/redis-3.2.1/lib/redis.rb:440:in `keys'
    from -e:1:in `<main>'

環境変数を untaint する、という方法は、単純にやってもだめでした。
（ENV["REDIS_URL"] を dup して untaint して代入しなおしても、ENV["REDIS_URL"] で再度参照すると tainted になるのですね…）

debian@bcd98a007ca2% ruby -rbundler/setup -rredis -e 'ENV["REDIS_URL"].tainted?; a=ENV["REDIS_URL"].untaint'
-e:1:in `untaint': can't modify frozen String (RuntimeError)
    from -e:1:in `<main>'
debian@bcd98a007ca2% ruby -rbundler/setup -rredis -e 'a=ENV["REDIS_URL"].dup.untaint; p [a, a.tainted?]; ENV["REDIS_URL"]=a; b=ENV["REDIS_URL"]; p [b, b.tainted?]'
["redis://172.17.0.2:6379", false]
["redis://172.17.0.2:6379", true]

tdiary.conf で Redis.new の引数を書けるようにして、環境変数 REDIS_URL は使わない方がいいのかなあと思いましたが、
ふと hiredis gem を使ってみたところ、接続できました。

debian@bcd98a007ca2% echo "gem 'hiredis'" >> Gemfile
debian@bcd98a007ca2% bundle install --quiet
debian@bcd98a007ca2% ruby -rbundler/setup -rredis -rredis/connection/hiredis -e '$SAFE=1; p r=Redis.new; p r.keys'
#<Redis client v3.2.1 for redis://172.17.0.2:6379/0>
["test"]

ということで、 tdiary-cache-redis は Redis.new の引数を tdiary.conf から読めるようにするか、
もしくは tdiary-cache-redis の依存 gem に hiredis を追加して require "redis/connection/hiredis" を追加する、
あるいは tdiary-core の Gemfile.local で

gem "hiredis"
gem "redis", require: ["redis", "redis/connection/hiredis"]
gem "tdiary-cache-redis"

と書いてしまう、という手もありますね。
（Gemfile.localで対応しちゃう場合は tdiary-core も tdiary-cache-redis も修正不要です…がなんというバッドノウハウ）

`Security Error Insecure operation - getaddrinfo` happens when `Redis.new` using `REDIS_URL` within `$SAFE=1` see also: tdiary/tdiary-cache-redis#2

minimum2scp added a commit to minimum2scp/dockerfiles that referenced this issue Sep 12, 2015

load hiredis to avoid security error

b0cb780

`Security Error Insecure operation - getaddrinfo` happens when `Redis.new` using `REDIS_URL` within `$SAFE=1` see also: tdiary/tdiary-cache-redis#2

minimum2scp added a commit to minimum2scp/magellan-tdiary that referenced this issue Mar 22, 2016

load hiredis to avoid security error

8558a44

`Security Error Insecure operation - getaddrinfo` happens when `Redis.new` using `REDIS_URL` within `$SAFE=1` see also: tdiary/tdiary-cache-redis#2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

redisの接続先を環境変数経由で渡すとエラー？ #2

redisの接続先を環境変数経由で渡すとエラー？ #2

PharaohKJ commented Dec 23, 2014

hsbt commented Dec 24, 2014

minimum2scp commented Sep 12, 2015

redisの接続先を環境変数経由で渡すとエラー？ #2

redisの接続先を環境変数経由で渡すとエラー？ #2

Comments

PharaohKJ commented Dec 23, 2014

hsbt commented Dec 24, 2014

minimum2scp commented Sep 12, 2015