Merge pull request #16287 from rabbitmq/mergify/bp/v4.2.x/pr-16286

michaelklishin · web-flow · commit d16dda101104 · 2026-05-02T02:24:52.000-07:00
By @lukebakken: Fix three stream argument validation bugs (backport #16285) (backport #16286)
diff --git a/deps/rabbit/Makefile b/deps/rabbit/Makefile
@@ -252,7 +252,7 @@ define ct_master.erl
 	halt(0)
 endef
 
-PARALLEL_CT_SET_1_A = unit_rabbit_ssl unit_cluster_formation_locking_mocks unit_cluster_formation_sort_nodes unit_collections unit_config_value_encryption unit_connection_tracking
+PARALLEL_CT_SET_1_A = unit_rabbit_ssl unit_cluster_formation_locking_mocks unit_cluster_formation_sort_nodes unit_collections unit_config_value_encryption unit_connection_tracking unit_stream_arg_validation
 PARALLEL_CT_SET_1_B = amqp_address amqp_auth amqp_credit_api_v2 amqp_filter_prop amqp_filter_sql amqp_filter_sql_unit amqp_dotnet amqp_jms signal_handling single_active_consumer unit_access_control_authn_authz_context_propagation unit_access_control_credential_validation unit_amqp091_content_framing unit_amqp091_server_properties unit_app_management
 PARALLEL_CT_SET_1_C = amqp_proxy_protocol amqpl_consumer_ack bindings rabbit_db_maintenance rabbit_db_msup rabbit_db_policy rabbit_db_queue rabbit_db_topic_exchange cluster_limit cluster_minority default_queue_type_prop passive_declare_permission term_to_binary_compat_prop topic_permission unicode unit_access_control user_tags_count_limit
 PARALLEL_CT_SET_1_D = amqqueue_backward_compatibility channel_interceptor channel_operation_timeout classic_queue_prop config_schema peer_discovery_dns peer_discovery_tmp_hidden_node per_node_limit per_user_connection_channel_limit
@@ -272,7 +272,7 @@ PARALLEL_CT_SET_4_B = per_user_connection_tracking per_vhost_connection_limit ra
 PARALLEL_CT_SET_4_C = msg_size_metrics unit_msg_size_metrics per_vhost_msg_store per_vhost_queue_limit priority_queue upgrade_preparation vhost
 PARALLEL_CT_SET_4_D = per_user_connection_channel_tracking product_info queue_type rabbitmq_queues_cli_integration rabbitmq_streams_cli_integration rabbitmqctl_integration rabbitmqctl_shutdown routing rabbit_amqqueue
 
-PARALLEL_CT_SET_5_A = consumer_recheck_prop rabbit_direct_reply_to_prop direct_reply_to_amqpl direct_reply_to_amqp classic_queue
+PARALLEL_CT_SET_5_A = consumer_recheck_prop rabbit_direct_reply_to_prop prop_stream_arg_validation direct_reply_to_amqpl direct_reply_to_amqp classic_queue
 PARALLEL_CT_SET_5_B = feature_flags_v2 backing_queue transactions
 PARALLEL_CT_SET_5_C = metadata_store_migration cluster_upgrade maintenance_mode
 PARALLEL_CT_SET_5_D = rabbit_fifo_dlx_integration publisher_confirms_parallel
diff --git a/deps/rabbit/src/rabbit_amqqueue.erl b/deps/rabbit/src/rabbit_amqqueue.erl
@@ -1062,14 +1062,13 @@ check_max_age_arg({Type,    _}, _Args) ->
     {error, {unacceptable_type, Type}}.
 
 check_max_age(MaxAge) ->
-    case re:run(MaxAge, "(^[0-9]*)(.*)", [{capture, all_but_first, list}]) of
+    case re:run(MaxAge, "(^[0-9]+)(.*)", [{capture, all_but_first, list}]) of
         {match, [Value, Unit]} ->
             case list_to_integer(Value) of
                 I when I > 0 ->
                     case lists:member(Unit, ["Y", "M", "D", "h", "m", "s"]) of
                         true ->
-                            Int = list_to_integer(Value),
-                            Int * unit_value_in_ms(Unit);
+                            I * unit_value_in_ms(Unit);
                         false ->
                             {error, invalid_max_age}
                     end;
diff --git a/deps/rabbit/src/rabbit_stream_queue.erl b/deps/rabbit/src/rabbit_stream_queue.erl
@@ -178,9 +178,14 @@ check_filter_size(Q) ->
     case rabbit_misc:table_lookup(Args, <<"x-stream-filter-size-bytes">>) of
         undefined ->
             ok;
+        {Type, _Val} when Type =/= long, Type =/= short, Type =/= signedint,
+                           Type =/= unsignedint, Type =/= unsignedbyte,
+                           Type =/= unsignedshort, Type =/= byte ->
+            {protocol_error, precondition_failed,
+             "Invalid type for x-stream-filter-size-bytes", []};
         {_Type, Val} when Val > 255 orelse Val < 16 ->
             {protocol_error, precondition_failed,
-             "Invalid value for  x-stream-filter-size-bytes", []};
+             "Invalid value for x-stream-filter-size-bytes", []};
         _ ->
             ok
     end.
@@ -1454,6 +1459,7 @@ capabilities() ->
                                <<"dead-letter-strategy">>, <<"target-group-size">>],
       queue_arguments => [<<"x-max-length-bytes">>, <<"x-queue-type">>,
                           <<"x-max-age">>, <<"x-stream-max-segment-size-bytes">>,
+                          <<"x-stream-filter-size-bytes">>,
                           <<"x-initial-cluster-size">>, <<"x-queue-leader-locator">>],
       consumer_arguments => [<<"x-stream-offset">>,
                              <<"x-stream-filter">>,
diff --git a/deps/rabbit/test/prop_stream_arg_validation_SUITE.erl b/deps/rabbit/test/prop_stream_arg_validation_SUITE.erl
@@ -0,0 +1,82 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2026 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+
+-module(prop_stream_arg_validation_SUITE).
+
+-compile(nowarn_export_all).
+-compile(export_all).
+
+-include_lib("proper/include/proper.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-define(ITERATIONS, 1000).
+
+all() ->
+    [
+     prop_valid_max_age,
+     prop_invalid_max_age_no_leading_digits,
+     prop_invalid_max_age_invalid_unit
+    ].
+
+%% -------------------------------------------------------------------
+%% Suite setup/teardown.
+%% -------------------------------------------------------------------
+
+init_per_suite(Config) ->
+    rabbit_ct_helpers:log_environment(),
+    rabbit_ct_helpers:run_setup_steps(Config).
+
+end_per_suite(Config) ->
+    rabbit_ct_helpers:run_teardown_steps(Config).
+
+init_per_testcase(Testcase, Config) ->
+    rabbit_ct_helpers:testcase_started(Config, Testcase).
+
+end_per_testcase(Testcase, Config) ->
+    rabbit_ct_helpers:testcase_finished(Config, Testcase).
+
+%% -------------------------------------------------------------------
+%% Properties: rabbit_amqqueue:check_max_age/1.
+%% Pure function; no broker required.
+%% -------------------------------------------------------------------
+
+prop_valid_max_age(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(fun prop_valid_max_age_body/0, [], ?ITERATIONS).
+
+prop_valid_max_age_body() ->
+    ValidUnits = ["Y", "M", "D", "h", "m", "s"],
+    ?FORALL({N, Unit}, {pos_integer(), elements(ValidUnits)},
+        begin
+            MaxAge = list_to_binary(integer_to_list(N) ++ Unit),
+            Result = rabbit_amqqueue:check_max_age(MaxAge),
+            is_integer(Result) andalso Result > 0
+        end).
+
+prop_invalid_max_age_no_leading_digits(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(
+      fun prop_invalid_max_age_no_leading_digits_body/0, [], ?ITERATIONS).
+
+prop_invalid_max_age_no_leading_digits_body() ->
+    %% ASCII digits occupy 48..57; any other first byte means no leading digits.
+    NonDigitByte = ?SUCHTHAT(C, byte(), C < $0 orelse C > $9),
+    ?FORALL({First, Rest}, {NonDigitByte, binary()},
+        begin
+            MaxAge = <<First, Rest/binary>>,
+            {error, invalid_max_age} =:= rabbit_amqqueue:check_max_age(MaxAge)
+        end).
+
+prop_invalid_max_age_invalid_unit(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(
+      fun prop_invalid_max_age_invalid_unit_body/0, [], ?ITERATIONS).
+
+prop_invalid_max_age_invalid_unit_body() ->
+    ValidUnits = ["Y", "M", "D", "h", "m", "s"],
+    BadUnitChar = ?SUCHTHAT(C, choose($A, $z), not lists:member([C], ValidUnits)),
+    ?FORALL({N, UnitChar}, {pos_integer(), BadUnitChar},
+        begin
+            MaxAge = list_to_binary(integer_to_list(N) ++ [UnitChar]),
+            {error, invalid_max_age} =:= rabbit_amqqueue:check_max_age(MaxAge)
+        end).
diff --git a/deps/rabbit/test/rabbit_stream_queue_SUITE.erl b/deps/rabbit/test/rabbit_stream_queue_SUITE.erl
@@ -344,6 +344,13 @@ declare_max_age(Config) ->
                [{<<"x-queue-type">>, longstr, <<"stream">>},
                 {<<"x-max-age">>, longstr, <<"1A">>}])),
 
+    %% "D" has no leading digits; must return a clean error, not crash
+    ?assertExit(
+       {{shutdown, {server_initiated_close, 406, _}}, _},
+       declare(Config, Server, Q,
+               [{<<"x-queue-type">>, longstr, <<"stream">>},
+                {<<"x-max-age">>, longstr, <<"D">>}])),
+
     ?assertEqual({'queue.declare_ok', Q, 0, 0},
                  declare(Config, Server, Q, [{<<"x-queue-type">>, longstr, <<"stream">>},
                                              {<<"x-max-age">>, longstr, <<"1Y">>}])),
@@ -401,11 +408,18 @@ declare_invalid_filter_size(Config) ->
     Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
     Q = ?config(queue_name, Config),
 
-    ExpectedError = <<"PRECONDITION_FAILED - Invalid value for  x-stream-filter-size-bytes">>,
+    ExpectedError = <<"PRECONDITION_FAILED - Invalid value for x-stream-filter-size-bytes">>,
     ?assertExit(
        {{shutdown, {server_initiated_close, 406, ExpectedError}}, _},
        declare(Config, Server, Q, [{<<"x-queue-type">>, longstr, <<"stream">>},
-                                   {<<"x-stream-filter-size-bytes">>, long, 256}])).
+                                   {<<"x-stream-filter-size-bytes">>, long, 256}])),
+
+    %% `x-stream-filter-size-bytes` is now in stream capabilities, so `check_non_neg_int_arg/2`
+    %% runs during declare argument validation and rejects non-integer types
+    ?assertExit(
+       {{shutdown, {server_initiated_close, 406, _}}, _},
+       declare(Config, Server, Q, [{<<"x-queue-type">>, longstr, <<"stream">>},
+                                   {<<"x-stream-filter-size-bytes">>, longstr, <<"128">>}])).
 
 consume_invalid_arg(Config) ->
     Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
diff --git a/deps/rabbit/test/unit_stream_arg_validation_SUITE.erl b/deps/rabbit/test/unit_stream_arg_validation_SUITE.erl
@@ -0,0 +1,211 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2026 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+
+-module(unit_stream_arg_validation_SUITE).
+
+-compile(nowarn_export_all).
+-compile(export_all).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("amqp_client/include/amqp_client.hrl").
+
+suite() ->
+    [{timetrap, {minutes, 5}}].
+
+all() ->
+    [
+     {group, unit},
+     {group, integration}
+    ].
+
+groups() ->
+    [
+     {unit, [parallel],
+      [check_max_age_empty_string,
+       check_max_age_no_leading_digits,
+       check_max_age_zero_count,
+       check_max_age_valid_units,
+       check_max_age_invalid_unit]},
+     {integration, [parallel],
+      [filter_size_lower_bound,
+       filter_size_upper_bound,
+       filter_size_below_lower_bound,
+       filter_size_zero,
+       filter_size_float,
+       filter_size_on_classic_queue]}
+    ].
+
+%% -------------------------------------------------------------------
+%% Suite setup/teardown.
+%% -------------------------------------------------------------------
+
+init_per_suite(Config) ->
+    rabbit_ct_helpers:log_environment(),
+    rabbit_ct_helpers:run_setup_steps(Config).
+
+end_per_suite(Config) ->
+    rabbit_ct_helpers:run_teardown_steps(Config).
+
+init_per_group(unit, Config) ->
+    Config;
+init_per_group(integration, Config) ->
+    Config1 = rabbit_ct_helpers:set_config(Config,
+                                           [{rmq_nodename_suffix, integration},
+                                            {rmq_nodes_count, 1}]),
+    rabbit_ct_helpers:run_steps(Config1,
+                                rabbit_ct_broker_helpers:setup_steps() ++
+                                rabbit_ct_client_helpers:setup_steps()).
+
+end_per_group(unit, _Config) ->
+    ok;
+end_per_group(integration, Config) ->
+    rabbit_ct_helpers:run_steps(Config,
+                                rabbit_ct_client_helpers:teardown_steps() ++
+                                rabbit_ct_broker_helpers:teardown_steps()).
+
+init_per_testcase(Testcase, Config) ->
+    Config1 = rabbit_ct_helpers:testcase_started(Config, Testcase),
+    Q = rabbit_data_coercion:to_binary(Testcase),
+    rabbit_ct_helpers:set_config(Config1, [{queue_name, Q}]).
+
+end_per_testcase(Testcase, Config) ->
+    rabbit_ct_helpers:testcase_finished(Config, Testcase).
+
+%% -------------------------------------------------------------------
+%% Unit tests: rabbit_amqqueue:check_max_age/1.
+%% Pure function; no broker required.
+%% -------------------------------------------------------------------
+
+check_max_age_empty_string(_Config) ->
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<>>)).
+
+check_max_age_no_leading_digits(_Config) ->
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"D">>)),
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"M">>)),
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"Year">>)),
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"-1D">>)).
+
+check_max_age_zero_count(_Config) ->
+    lists:foreach(
+      fun(Unit) ->
+              ?assertEqual({error, invalid_max_age},
+                           rabbit_amqqueue:check_max_age(list_to_binary("0" ++ Unit)))
+      end,
+      ["Y", "M", "D", "h", "m", "s"]).
+
+check_max_age_valid_units(_Config) ->
+    lists:foreach(
+      fun(Unit) ->
+              Result = rabbit_amqqueue:check_max_age(list_to_binary("10" ++ Unit)),
+              ?assert(is_integer(Result)),
+              ?assert(Result > 0)
+      end,
+      ["Y", "M", "D", "h", "m", "s"]).
+
+check_max_age_invalid_unit(_Config) ->
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"1A">>)),
+    %% Lowercase y is not a valid unit; only uppercase Y is
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"1y">>)),
+    %% Multiple trailing characters are not a valid unit
+    ?assertEqual({error, invalid_max_age}, rabbit_amqqueue:check_max_age(<<"1D2">>)).
+
+%% -------------------------------------------------------------------
+%% Integration tests: x-stream-filter-size-bytes validation.
+%% These tests require a running broker.
+%% -------------------------------------------------------------------
+
+filter_size_lower_bound(Config) ->
+    Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
+    Q = ?config(queue_name, Config),
+    ?assertEqual({'queue.declare_ok', Q, 0, 0},
+                 declare_stream(Config, Server, Q,
+                                [{<<"x-stream-filter-size-bytes">>, long, 16}])),
+    delete_queue(Config, Q).
+
+filter_size_upper_bound(Config) ->
+    Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
+    Q = ?config(queue_name, Config),
+    ?assertEqual({'queue.declare_ok', Q, 0, 0},
+                 declare_stream(Config, Server, Q,
+                                [{<<"x-stream-filter-size-bytes">>, long, 255}])),
+    delete_queue(Config, Q).
+
+filter_size_below_lower_bound(Config) ->
+    Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
+    Q = ?config(queue_name, Config),
+    ExpectedError = <<"PRECONDITION_FAILED - Invalid value for x-stream-filter-size-bytes">>,
+    ?assertExit(
+       {{shutdown, {server_initiated_close, 406, ExpectedError}}, _},
+       declare_stream(Config, Server, Q,
+                      [{<<"x-stream-filter-size-bytes">>, long, 15}])).
+
+filter_size_zero(Config) ->
+    Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
+    Q = ?config(queue_name, Config),
+    %% 0 satisfies `check_non_neg_int_arg/2` but still falls below the valid range
+    ExpectedError = <<"PRECONDITION_FAILED - Invalid value for x-stream-filter-size-bytes">>,
+    ?assertExit(
+       {{shutdown, {server_initiated_close, 406, ExpectedError}}, _},
+       declare_stream(Config, Server, Q,
+                      [{<<"x-stream-filter-size-bytes">>, long, 0}])).
+
+filter_size_float(Config) ->
+    Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
+    Q = ?config(queue_name, Config),
+    %% Before the fix, a float in [16.0, 255.0] was silently accepted because Erlang
+    %% compares floats and integers numerically, bypassing the `x-stream-filter-size-bytes`
+    %% range guard.
+    ?assertExit(
+       {{shutdown, {server_initiated_close, 406, _}}, _},
+       declare_stream(Config, Server, Q,
+                      [{<<"x-stream-filter-size-bytes">>, float, 32.0}])).
+
+filter_size_on_classic_queue(Config) ->
+    Server = rabbit_ct_broker_helpers:get_node_config(Config, 0, nodename),
+    Q = ?config(queue_name, Config),
+    %% `x-stream-filter-size-bytes` is now in stream capabilities and therefore in the
+    %% global queue_arguments union, so classic queues must reject it.
+    ?assertExit(
+       {{shutdown, {server_initiated_close, 406, _}}, _},
+       declare_classic(Config, Server, Q,
+                       [{<<"x-stream-filter-size-bytes">>, long, 32}])).
+
+%% -------------------------------------------------------------------
+%% Helpers.
+%% -------------------------------------------------------------------
+
+declare_stream(Config, Server, Q, ExtraArgs) ->
+    call_declare(Config, Server,
+                 #'queue.declare'{queue     = Q,
+                                  durable   = true,
+                                  arguments = [{<<"x-queue-type">>, longstr, <<"stream">>}
+                                               | ExtraArgs]}).
+
+declare_classic(Config, Server, Q, ExtraArgs) ->
+    call_declare(Config, Server,
+                 #'queue.declare'{queue     = Q,
+                                  durable   = true,
+                                  arguments = [{<<"x-queue-type">>, longstr, <<"classic">>}
+                                               | ExtraArgs]}).
+
+call_declare(Config, Server, Cmd) ->
+    Ch = rabbit_ct_client_helpers:open_channel(Config, Server),
+    Reply = amqp_channel:call(Ch, Cmd),
+    rabbit_ct_client_helpers:close_channel(Ch),
+    Reply.
+
+delete_queue(Config, Q) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0, ?MODULE, do_delete_queue, [Q]).
+
+do_delete_queue(Name) ->
+    QName = rabbit_misc:r(<<"/">>, queue, Name),
+    case rabbit_amqqueue:lookup(QName) of
+        {ok, Q} ->
+            {ok, _} = rabbit_amqqueue:delete(Q, false, false, <<"dummy">>);
+        _ ->
+            ok
+    end.
