Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(job-queue-plugin): Use multiple BullMQ queues instead of one #3108

Open
wants to merge 35 commits into
base: minor
Choose a base branch
from

Conversation

dlhck
Copy link
Collaborator

@dlhck dlhck commented Oct 5, 2024

Description

Refactors the bullmq-job-queue-strategy to use a separate BullMQ queue for every Vendure job queue. This should improve the stability and issues with horizontally scaled worker instances. The current implementation pushes all jobs to a single BullMQ queue called vendure-job-queue, which is not best practice.

Resolves #2419 and #1726

Breaking changes

There is no breaking change.

Checklist

📌 Always:

  • I have set a clear title
  • My PR is small and contains a single feature

👍 Most of the time:

  • I have added or updated test cases
  • I have updated the README if needed

Copy link

vercel bot commented Oct 5, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
docs ✅ Ready (Inspect) Visit Preview Dec 2, 2024 9:21pm

@dlhck
Copy link
Collaborator Author

dlhck commented Oct 5, 2024

There is currently one major problem in the core implementation: Every job needs to have a unique ID. But with BullMQ the IDs are only unique within the sequence of a queue. This is the core issue that still needs to be resolved.

Edit: This has been solved by using a combination of the queue name and the BullMQ job ID as a unique ID

@dlhck
Copy link
Collaborator Author

dlhck commented Oct 6, 2024

@michaelbromley we are running into an issue, that it is not possible to display a list of all jobs from all queues in all states (aka the default list view). This is because of limitations of the BullMQ library and the way how the Redis keys are structured.

I see two options here:

  • Not support the default list view at all
  • Change the list view implementation to make it possible to disable the initial state (no filters) and automatically select the first queue (ergo only make it possible to view jobs filtered by queue)

@dlhck dlhck self-assigned this Oct 6, 2024
@dlhck dlhck requested a review from michaelbromley October 7, 2024 11:51
@dlhck dlhck marked this pull request as ready for review October 7, 2024 12:55
github-actions bot and others added 13 commits November 27, 2024 12:25
added await to db query causing the value to be promise and causing server crash

Issue#2868
Fixes #3217. The sanitization that was introduced to fix a local file
traversal attack was overly-aggressive when using s3 and caused it to
break in certain cases.
This property was moved onto the InspectableJobQueueStrategy interface, since
it is tightly bound to a specific strategy, and should not be settable
from elsewhere, like with regular VendureConfig options.
Copy link
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


8 out of 9 committers have signed the CLA.
✅ (dlhck)[https://github.com/dlhck]
✅ (DeltaSAMP)[https://github.com/DeltaSAMP]
✅ (xiopipe)[https://github.com/xiopipe]
✅ (michaelbromley)[https://github.com/michaelbromley]
✅ (Rana-Faraz)[https://github.com/Rana-Faraz]
✅ (Draykee)[https://github.com/Draykee]
✅ (taxilian)[https://github.com/taxilian]
✅ (martijnvdbrug)[https://github.com/martijnvdbrug]
@emmanuel-ferdman
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

// For S3 storage, we don't need to sanitize the path because
// directory traversal attacks are not possible, and modifying the
// path in this way can s3 files to be not found.
return path.normalize(decodedPath).replace(/(\.\.[\/\\])+/, '');

Check failure

Code scanning / CodeQL

Incomplete multi-character sanitization High

This string may still contain
../
, which may cause a path injection vulnerability.

Copilot Autofix AI 21 days ago

To fix the problem, we need to ensure that all instances of ../ or ..\ are removed from the input path. One effective way to achieve this is to repeatedly apply the regular expression replacement until no more replacements can be performed. This ensures that all occurrences of the targeted pattern are removed.

We will modify the sanitizeFilePath method to repeatedly apply the regular expression replacement until the input path no longer contains any ../ or ..\ sequences.

Suggested changeset 1
packages/asset-server-plugin/src/asset-server.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/asset-server-plugin/src/asset-server.ts b/packages/asset-server-plugin/src/asset-server.ts
--- a/packages/asset-server-plugin/src/asset-server.ts
+++ b/packages/asset-server-plugin/src/asset-server.ts
@@ -264,3 +264,7 @@
             // path in this way can s3 files to be not found.
-            return path.normalize(decodedPath).replace(/(\.\.[\/\\])+/, '');
+            let sanitizedPath = path.normalize(decodedPath);
+            while (sanitizedPath.includes('..')) {
+                sanitizedPath = sanitizedPath.replace(/(\.\.[\/\\])+/, '');
+            }
+            return sanitizedPath;
         } else {
EOF
@@ -264,3 +264,7 @@
// path in this way can s3 files to be not found.
return path.normalize(decodedPath).replace(/(\.\.[\/\\])+/, '');
let sanitizedPath = path.normalize(decodedPath);
while (sanitizedPath.includes('..')) {
sanitizedPath = sanitizedPath.replace(/(\.\.[\/\\])+/, '');
}
return sanitizedPath;
} else {
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@michaelbromley
Copy link
Member

I got sucked down a deep rabbithole on this today. I think I'm pretty close to done, but this is much more subtly complex than I first thought.

I established some e2e tests, but things are still buggy in manual testing and I don't have time to finish this now for v3.1.

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@dlhck dlhck added this to the v3.2.0 milestone Dec 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: ♻️ In progress
Development

Successfully merging this pull request may close these issues.

9 participants