Skip to content

[Bugfix][Store] Reject invalid metadata client IDs#2990

Open
VectorPeak wants to merge 4 commits into
kvcache-ai:mainfrom
VectorPeak:codex/metadata-client-id-guard
Open

[Bugfix][Store] Reject invalid metadata client IDs#2990
VectorPeak wants to merge 4 commits into
kvcache-ai:mainfrom
VectorPeak:codex/metadata-client-id-guard

Conversation

@VectorPeak

Copy link
Copy Markdown
Contributor

Description

Reject malformed client_id values when MasterService::MetadataSerializer deserializes object metadata.

What Problem This Solves

DeserializeMetadata() read the serialized client_id string and called StringToUuid(client_id_str, client_id), but ignored the boolean result. If snapshot metadata contained a malformed client ID such as not-a-uuid, deserialization continued and could construct ObjectMetadata with an invalid UUID value instead of treating that entry as corrupt metadata.

A nearby sibling path already handles this strictly: the catalog-backed snapshot provider checks StringToUuid() and returns DESERIALIZE_FAIL for invalid client UUID strings. Replica msgpack deserialization also rejects invalid client IDs. This PR brings the master metadata deserializer in line with those paths.

Changes

  • Check the return value from StringToUuid() in DeserializeMetadata().
  • Return DESERIALIZE_FAIL with a targeted error message when the serialized metadata client ID is malformed.
  • Add a focused snapshot metadata regression test that builds a payload with client_id = not-a-uuid and verifies the object key is not restored into metadata.

The existing shard-level behavior is intentionally preserved: DeserializeShard() logs a per-object metadata deserialization failure and continues with the remaining entries.

Evidence

Before this change, the invalid client ID parse result was ignored:

UUID client_id;
StringToUuid(client_id_str, client_id);

The new test exercises the restore deserialization entry point with a malformed client ID payload:

BuildMetadataPayloadWithClientIdString(
    not-a-uuid, std::string_view(key.data(), key.size()))

and asserts that the bad entry is skipped instead of being restored:

EXPECT_FALSE(KeyExistsInMetadata(service_.get(), key));

Possible call chain / impact

snapshot metadata bytes
  -> MasterService::MetadataSerializer::Deserialize()
  -> DeserializeShard()
  -> DeserializeMetadata()
  -> StringToUuid(client_id_str, client_id)

This affects the master metadata restore/deserialization path for malformed persisted metadata. It does not change serialization output, valid UUID handling, replica parsing, or the shard-level policy that skips individual corrupt object entries.

Module

  • Transfer Engine (mooncake-transfer-engine)
  • Mooncake Store (mooncake-store)
  • Mooncake EP (mooncake-ep)
  • Mooncake PG (mooncake-pg)
  • Integration (mooncake-integration)
  • P2P Store (mooncake-p2p-store)
  • Python Wheel (mooncake-wheel)
  • Common (mooncake-common)
  • Mooncake RL (mooncake-rl)
  • CI/CD
  • Docs
  • Other

Type of Change

  • Bug fix
  • New feature
  • Refactor
  • Breaking change
  • Documentation update
  • Performance improvement
  • Other

How Has This Been Tested?

Test commands:

git diff --check
cmake -S . -B build-store-test -DBUILD_UNIT_TESTS=ON -DWITH_STORE=ON -DWITH_TE=ON -DWITH_STORE_RUST=OFF -DWITH_EP=OFF -DUSE_CUDA=OFF -DUSE_ETCD=OFF -DSTORE_USE_ETCD=OFF -DSTORE_USE_REDIS=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo

Test results:

  • Unit tests pass
  • Integration tests pass (if applicable)
  • Manual testing done (describe below)

git diff --check passed. The focused CMake configure was attempted in local WSL, but this machine is missing the yaml-cpp development package, so the local build/test target could not be configured here.

Checklist

  • I have performed a self-review of my own code
  • I have formatted my code using ./scripts/code_format.sh
  • I have run pre-commit run --all-files and all hooks pass
  • I have updated the documentation (if applicable)
  • I have added tests to prove my changes are effective
  • For changes >500 LOC: I have filed an RFC issue

./scripts/code_format.sh / pre-commit were not run locally because the Windows checkout exposes the shell script with CRLF line endings in WSL and pre-commit is not installed in this environment.

AI Assistance Disclosure

  • No AI tools were used
  • AI tools were used (specify below)

Used ChatGPT Codex to inspect the deserialization path, implement the small guard and regression test, and draft this PR description. The submitter is responsible for reviewing and defending the change.

Reject malformed client_id values while deserializing object metadata so corrupted snapshot entries are not restored with an invalid UUID.

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds validation for the client ID UUID during metadata deserialization in MasterService, returning a serialization error if the conversion fails. It also introduces a unit test to verify this behavior and refactors the test utilities to support payloads with invalid client ID strings. There are no review comments, so I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

VectorPeak and others added 3 commits July 18, 2026 21:42
Apply the format expected by the repository clang-format check.

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Use clang-format 20.1.8 output for the invalid metadata client ID regression test.

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
Pack the invalid client_id regression test payload with the numeric shard key shape expected by MetadataSerializer::Deserialize().

Co-authored-by: chatgpt-codex-connector[bot] <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants