-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure critical header contains valid labels #78
Conversation
Signed-off-by: qmuntal <[email protected]>
Signed-off-by: qmuntal <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Question: this seems scoped to the decoding of protected headers. Should there be a similar check for the unprotected blob?
The critical parameters must be placed in the protected header, so the check does not apply to the unprotected header. |
Right, so if we want to be compliant with the COSE spec, shouldn't we also enforce the check on the unprotected headers map? ( Apologies in advance if this is a stupid question, I'm context-switching from something completely different and I may be slightly confused :-) ) |
Not stupid at all. I'll let @shizhMSFT and @yogeshbdeshpande decide, as I might also be missing some context. The spec says:
This seems to imply that the unprotected header can't contain the |
Reviewing now: let me check and comment! |
True dat. What I was referencing is the other bit of the spec that says that it's an error to have labels that aren't |
The only other use of labels are header map keys, and we are already checking those are either integers or strings in |
Understanding the thread and checking: There are two points of checking here, if I understand correctly.
I think, 2 does seem to be a valid check and we should address it. However ValidateHeaderLable used in both Marshal and UnMarshal so it is fine. My take. |
Isn't that scoped to the decoding side only? If not, ignore me :-) , otherwise this bit of the spec may apply:
in paricular, the |
Signed-off-by: qmuntal <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
case uint64: | ||
label = int64(v) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we intercept the potential overflow here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll rather do it in another PR. This is clearly an issue but requires its own discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. #79 for tracking this.
Scratch that, I was talking rubbish. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚢 it!
Issue found by Trail of Bits during security review.
A protected header parameter containing a non-comparable element type, such a slice or a map, will produce a runtime panic while being encoded and decoded.
This is because the element is being used as map key to validate there are no missing critical headers, but non-comparable types can't be used as map keys, as per the Go spec.
Investigating this issue, I found we are missing to validate that the critical header array only contains valid labels (RFC 8152 Section 3.1), which are restricted to integers and strings (RFC 8152 Section 1.2).
This PR adds a new validation step which ensures that the elements of the critical header are valid labels when encoding and decoding a protected header.
By doing that we also fix the original issue, as integers and strings are always comparable.
@yogeshbdeshpande @shizhMSFT @thomas-fossati
Signed-off-by: qmuntal [email protected]