fix: check the credential id length att data (#16)

This checks the credential id length based on the spec. See https://w3c.github.io/webauthn/#attested-credential-data.
go-webauthn · Mar 1, 2022 · b3b93ac · b3b93ac
1 parent 729227d
commit b3b93ac
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/protocol/authenticator.go b/protocol/authenticator.go
@@ -8,9 +8,10 @@ import (
  "github.com/go-webauthn/webauthn/protocol/webauthncbor"
 )
 
-var (
+const (
  minAuthDataLength = 37
  minAttestedAuthLength = 55
+ maxCredentialIDLength = 1023
 )
 
 // Authenticators respond to Relying Party requests by returning an object derived from the
@@ -218,6 +219,10 @@ func (a *AuthenticatorData) unmarshalAttestedData(rawAuthData []byte) (err error
  return ErrBadRequest.WithDetails("Authenticator attestation data length too short")
  }
 
+ if idLength > maxCredentialIDLength {
+ return ErrBadRequest.WithDetails("Authenticator attestation data credential id length too long")
+ }
+
  a.AttData.CredentialID = rawAuthData[55 : 55+idLength]
 
  a.AttData.CredentialPublicKey, err = unmarshalCredentialPublicKey(rawAuthData[55+idLength:])