-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trailing extraneous bytes passed to cbor.Unmarshal()
, also it may contain authenticator extension data
#178
Comments
Hey thanks for making contact. I believe I had in mind some more rigorous testing before upgrading (since this dep is pretty important) and time got away from me. It makes sense that this is an important upgrade now that you explain it. I'll merge this and make a release today. |
Hey @james-d-elliott thanks for super fast response! 🙌 You probably already know this, so I'm just being extra cautious. The cbor upgrade to v2.5.0 by itself might cause authentications to fail (as experienced by gravitational/teleport). You may want to replace Thanks again for amazing response time! |
No worries. I was definitely aware there may be issues which is why I was waiting. I did plan to do more thorough testing but I can relatively easily release a fix if any issues are noticed. Thanks for the pointer about cbor.Unmarshal though. I'll do some reading and maybe make a hotfix later today if it makes sense. |
Version
0.8.6
Description
This issue has a public test from August 31, 2023 at gravitational/teleport#31322. I maintain fxamacker/cbor, my apologies for not catching some aspects of this sooner. 🙏
ParseCredentialCreationResponseBody()
is called with data that causes code in webauthncbor.go to eventually pass 91 bytes tocbor.Unmarshal()
.Those 91 bytes represent a CBOR Sequence (RFC 8742) instead of CBOR data item (RFC 8949).
cbor.Unmarshal()
is for parsing a CBOR data item rather than CBOR Sequence (concatenation of CBOR data items).In old versions of cbor library, the extra trailing bytes are ignored by
cbor.Unmarshal()
instead of returning error.For some uses cases, ignoring trailing bytes is undesirable and can create risks. In this test case, the extraneous 14 bytes is a CBOR data item that appears to represent authenticator extension data
{"credProtect": 2}
.Upgrading to fxamacker/cbor v2.5.0 makes it easier to detect and handle extraneous data:
cbor.Unmarshal()
detects trailing bytes and returnsExtraneousDataError
.cbor.UnmarshalFirst()
function was added to explicitly handle extraneous bytes withoutExtraneousDataError
.cbor.DiagnoseFirst()
function was added to return human readable text (Diagnostic Notation) for logging/debugging.If you choose to upgrade to v2.5.0, please see ⭐ Notable Changes to Review Before Upgrading in the release notes.
My apologies again for not catching some of this sooner. Please let me know if I can help make the upgrade go smoothly.
Reproduction
See gravitational/teleport#31322 for test and reproducer.
TestIssue31187_errorParsingAttestationResponse
Reproducer calls
ParseCredentialCreationResponseBody
with data that causes code in webauthncbor.go to eventually pass 91 bytes tocbor.Unmarshal()
.Those 91 bytes represent a CBOR Sequence (RFC 8742) instead of CBOR data item (RFC 8949).
In Diagnostic Notation, first CBOR data item represents:
The 2nd CBOR data item (aka extraneous data in RFC 8949) represents:
Expectations
Detect or prevent extraneous bytes or CBOR Sequence being passed to
cbor.Unmarshal()
.If needed, handle authenticator extension data currently contained in the trailing bytes.
Documentation
No response
The text was updated successfully, but these errors were encountered: