fix: check the credential id length att data (#16)

This checks the credential id length based on the spec. See https://w3c.github.io/webauthn/#attested-credential-data.
go-webauthn · james-d-elliott · Mar 1, 2022 · Mar 1, 2022 · Mar 1, 2022 · Mar 1, 2022
commit 35287ea54b50b1f553f3cc0f0f5527039f375e2c
diff --git a/protocol/authenticator.go b/protocol/authenticator.go
@@ -8,9 +8,10 @@ import (
  "github.com/go-webauthn/webauthn/protocol/webauthncbor"
 )
 
-var (
+const (
  minAuthDataLength = 37
  minAttestedAuthLength = 55
+ maxCredentialIDLength = 1023
 )
 
 // Authenticators respond to Relying Party requests by returning an object derived from the
@@ -203,6 +204,10 @@ func (a *AuthenticatorData) unmarshalAttestedData(rawAuthData []byte) (err error
  return ErrBadRequest.WithDetails("Authenticator attestation data length too short")
  }
 
+ if idLength > maxCredentialIDLength {
+ return ErrBadRequest.WithDetails("Authenticator attestation data credential id length too long")
+ }
+
  a.AttData.CredentialID = rawAuthData[55 : 55+idLength]
 
  a.AttData.CredentialPublicKey, err = unmarshalCredentialPublicKey(rawAuthData[55+idLength:])