-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug in signature validation renders Cipher unusable #22
Comments
Fl4m3Ph03n1x
changed the title
Bug in validate_plug.ex renders cipher unusable
Bug in signature validation renders Cipher unusable
Nov 23, 2018
We do. 😁 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background
Our team was using cypher to create URL signatures in the client and validate them via a the Plug in the server.
Issue
However, even though we were using the
test_mode
flag set to true with the callback function to log errors, Cipher was still crashing and killing the server process.Yes, the signatures were faulty, but the expected behaviour would be to Log the error instead of crashing the process.
RCA
After lengthy analysis I concluded that the bug is located in
cipher/validate_plug.ex
, namely in the following code snippet:The issue here is that this
case
clause is missing pattern matches, which causes it to throw an exception.How could this be?
This is where things get tricky. Cipher is tightly coupled to a JSON parsing library, called Poison.
Cipher says in the
mix.exs
file that it supports several Poison versions. In fact it says it supports incompatible Poison versions.{:poison, "~> 2.0 or ~> 3.0"}
These versions have incompatible APIs between them when reporting errors, so the code that pattern matches an error expression from Poison v2 does not match one from Poison v3. Not only that, but Poison v3 has known bugs in the error reporting API that cause errors to have different formats.
Poison v4 solved some of the issues, but the API breaks backwards compatibility.
And now comes the crux of the issue. Cipher's code and tests do not take into account all the different Poison versions, nor the specific bugs encountered in each version.
Possible solution
A possible solution would be to remake Cipher to use Poison v4, or Jason ( or preferably, to have a behaviour that would allow plugins that use different JSON parsers ) but that would take a tremendous effort that when taking in consideration other Cipher weaknesses ( such as the low security for the generated signatures ) would not be worth it.
We instead recommend you use an alternative to Cipher.
The text was updated successfully, but these errors were encountered: