Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement encoding.TextUnmarshaler in Digest #101

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Implement encoding.TextUnmarshaler in Digest #101

wants to merge 1 commit into from

Conversation

mtrmac
Copy link

@mtrmac mtrmac commented May 9, 2024

... to ensure invalid values are rejected.

Otherwise Go would allow setting a Digest value to arbitrary strings, causing a later panic or other misuse if users forget to call Validate(). (e.g. containers/image#2403 , CVE-2024-3727 .)

I don’t think adding this validation should break correct programs, although it can’t quite be ruled out. I did observe this breaking unit tests which were using unrealistic invalid Digest values.

@mtrmac
Implement encoding.TextUnmarshaler in Digest
765cee4 
... to ensure invalid values are rejected.

Otherwise Go would allow setting a Digest value to arbitrary strings,
causing a later panic or other misuse if users forget to call Validate().

Signed-off-by: Miloslav Trmač <[email protected]>
stevvooe
stevvooe approved these changes May 9, 2024
View reviewed changes
Copy link
Contributor

@stevvooe stevvooe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I'd like to get another opinion on this, as it can create bugs in other systems that delay validation after serialization.

@mtrmac mtrmac mentioned this pull request May 9, 2024
Merged
@tianon
Copy link
Member

tianon commented May 9, 2024

This is definitely a breaking change, right? It's going to be hard to quantify exactly how widespread the breakage is, but it doesn't seem terribly unusual IMO for a project to have used this Digest type in a JSON context and round tripping string values that are not technically valid (since to actually use the value, you have to either explicitly validate it or suffer a panic).

@thaJeztah
Copy link
Member

Yes, this is a tricky one; I wonder if this code could be used in situations where the consumer doesn't actually need it to be valid (I guess that's roughly what @tianon describes above, but in better words).

Also not gonna lie that this module has quite some potential footguns, and I cursed a few times when we had code that didn't validate, and panicked after it turned out that code depended on <some other random package> that happened to be importing crypto/sha256.

I wonder if we can make overall use less error-prone, but this very likely would require a "v2".

@mtrmac
Copy link
Author

mtrmac commented May 10, 2024

An alternative implementation could use just a DigestRegexpAnchored match, to also allow unknown digest algorithms. In theory, that would be more compatible if the deployed algorithms changed over time.

As for users who store completely invalid strings while marshaling/unmarshaling digest.Digest values, I don’t see how that makes sense, and I don’t think it should be encouraged, but I can’t quite rule out that somebody somewhere is doing that in production.

dmcgowan
dmcgowan reviewed May 10, 2024
View reviewed changes
digest.go
}

value, err := Parse(string(text))
if err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could ignore ErrDigestUnsupported here

@tianon
Copy link
Member

tianon commented May 10, 2024

An example invalid string I've personally stored and seen in these many times is the empty string, and I think that one is probably pretty common (although I don't know if it's also common to marshal that to/from JSON), but that case is already covered here. 😅

This was referenced May 28, 2024
Merged
Merged
Merged
Merged
Merged
Merged
@mtrmac mtrmac mentioned this pull request Sep 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmcgowan dmcgowan dmcgowan left review comments

@stevvooe stevvooe stevvooe approved these changes

@AkihiroSuda AkihiroSuda Awaiting requested review from AkihiroSuda AkihiroSuda is a code owner

@thaJeztah thaJeztah Awaiting requested review from thaJeztah thaJeztah is a code owner

@vbatts vbatts Awaiting requested review from vbatts vbatts is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mtrmac @tianon @thaJeztah @stevvooe @dmcgowan