Commit graph

4 commits

Profpatsch
46f908c3c1 docs(users/Profpatsch/netencode): Parser security considerations
Netencode parsers should probably set an upper length limit.

Change-Id: Ibe65f2b59058106b720867a83435bf45660f1adf
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5908
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2022-07-01 12:37:32 +00:00
Profpatsch
ed68ba6751 feat(users/Profpatsch/netencode): ignore earlier record entries
It turns out that the netencode spec requiring parsers to ignore *later*
entries meant that every parser has to do an extra check for each
element, instead of just overriding the key in the hash map.

This leads to a situation where the simple implementation is the wrong
one, which would lead to very subtle problems in parsers (see also the
infamous “json duplicate record entry” problem which has been used for
various exploits in the past).

To be fair, exploits are still possible, but at least a `Map.fromList`
will be the right implementation (provided it folds from the left) now
instead of the wrong one.

Examples of the trivial implementation now being right:

Python:

    > dict([("foo", 1), ("foo", 2)])
    {'foo': 2}

Rust:

    > println!("{:?}", HashMap::from([
      ("foo", 1),
      ("foo", 2)
    ]));
    {"foo": 2}

Haskell:

    > Data.Map.fromList [ ("foo", 1), ("foo", 2) ]
    fromList [("foo",2)]

Change-Id: Ife9593956f4718e5e720f4f348c227e4f3a71e2d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5108
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Autosubmit: Profpatsch <mail@profpatsch.de>
2022-02-14 14:12:19 +00:00
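A parser for a netencode subset, added here as an example and not the depot's own implementation, showing the point of both commits above: the `dict()` built from a record's entries keeps the last value for a duplicated key (the "later entry wins" rule from ed68ba6751), and every length prefix is checked against an upper bound and against the remaining input before any slice is taken (the limit that 46f908c3c1 recommends). The wire format assumed (`u,` unit, `n<bits>:<digits>,` / `i<bits>:<digits>,` numbers, `t<len>:<bytes>,` text, `b<len>:<bytes>,` binary, `<<len>:<tag>|<value>` tag, `{<len>:<tags>}` record, `[<len>:<values>]` list, with `<len>` the byte length of the enclosed content), the 1 MiB limit, and the sample inputs are assumptions made for this example, not taken from the README on this page.

```python
import re

# Upper bound on any single length prefix (assumed value; the commit only says
# parsers "should probably set an upper length limit").
MAX_LEN = 1 << 20


class NetencodeError(ValueError):
    """Raised for malformed, oversized or truncated input."""


def _read_len(buf, pos, stop):
    """Parse the ASCII decimal length starting at pos and ending at `stop`.

    Returns (length, position after `stop`). The value is bounded by MAX_LEN
    before the caller is allowed to allocate or slice anything with it.
    """
    end = buf.find(stop, pos)
    if end < 0:
        raise NetencodeError("unterminated length prefix")
    digits = buf[pos:end]
    if not digits.isdigit() or len(digits) > 10:
        raise NetencodeError("bad length prefix")
    n = int(digits)
    if n > MAX_LEN:
        raise NetencodeError(f"length {n} exceeds limit {MAX_LEN}")
    return n, end + 1


def _take(buf, pos, n):
    """Return exactly n bytes at pos, refusing a prefix that overruns the input."""
    if pos + n > len(buf):
        raise NetencodeError("length prefix exceeds remaining input")
    return buf[pos:pos + n], pos + n


def _expect(buf, pos, ch):
    if buf[pos:pos + 1] != ch:
        raise NetencodeError(f"expected {ch!r} at offset {pos}")
    return pos + 1


def parse(buf, pos=0):
    """Parse one value at pos; return (value, position after it).

    Value mapping: unit -> None, n/i -> int, t -> str, b -> bytes,
    tag -> (name, value), list -> list, record -> dict.
    """
    c = buf[pos:pos + 1]
    if c == b"u":
        return None, _expect(buf, pos + 1, b",")
    if c in (b"t", b"b"):
        n, p = _read_len(buf, pos + 1, b":")
        data, p = _take(buf, p, n)
        p = _expect(buf, p, b",")
        return (data.decode("utf-8") if c == b"t" else data), p
    if c in (b"n", b"i"):
        _bits, p = _read_len(buf, pos + 1, b":")   # bit width; not range-checked here
        end = buf.find(b",", p)
        num = buf[p:end] if end >= 0 else b""
        if not re.fullmatch(rb"\d+" if c == b"n" else rb"-?\d+", num):
            raise NetencodeError("bad number")
        return int(num), end + 1
    if c == b"<":
        n, p = _read_len(buf, pos + 1, b":")
        name, p = _take(buf, p, n)
        p = _expect(buf, p, b"|")
        value, p = parse(buf, p)
        return (name.decode("utf-8"), value), p
    if c in (b"{", b"["):
        n, p = _read_len(buf, pos + 1, b":")
        body, p = _take(buf, p, n)              # bounds-checked before slicing
        p = _expect(buf, p, b"}" if c == b"{" else b"]")
        items, q = [], 0
        while q < len(body):
            item, q = parse(body, q)
            items.append(item)
        if c == b"[":
            return items, p
        if not all(isinstance(i, tuple) for i in items):
            raise NetencodeError("record entry is not a tag")
        # Duplicate keys: the later entry overrides the earlier one, so the
        # naive dict() over the pairs (last write wins) is the correct parser.
        return dict(items), p
    raise NetencodeError(f"unknown type byte {c!r} at offset {pos}")


def decode(buf):
    """Parse a complete netencode value and reject trailing bytes."""
    value, p = parse(buf)
    if p != len(buf):
        raise NetencodeError("trailing bytes after value")
    return value


def rejects(buf):
    """True if decode() refuses buf with a NetencodeError."""
    try:
        decode(buf)
    except NetencodeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: the same key twice; the second entry wins.
    print(decode(b"{24:<3:foo|n6:1,<3:foo|n6:2,}"))
    print(decode(b"[10:n6:1,n6:2,]"))
    for bad in (b"t2000000:x,", b"t5:hi,"):
        print("rejected:", bad, rejects(bad))
```

The two length checks are the ones that matter for untrusted input: `_read_len` refuses a prefix above `MAX_LEN` before the number is used for anything, and `_take` refuses a prefix that runs past the buffer, so a hostile `{4294967295:` can neither allocate nor read out of bounds. Because records are parsed into a plain `dict`, the duplicate-key behaviour is the one the spec now mandates with no extra per-element check.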
Profpatsch
539884f7ad docs(users/Profpatsch/netencode): fix typo
Change-Id: I7edb9027c0a9eb014931033760be5f3d6e734b8a
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3845
Tested-by: BuildkiteCI
Reviewed-by: Profpatsch <mail@profpatsch.de>
2021-11-13 00:57:28 +00:00
Profpatsch
81d5571398 feat(users/Profpatsch/netencode): rename spec -> README
Change-Id: I0afda1c3705b8789cf6a0c57f7b74d005deb4ff5
Reviewed-on: https://cl.tvl.fyi/c/depot/+/2433
Reviewed-by: Profpatsch <mail@profpatsch.de>
Tested-by: BuildkiteCI
2021-01-23 15:37:26 +00:00
Renamed from users/Profpatsch/netencode/spec.md