Tighten key parser to not accept keys containing non-numeric fields, which could be used to embed data useful for a SHA1 attack against git.

Also todo about why this is important, and with some further hardening to
add.

This commit was sponsored by Ignacio on Patreon.
Joey Hess 2017-02-24 00:17:25 -04:00
parent 0dec2257f0
commit 60d99a80a6
No known key found for this signature in database
GPG key ID: C910D9222512E3C7
3 changed files with 51 additions and 1 deletions

@ -22,6 +22,7 @@ module Types.Key (
import System.Posix.Types
import Data.Aeson
import Data.Char
import qualified Data.Text as T
import Common
@ -108,6 +109,16 @@ file2key s
findfields _ v = v
addbackend k v = Just k { keyBackendName = v }
-- This is a strict parser for security reasons; a key
-- can contain only 4 fields, which all consist only of numbers.
-- Any key containing other fields, or non-numeric data is
-- rejected with Nothing.
--
-- If a key contained non-numeric fields, they could be used to
-- embed data used in a SHA1 collision attack, which would be a
-- problem since the keys are committed to git.
addfield _ _ v | not (all isDigit v) = Nothing
addfield 's' k v = do
sz <- readish v
return $ k { keySize = Just sz }
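Review bot: the guard `addfield _ _ v | not (all isDigit v) = Nothing` lets an empty field value through, because `all isDigit` on an empty string is True. The 's' case then depends on `readish v` returning Nothing to reject it, which works only as long as every later case parses the value the same way. Consider making the rule explicit in the guard, for example `| null v || not (all isDigit v) = Nothing`, or state in the comment that empty values are rejected by the per-field parse. The comment also promises "only 4 fields", but nothing in these lines bounds the number or length of fields, so it would help to say where that is enforced or mark it as part of the hardening still to add.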
@ -120,7 +131,7 @@ file2key s
addfield 'C' k v = case readish v of
Just chunknum | chunknum > 0 ->
return $ k { keyChunkNum = Just chunknum }
_ -> return k
_ -> Nothing
addfield _ _ _ = Nothing
instance ToJSON Key where
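Review bot: the `_ -> Nothing` branch of the 'C' case rejects a key whose chunk number is 0, which is all digits and so not covered by the rule the comment above `addfield` states (numeric fields only). Since `_ -> return k` previously accepted such a key and dropped the field, this is a behaviour change for any key already written with C0; it is worth confirming none exist and extending the comment to say that the chunk number must be positive. A parser test covering a non-numeric field, an empty field and C0 would pin the new behaviour down.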