Version: Initial Release
Description:
The current Rust implementation leverages Serde for serialization. Serde will deny any attempt to serialize characters that are not supported by the JSON specification: https://github.com/serde-rs/json/blob/master/src/read.rs#L787. This is great data validation on Serde's part, but it inhibits this tool's ability to conduct certain tests. In order to emulate attacker behavior, a workflow needs to be established where this tool can create malicious manifests with those special characters.
This issue could be solved a number of ways. One approach would be to manipulate manifests after their creation but prior to the signature being applied. This approach may have the advantage of allowing more types of manipulation beyond just this issue. Another option could be to use a serialization library that doesn't include this validation step. This bug is to track the high-level requirement to solve this problem.
Expected result:
This tool should be able to generate manifests with any character injected into it.
Actual result:
This tool is currently limited by an allow list implementation with the serialization library.
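A sketch of the first approach described above (edit the serialized bytes before they are signed), paired with the string-level check a strict JSON parser applies to such input. This is an added example, not code from the project: the `__INJECT__` placeholder, the function names and the sample manifest are assumptions, and signing is left as a comment.

```rust
/// Replace every occurrence of `marker` with raw `payload` bytes.
/// Runs on serializer output, so the serializer's validation never sees `payload`.
fn inject_raw(serialized: &[u8], marker: &[u8], payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(serialized.len());
    let mut i = 0;
    while i < serialized.len() {
        if !marker.is_empty() && serialized[i..].starts_with(marker) {
            out.extend_from_slice(payload);
            i += marker.len();
        } else {
            out.push(serialized[i]);
            i += 1;
        }
    }
    out
}

/// Offset of the first unescaped control byte (< 0x20) inside a JSON string
/// literal, the condition RFC 8259 forbids and strict parsers reject.
fn first_raw_control_in_string(json: &[u8]) -> Option<usize> {
    let (mut in_string, mut escaped) = (false, false);
    for (pos, &b) in json.iter().enumerate() {
        if !in_string {
            in_string = b == b'"';
        } else if escaped {
            escaped = false; // byte following a backslash belongs to the escape
        } else if b == b'\\' {
            escaped = true;
        } else if b == b'"' {
            in_string = false;
        } else if b < 0x20 {
            return Some(pos);
        }
    }
    None
}

fn main() {
    // Constructed sample standing in for serializer output (hypothetical fields).
    let template = br#"{"title":"__INJECT__","format":"image/jpeg"}"#;
    let mutated = inject_raw(template, b"__INJECT__", b"a\x00b");
    assert_eq!(first_raw_control_in_string(template), None);
    println!("raw control byte at offset {:?}", first_raw_control_in_string(&mutated));
    // `mutated`, not `template`, is what would be handed to the signing step.
}
```

A validator under test should reject the mutated bytes at the reported offset even though the signature over them verifies.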