Reject unknown fields in TxDecoder and sign mode handlers #6883

Merged
merged 17 commits into from
Aug 3, 2020

@aaronc aaronc commented Jul 29, 2020

This should wrap up or almost wrap up the critical path of #6213.

  • integrates unknown field rejection into the protobuf TxDecoder, rejecting:
    • any unknown fields in TxRaw
    • non-critical unknown fields in TxBody
    • any unknown fields in AuthInfo
  • fixes Address SIGN_MODE_LEGACY_AMINO_JSON security issues #6863 by:
    • separating the StdTx and proto Tx amino JSON sign mode handling
    • rejecting non-critical unknown fields in the proto TxBody
    • rejecting proto extensions and non_critical_extensions fields
    • rejecting timeout_height which isn't supported in StdTx
  • adds a boolean return parameter to RejectUnknownFields to track if non-critical fields are present in a message
  • fixes critical bugs related to field decoding in RejectUnknownFields (cc @odeke-em)


@aaronc aaronc changed the title WIP on unknown field rejection in TxDecoder Reject unknown fields in TxDecoder and sign mode handlers Jul 29, 2020
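
The critical/non-critical split and the boolean result from the PR description above, as an added example (not code from this PR or from the Cosmos SDK): a standard-library scan of protobuf wire bytes that rejects unknown fields and reports whether a non-critical one was seen. The bit-11 rule for non-critical field numbers is an assumption taken from the SDK's ADR 020 rather than from this page; `checkUnknown`, `known` and the sample bytes are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumption (ADR 020, not on this page): field numbers with bit 11 set are non-critical.
const nonCriticalBit = 1 << 10

var ErrUnknownField = errors.New("unknown field")
var fixedSize = [8]int{1: 8, 5: 4} // value sizes for wire types 1 (fixed64) and 5 (fixed32)

// checkUnknown (hypothetical) scans one message level; known = field numbers the type declares.
func checkUnknown(bz []byte, known map[uint64]bool, allowNonCritical bool) (hasNonCritical bool, err error) {
	for len(bz) > 0 {
		tag, n := binary.Uvarint(bz)
		if n <= 0 {
			return hasNonCritical, errors.New("malformed tag")
		}
		bz = bz[n:]
		num, skip := tag>>3, fixedSize[tag&7]
		switch tag & 7 {
		case 0: // varint
			_, skip = binary.Uvarint(bz)
		case 2: // length-delimited; the length must fit in the remaining bytes
			if l, m := binary.Uvarint(bz); m > 0 && l <= uint64(len(bz)-m) {
				skip = m + int(l)
			}
		}
		if skip <= 0 || skip > len(bz) {
			return hasNonCritical, errors.New("truncated or unsupported field")
		}
		bz = bz[skip:]
		if known[num] {
			continue
		}
		nonCritical := num&nonCriticalBit != 0
		hasNonCritical = hasNonCritical || nonCritical
		if !nonCritical || !allowNonCritical {
			return hasNonCritical, fmt.Errorf("%w: number %d", ErrUnknownField, num)
		}
	}
	return hasNonCritical, nil
}

func main() {
	msg := []byte{0x08, 0x05, 0x82, 0x40, 0x01, 0x78} // constructed: known field 1, unknown field 1024
	fmt.Println(checkUnknown(msg, map[uint64]bool{1: true}, true)) // true <nil>
}
```

With `allowNonCritical` set, a caller gets `true` and no error, which lets a stricter consumer such as a sign mode handler refuse the message itself.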

codecov bot commented Jul 29, 2020

Codecov Report

Merging #6883 into master will increase coverage by 3.46%.
The diff coverage is 82.66%.

@@            Coverage Diff             @@
##           master    #6883      +/-   ##
==========================================
+ Coverage   61.57%   65.04%   +3.46%     
==========================================
  Files         518      389     -129     
  Lines       31996    24253    -7743     
==========================================
- Hits        19703    15775    -3928     
+ Misses      10716     7271    -3445     
+ Partials     1577     1207     -370     

@aaronc aaronc mentioned this pull request Jul 30, 2020
@aaronc aaronc requested a review from odeke-em July 30, 2020 22:39
@aaronc aaronc marked this pull request as ready for review July 30, 2020 22:40
@aaronc aaronc requested review from amaury1093 and anilcse July 30, 2020 22:40

@odeke-em odeke-em left a comment


Thank you for this change @aaronc and for wiring things up! I have left some questions and suggestions, but also I still don't get why the boolean, when the error could be checked.

Resolved review threads:
  • codec/unknownproto/doc.go (outdated)
  • codec/unknownproto/unknown_fields.go (4 threads, 1 outdated)
  • x/auth/tx/direct.go
  • x/auth/tx/legacy_amino_json.go

aaronc commented Jul 30, 2020

> Thank you for this change @aaronc and for wiring things up! I have left some questions and suggestions, but also I still don't get why the boolean, when the error could be checked.

There is a case where we want to know if there are non-critical fields without returning an error.

@odeke-em

> There is a case where we want to know if there are non-critical fields without returning an error.

Oh okay, so an explicit customization, gotcha! Thanks for answering my question.


@odeke-em odeke-em left a comment


To ensure that you aren't blocked @aaronc when you get back to this, from the protoc-side LGTM with just the change to avoid the allocation and revert to (*types.Any)(nil). Thank you and great to see this all come alive!

@amaury1093 amaury1093 self-assigned this Aug 3, 2020

@anilcse anilcse left a comment


lgtm

Resolved review thread: codec/unknownproto/unknown_fields.go
@aaronc aaronc added the A:automerge Automatically merge PR once all prerequisites pass. label Aug 3, 2020
@mergify mergify bot merged commit 6d93744 into master Aug 3, 2020
@mergify mergify bot deleted the aaronc/6192-unknown-field-rejection branch August 3, 2020 19:47
Comment on lines +48 to +51
if body.TimeoutHeight != 0 {
return nil, sdkerrors.Wrap(sdkerrors.ErrInvalidRequest,
"SIGN_MODE_LEGACY_AMINO_JSON does not support timeout height.")
}
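
Review bot: the body.TimeoutHeight != 0 check carries no comment saying why a non-zero value is refused. The PR description only says timeout_height isn't supported in StdTx, and the author's reply on these lines calls it a malleability issue; a one-line comment above the if recording that reason would keep the check from being removed later as an arbitrary restriction. Separately, the error string ends with a period ("...does not support timeout height."); Go convention is no trailing punctuation on error strings, since callers wrap them into longer messages, so the period should be dropped.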

@alexanderbez note that TimeoutHeight is now being rejected by SIGN_MODE_LEGACY_AMINO_JSON (because otherwise it's a malleability issue) so if you are adding it to StdTx in #6089, you'll need to remove these lines.


@alexanderbez alexanderbez Aug 3, 2020


Thanks for pointing that out!

larry0x pushed a commit to larry0x/cosmos-sdk that referenced this pull request May 22, 2023
* WIP on unknown field rejection in TxDecoder

* WIP on unknown field rejection in TxDecoder

* WIP

* WIP

* WIP

* WIP

* Fix bugs with RejectUnknownFields

* Fix tests

* Fix bug and update docs

* Lint

* Add tests

* Add unknown field tests

* Lint

* Address review comments
Labels
A:automerge Automatically merge PR once all prerequisites pass. C:Encoding C:x/auth T: Security
Development

Successfully merging this pull request may close these issues.

Address SIGN_MODE_LEGACY_AMINO_JSON security issues
5 participants