Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement encoding.TextUnmarshaler in Digest #101

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

mtrmac
Copy link

@mtrmac mtrmac commented May 9, 2024

... to ensure invalid values are rejected.

Otherwise Go would allow setting a Digest value to arbitrary strings, causing a later panic or other misuse if users forget to call Validate(). (e.g. containers/image#2403 , CVE-2024-3727 .)

I don’t think adding this validation should break correct programs, although it can’t quite be ruled out. I did observe this breaking unit tests which were using unrealistic invalid Digest values.

... to ensure invalid values are rejected.

Otherwise Go would allow setting a Digest value to arbitrary strings,
causing a later panic or other misuse if users forget to call Validate().

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Copy link
Contributor

@stevvooe stevvooe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I'd like to get another opinion on this, as it can create bugs in other systems that delay validation after serialization.

@tianon
Copy link
Member

tianon commented May 9, 2024

This is definitely a breaking change, right? It's going to be hard to quantify exactly how widespread the breakage is, but it doesn't seem terribly unusual IMO for a project to have used this Digest type in a JSON context and round tripping string values that are not technically valid (since to actually use the value, you have to either explicitly validate it or suffer a panic).

@thaJeztah
Copy link
Member

Yes, this is a tricky one; I wonder if this code could be used in situations where the consumer doesn't actually need it to be valid (I guess that's roughly what @tianon describes above, but in better words).

Also not gonna lie that this module has quite some potential footguns, and I cursed a few times when we had code that didn't validate, and panicked after it turned out that code depended on <some other random package> that happened to be importing crypto/sha256.

I wonder if we can make overall use less error-prone, but this very likely would require a "v2".

@mtrmac
Copy link
Author

mtrmac commented May 10, 2024

An alternative implementation could use just a DigestRegexpAnchored match, to also allow unknown digest algorithms. In theory, that would be more compatible if the deployed algorithms changed over time.

As for users who store completely invalid strings while marshaling/unmarshaling digest.Digest values, I don’t see how that makes sense, and I don’t think it should be encouraged, but I can’t quite rule out that somebody somewhere is doing that in production.

}

value, err := Parse(string(text))
if err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could ignore ErrDigestUnsupported here

@tianon
Copy link
Member

tianon commented May 10, 2024

An example invalid string I've personally stored and seen in these many times is the empty string, and I think that one is probably pretty common (although I don't know if it's also common to marshal that to/from JSON), but that case is already covered here. 😅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants