hagrid: don't panic on short token size
Valodim committed Dec 28, 2023
1 parent 1d1eedc commit d11de8a
Showing 2 changed files with 22 additions and 7 deletions.
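--- a/src/sealed_state.rs
+++ b/src/sealed_state.rs
@@ -29,9 +29,13 @@ impl SealedState {
 }
 }
 
-pub fn unseal(&self, mut data: Vec<u8>) -> Result<String, &'static str> {
-let (nonce, sealed) = data.split_at_mut(NONCE_LEN);
-let unsealed = open_in_place(&self.opening_key, nonce, &[], 0, sealed)
+pub fn unseal(&self, data: &[u8]) -> Result<String, &'static str> {
+if data.len() < NONCE_LEN {
+return Err("invalid sealed value: too short");
+}
+let (nonce, sealed) = data.split_at(NONCE_LEN);
+let mut sealed_copy = sealed.to_vec();
+let unsealed = open_in_place(&self.opening_key, nonce, &[], 0, &mut sealed_copy)
 .map_err(|_| "invalid key/nonce/value: bad seal")?;
 
 ::std::str::from_utf8(unsealed)
@@ -67,8 +71,19 @@ mod tests {
 let sv = SealedState::new("swag");
 
 let sealed = sv.seal("test");
-let unsealed = sv.unseal(sealed).unwrap();
+let unsealed = sv.unseal(sealed.as_slice()).unwrap();
 
 assert_eq!("test", unsealed);
 }
+
+#[test]
+fn too_short() {
+let sv = SealedState::new("swag");
+
+let sealed = sv.seal("test");
+let sealed_short = &sealed[0..8];
+let unsealed_error = sv.unseal(sealed_short);
+
+assert_eq!(Err("invalid sealed value: too short"), unsealed_error);
+}
 }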
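Review bot: The new `too_short` test only feeds an 8-byte input, which the `data.len() < NONCE_LEN` guard rejects, so the boundary cases are not pinned by any test: an input of exactly `NONCE_LEN` bytes (empty ciphertext) and a nonce followed by fewer bytes than the authentication tag. Those inputs now pass the guard and rely on `open_in_place` returning an error rather than panicking. Because the value appears to come from a link the requester controls, it is worth asserting that explicitly, e.g. `assert!(sv.unseal(&sealed[..NONCE_LEN]).is_err());` and `assert!(sv.unseal(&sealed[..NONCE_LEN + 1]).is_err());` (assuming `NONCE_LEN` is in scope inside `mod tests`). The body of `unseal` continues past the end of the first hunk.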
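--- a/src/tokens.rs
+++ b/src/tokens.rs
@@ -43,11 +43,11 @@ impl Service {
 T: StatelessSerializable,
 {
 let token_sealed = base64::decode_config(&token_encoded, base64::URL_SAFE_NO_PAD)
-.map_err(|_| anyhow!("invalid b64"))?;
+.map_err(|_| anyhow!("Invalid base64. Did you follow a correct link?"))?;
 let token_str = self
 .sealed_state
-.unseal(token_sealed)
-.map_err(|_| anyhow!("failed to validate"))?;
+.unseal(token_sealed.as_slice())
+.map_err(|_| anyhow!("Failed to validate. Did you follow a correct link?"))?;
 let token: Token =
 serde_json::from_str(&token_str).map_err(|_| anyhow!("failed to deserialize"))?;
 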
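Review bot: The `.map_err(|_| …)` on the `unseal` call discards the reason string, so the distinction this commit introduces in `unseal` ("too short" versus "bad seal") never reaches logs or the error chain. Keeping the user-facing text generic is right, but operators lose the ability to tell truncated links from tokens that fail authentication. One option is to keep the cause as the inner error, `.map_err(|e| anyhow!(e).context("Failed to validate. Did you follow a correct link?"))`, provided the error is rendered to users with plain `{}` and not `{:#}` or `{:?}`, which would print the chain. The enclosing function starts before and ends after this hunk, so how the error is ultimately displayed is not visible here.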
