Following the examples, our app uses verify_registration(response, challenge) with untrusted inputs for response.
In production, we've seen users submit data such as this:
{"id":"...","rawId":"...","response":{"clientDataJSON":{},"attestationObject":{}},"authenticatorAttachment":"platform","clientExtensionsResults":{},"type":"public-key"}
While this is obviously invalid, the library attempted to decrypt {} as an attestationObject, failing with undefined method 'end_with?' for an instance of Hash. This caused a 500 inside critical code.
After reviewing the chain that leads to the Base64UrlEncoder.decrypt call I'm not clear on where the responsibility for sanitising user inputs should be. Is it expected that library callers check that the response conforms to an expected shape?
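As an added example (not code from the report, nor from the library being discussed), this is the caller-side shape check I would put in front of `verify_registration`: it rejects the kind of submission shown above, where `clientDataJSON` and `attestationObject` arrive as JSON objects instead of base64url strings, before anything tries to decode them. The module name, the strict base64url pattern, and both sample payloads are constructed for the example; the field names follow the WebAuthn JSON form of a `PublicKeyCredential` with an `AuthenticatorAttestationResponse`.

```ruby
require "json"

# Caller-side shape check for a WebAuthn registration response.
# Runs on the parsed JSON before it is handed to the library, so a
# malformed body becomes a 4xx with a clear message instead of a
# NoMethodError deep inside decoding.
module RegistrationResponseShape
  # Strict base64url: URL-safe alphabet, optional padding (assumption of this example).
  BASE64URL = /\A[A-Za-z0-9_-]+={0,2}\z/

  # Returns an array of problems; an empty array means the shape is acceptable.
  def self.problems(credential)
    errors = []
    return ["credential must be a JSON object, got #{credential.class}"] unless credential.is_a?(Hash)

    errors << 'type must be "public-key"' unless credential["type"] == "public-key"
    %w[id rawId].each do |key|
      errors << "#{key} must be a non-empty base64url string" unless base64url?(credential[key])
    end

    response = credential["response"]
    unless response.is_a?(Hash)
      errors << "response must be a JSON object"
      return errors
    end

    # These two fields are what the library decodes; both must be strings.
    %w[clientDataJSON attestationObject].each do |key|
      value = response[key]
      next if base64url?(value)

      errors << "response.#{key} must be a non-empty base64url string, got #{value.class}"
    end
    errors
  end

  def self.valid?(credential)
    problems(credential).empty?
  end

  def self.base64url?(value)
    value.is_a?(String) && !value.empty? && BASE64URL.match?(value)
  end
  private_class_method :base64url?
end

# Constructed sample mirroring the malformed submission in the report:
# objects where base64url strings are expected.
MALFORMED = JSON.parse(<<~PAYLOAD)
  {"id":"QUJD","rawId":"QUJD",
   "response":{"clientDataJSON":{},"attestationObject":{}},
   "authenticatorAttachment":"platform","clientExtensionsResults":{},"type":"public-key"}
PAYLOAD

# Constructed well-formed sample; the strings are placeholders, not a real attestation.
WELL_FORMED = {
  "id" => "QUJD", "rawId" => "QUJD", "type" => "public-key",
  "response" => {
    "clientDataJSON" => "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0",
    "attestationObject" => "o2NmbXRkbm9uZQ",
  },
}

if __FILE__ == $PROGRAM_NAME
  puts RegistrationResponseShape.problems(MALFORMED)
  puts RegistrationResponseShape.valid?(WELL_FORMED)
end
```

In a controller this runs right after `JSON.parse` of the request body; when `problems` is non-empty, respond 400 with the list and never call `verify_registration`. The check only guards the shape; the library still has to do the cryptographic verification on a well-formed response.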