[postcard-schema] Key hash calculation could suffer collision if path and schema alias #217
Comments
|
One proposed fix for this is adding a value to be hashed between the two, ideally something that is NEITHER valid utf-8 NOR a valid schema item. We could potentially hash a fragment that is invalid utf-8, and also not a valid schema prime identifier. |
|
Another mitigation could be to length-prefix the path |
|
Oh that's a good call. I also meant to make a note that we accept an empty path string, which probably isn't great for some reason I can't think of right now. |
|
Length-prefixing seems like a good solution.
I'll note that I use empty paths |
|
One thing to note about length prefixing: we might need to pick a max length (e.g. |
I'd like to go with using varint encoding for length prefixing. Fixed length can waste space for small values (e.g., u32 uses 4 bytes to store "testing" despite its 7-byte length). |
|
@thaodt this is for the key hashing, so we wouldn't store this anywhere. It would just be fed into the hasher. TYPICALLY this would only be done at a compile time anyway. The issue is: we need all systems to agree on the input to the hashing process, so for the length of "testing", that could either be In all cases, the output hash will be the same size, and that is what is stored. It's just about how many bytes we feed into the hasher. |
Described in jamesmunns/postcard-spec-ng#1 (comment),
Since some of the schema primes fall in the ascii range (and really, many other values could fall in the utf-8 range), it could be possible to get a collision between two Keys, for example since
b'e'is the prime used forbytearray, the following two would alias:We should consider this to the next breaking change in
postcard-schemaandpostcard-rpc.Right now in
postcard-rpc, this will lead to a compilation failure, as it would detect the two keys collide.CC @DavidBuchanan314 who discovered this, and @max-heller for thoughts.
The text was updated successfully, but these errors were encountered: