You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Section 3.1 of RFC 8152 defines a number of common COSE header parameters and their associated value types. Applications using the go-cose library may rely on COSE-defined headers decoded by the library to be of a specified type. For example, the COSE specification defines the content-type header to be of type either text string or unsigned integer. The go-cose library currently only validates the alg and crit parameters.
An application using go-cose to verify and validate incoming COSE messages may for example use the content-type header to index a map, expecting the content type to be a valid string or integer. If that assumption is violated, a malicious message may cause a panic in the receiver.
The lack of validation also allows users to serialize messages that will be rejected by other conforming COSE libraries - for example https://github.com/laurencelundblade/t_cose rejects messages with incorrect header types.
The implementation should validate common header types, and/or clearly document which headers are validated.
The text was updated successfully, but these errors were encountered:
Section 3.1 of RFC 8152 defines a number of common COSE header parameters and their associated value types. Applications using the go-cose library may rely on COSE-defined headers decoded by the library to be of a specified type. For example, the COSE specification defines the content-type header to be of type either text string or unsigned integer. The go-cose library currently only validates the alg and crit parameters.
An application using go-cose to verify and validate incoming COSE messages may for example use the content-type header to index a map, expecting the content type to be a valid string or integer. If that assumption is violated, a malicious message may cause a panic in the receiver.
The lack of validation also allows users to serialize messages that will be rejected by other conforming COSE libraries - for example https://github.com/laurencelundblade/t_cose rejects messages with incorrect header types.
The implementation should validate common header types, and/or clearly document which headers are validated.
The text was updated successfully, but these errors were encountered: