GODRIVER-3240 Code hardening.#1684
Merged
qingyang-hu merged 6 commits intomongodb:v1from Jun 27, 2024
Merged
Conversation
mongodb-drivers-pr-bot
Bot
added
the
review-priority-low
Contributor
API Change ReportNo changes found! |
matthewdale
requested changes
Jun 25, 2024
Comment on lines
+99
to
+106
| i, err := strconv.ParseUint(val.v.(string), 16, 64) | ||
| if err != nil { | ||
| return nil, 0, fmt.Errorf("invalid $binary subType string: %s", val.v.(string)) | ||
| } | ||
|
|
||
| subType = byte(i) | ||
| b := []byte{0, 0, 0, 0, 0, 0, 0, 0} | ||
| binary.LittleEndian.PutUint64(b, i) | ||
| subType = b[0] |
Contributor
There was a problem hiding this comment.
We can use ParseUint to limit the range of the parsed subtype value by using bitSize=8. I also recommend adding the parse error to returned error.
E.g.
i, err := strconv.ParseUint(val.v.(string), 16, 8)
if err != nil {
return nil, 0, fmt.Errorf("invalid $binary subType string %q: %w", val.v.(string), err)
}
subType = byte(i)
qingyang-hu
force-pushed
the
godriver3240
branch
from
4626635 to
27f5ac7
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
qingyang-hu
force-pushed
the
godriver3240
branch
2 times, most recently
from
c34137f to
dfd8a33
Compare
qingyang-hu
force-pushed
the
godriver3240
branch
from
dfd8a33 to
0fb85cf
Compare
qingyang-hu
changed the title
blink1073
added
review-priority-urgent
matthewdale
requested changes
Jun 26, 2024
Comment on lines
+104
to
+106
| b := []byte{0, 0, 0, 0, 0, 0, 0, 0} | ||
| binary.LittleEndian.PutUint64(b, i) | ||
| subType = b[0] |
Contributor
There was a problem hiding this comment.
Since we already apply the bounds check in the ParseUint call, it should be safe to assume that i is in the range [0, 255]. In that case, we can keep the existing uint64 -> byte conversion.
Suggested change
| b := []byte{0, 0, 0, 0, 0, 0, 0, 0} | |
| binary.LittleEndian.PutUint64(b, i) | |
| subType = b[0] | |
| subType = byte(i) |
Comment on lines
+1181
to
+1190
| dataSize := len(keyData) | ||
| certSize := len(certData) | ||
| if math.MaxInt-dataSize < certSize { | ||
| return "", errors.New("size overflow") | ||
| } | ||
| dataSize += certSize | ||
| if math.MaxInt-dataSize < 1 { | ||
| return "", errors.New("size overflow") | ||
| } | ||
| dataSize++ |
Contributor
There was a problem hiding this comment.
We can simplify the logic here by adding some additional data size validation. AFAIK there's no case where an X.509 key and cert should be anywhere near 64MiB, so we can avoid the integer overflow and check for reasonable data size at the same time.
Suggested change
| dataSize := len(keyData) | |
| certSize := len(certData) | |
| if math.MaxInt-dataSize < certSize { | |
| return "", errors.New("size overflow") | |
| } | |
| dataSize += certSize | |
| if math.MaxInt-dataSize < 1 { | |
| return "", errors.New("size overflow") | |
| } | |
| dataSize++ | |
| keySize := len(keyData) | |
| if keySize > 64*1024*1024 { | |
| return "", errors.New("X.509 key must be less than 64 MiB") | |
| } | |
| certSize := len(certData) | |
| if certSize > 64*1024*1024 { | |
| return "", errors.New("X.509 certificate must be less than 64 MiB") | |
| } | |
| data := make([]byte, 0, keySize+certSize+1) |
| case reflect.Uint: | ||
| if i64 < 0 || int64(uint(i64)) != i64 { // Can we fit this inside of an uint | ||
| if i64 < 0 { | ||
| return emptyValue, fmt.Errorf("%d overflows uint", i64) |
Contributor
There was a problem hiding this comment.
Use a more accurate error message.
Suggested change
| return emptyValue, fmt.Errorf("%d overflows uint", i64) | |
| return emptyValue, fmt.Errorf("%d underflows uint", i64) |
Contributor
Author
There was a problem hiding this comment.
It seems better to keep the error message consistent with other unsigned types.
Contributor
There was a problem hiding this comment.
Sounds reasonable. We can fix them all at the same time. Consider this comment resolved.
qingyang-hu
commented
Jun 27, 2024
| return "", errors.New("X.509 certificate must be less than 64 MiB") | ||
| } | ||
| dataSize := keySize + certSize + 1 | ||
| if dataSize > math.MaxInt { |
Contributor
Author
There was a problem hiding this comment.
An additional fail-safe check.
Member
|
The |
This was referenced Mar 4, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GODRIVER-3240
Summary
Background & Motivation