Validate client data json unmarshalling #4

Open
tarrencev opened this issue Aug 29, 2022 · 0 comments
Labels
help wanted Extra attention is needed question Further information is requested

@tarrencev

In order to provide a more efficient on-chain WebAuthn credential verification implementation, we do not implement / leverage a generalized JSON unmarshaller. Instead, the client should provide "hints" that the contract can use to parse the payload. These hints consist of word + byte offsets in the client data JSON payload which the implementation then uses to naively verify the payload.

Given the constraints on the payload's content, I believe this is secure. However, further research + validation is necessary to ensure a nested JSON blob with malicious inputs can't be embedded in the client JSON payload.
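
An added example, not part of the issue or the project's code: an offset-only hint comparison beside a version that also confirms the hinted offset is a key of the outermost object, run on constructed payloads. It assumes compact serialization (no whitespace between tokens) and string-valued fields; all function names and sample values are hypothetical.

```python
import json

def naive_match(data: bytes, offset: int, key: str, value: str) -> bool:
    """Hint check as the issue describes it: compare bytes at the offset only."""
    needle = f'"{key}":"{value}"'.encode()
    return data[offset:offset + len(needle)] == needle

def at_top_level_key(data: bytes, offset: int) -> bool:
    """True if offset is the opening quote of a key in the outermost object."""
    depth, in_str, esc = 0, False, False
    for b in data[:offset]:
        if in_str:
            if esc:
                esc = False
            elif b == 0x5C:        # backslash escapes the next byte
                esc = True
            elif b == 0x22:        # closing quote
                in_str = False
        elif b == 0x22:            # opening quote
            in_str = True
        elif b in b"{[":
            depth += 1
        elif b in b"}]":
            depth -= 1
    return not in_str and depth == 1 and data[offset - 1:offset] in (b"{", b",")

def hardened_match(data: bytes, offset: int, key: str, value: str) -> bool:
    """Offset comparison plus structural checks on where the match sits."""
    end = offset + len(f'"{key}":"{value}"'.encode())
    return (offset > 0 and data[:1] == b"{"
            and naive_match(data, offset, key, value)
            and at_top_level_key(data, offset)
            and data[end:end + 1] in (b",", b"}"))  # value must end the member

def hint(data: bytes, key: str, value: str) -> int:
    """Client-side helper (assumption): offset of the first textual match."""
    return data.find(f'"{key}":"{value}"'.encode())

def compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

CHALLENGE = "Y29uc3RydWN0ZWQ"  # constructed sample value
# Constructed payloads: GOOD carries the expected challenge at top level;
# NESTED carries a different top-level challenge and the expected text
# only inside a nested object.
GOOD = compact({"type": "webauthn.get", "challenge": CHALLENGE,
                "origin": "https://example.test"})
NESTED = compact({"type": "webauthn.get", "challenge": "b3RoZXI",
                  "origin": "https://example.test",
                  "extra": {"challenge": CHALLENGE}})
```

The depth scan is linear in the hinted offset, so it costs less than a full unmarshal while rejecting a match that sits inside a nested object.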
