
Assert when value is not a string #177

Closed
hueniverse opened this issue Jan 19, 2016 · 5 comments
Comments

@ChALkeR ChALkeR commented Jan 19, 2016

@hueniverse I sent this privately for a reason. Why are you making this public before the fix is released?

@hueniverse hueniverse (Member, Author) commented Jan 19, 2016

Because it is not really an active threat. It is not an issue in hoek. Passing a number to the encode/decode function is an invalid argument.

@ChALkeR ChALkeR commented Jan 19, 2016

@hueniverse That's not how stuff works. Please see all the previous discussions and https://nodesecurity.io/advisories/67.

Any setup that accepts typed input (e.g. JSON, but there are other examples), fails to validate it (exactly as you failed to validate it), and passes it to your function is vulnerable.

@ChALkeR ChALkeR commented Jan 19, 2016

Also, I doubt that your users expect the hoek.base64urlEncode(value) method to silently leak uninitialized memory without any errors on any input, and I doubt that it could be called «not an issue».

@hueniverse hueniverse (Member, Author) commented Jan 19, 2016

hoek is an internal module for hapi use cases. This is not a problem based on how it is used by hapi. That is the extent of my interest here. If you are going to pass wrong values into a method, you will get crap. As a lead maintainer of this organization I made a judgement call and decided that at this level, this is not an exploit that requires notice and publishing a solution. For example, once this is fixed, I am not going to rush publishing a new version of any other hapi module using this.
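
The type check the issue title asks for, as an added example written for this page (not hoek's own code): base64url encode/decode functions that reject anything other than a string or Buffer before any Buffer is allocated, plus a constructed JSON body that takes the unvalidated-input path @ChALkeR describes. The names `base64urlEncode`, `base64urlDecode` and `handleBody` are hypothetical.

```javascript
// Encode a string (or Buffer) as base64url. Anything else is rejected up front
// with a TypeError rather than being handed to a Buffer constructor. The legacy
// `new Buffer(n)` with a numeric n allocated n bytes of uninitialized memory;
// modern `Buffer.from(n)` throws, but the explicit check documents the contract.
function base64urlEncode(value, encoding = 'binary') {
  if (!Buffer.isBuffer(value) && typeof value !== 'string') {
    throw new TypeError('value must be a string or Buffer');
  }
  const buffer = Buffer.isBuffer(value) ? value : Buffer.from(value, encoding);
  return buffer
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Decode base64url back to a string. Only the base64url alphabet is accepted;
// padding is restored before handing the data to the base64 decoder.
function base64urlDecode(value, encoding = 'binary') {
  if (typeof value !== 'string') {
    throw new TypeError('value must be a string');
  }
  if (!/^[A-Za-z0-9_-]*$/.test(value)) {
    throw new TypeError('value is not valid base64url');
  }
  const padded = value + '='.repeat((4 - (value.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
    .toString(encoding);
}

// Simulated request handler over a constructed JSON body. JSON lets the caller
// choose the type of "token", so a number is valid JSON but not a valid
// argument here; the TypeError is turned into a rejected request.
function handleBody(json) {
  const body = JSON.parse(json);
  try {
    return { ok: true, value: base64urlEncode(body.token) };
  } catch (err) {
    if (err instanceof TypeError) {
      return { ok: false, error: err.message };
    }
    throw err;
  }
}

module.exports = { base64urlEncode, base64urlDecode, handleBody };
```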

nlf added a commit that referenced this issue Apr 25, 2016
Fix for issue #177
@nlf nlf modified the milestone: 4.0.0 Apr 25, 2016
@nlf nlf closed this Apr 25, 2016