Cap all computations based on untrusted data #18

Open
6 tasks
GallagherCommaJack opened this issue Sep 9, 2019 · 2 comments
Labels
Discussion Proposed implementations, thoughts about current ones. good first issue Good for newcomers security

Comments

@GallagherCommaJack
Collaborator

GallagherCommaJack commented Sep 9, 2019

for example:

  • limit number of kdf iterations for out of order message delivery
  • limit max message size
  • patch serde_cbor to limit maximum memory allocation

I'm not sure how best to pick these limits, so for now I'm going to leave TODOs in the code that reference this issue.

(probably partial) list of places in the code where this needs to be fixed:

  • read_cbor
  • send_cbor
  • serde_cbor internals?
  • unsent message storage
  • registration loop
  • login loop
@GallagherCommaJack GallagherCommaJack added Discussion Proposed implementations, thoughts about current ones. security good first issue Good for newcomers labels Sep 9, 2019
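
An added example of the first two caps listed in the comment above (maximum message size and KDF iterations for out-of-order delivery); it is not code from this project. The 4-byte length-prefix framing, the counter-based receiving chain, the names `read_frame` and `kdf_steps_allowed`, and both limit values are assumptions made for illustration.

```rust
use std::io::Read;

// Placeholder limits assumed for this example; the issue leaves the real values open.
const MAX_FRAME_LEN: u32 = 64 * 1024;
const MAX_SKIPPED_KEYS: u64 = 1_000;

#[derive(Debug, PartialEq)]
pub enum CapError {
    FrameTooLarge(u32),
    Truncated,
    TooManySkips(u64),
    BehindChain,
}

/// Reads one frame behind a hypothetical 4-byte big-endian length prefix.
/// The declared length is checked before any buffer is sized from it.
pub fn read_frame<R: Read>(r: &mut R) -> Result<Vec<u8>, CapError> {
    let mut len_buf = [0u8; 4];
    r.read_exact(&mut len_buf).map_err(|_| CapError::Truncated)?;
    let len = u32::from_be_bytes(len_buf);
    if len > MAX_FRAME_LEN {
        return Err(CapError::FrameTooLarge(len));
    }
    // `take` bounds the read; the buffer grows only as bytes actually arrive.
    let mut body = Vec::new();
    r.by_ref().take(u64::from(len)).read_to_end(&mut body).map_err(|_| CapError::Truncated)?;
    if body.len() != len as usize {
        return Err(CapError::Truncated);
    }
    Ok(body)
}

/// Number of chain-key KDF steps needed to reach message `msg_no` when the receiving
/// chain is at `next_no`. Jumps above MAX_SKIPPED_KEYS are refused before any KDF runs.
pub fn kdf_steps_allowed(next_no: u64, msg_no: u64) -> Result<u64, CapError> {
    // A counter behind the chain needs a stored skipped key, not new KDF steps.
    let skipped = msg_no.checked_sub(next_no).ok_or(CapError::BehindChain)?;
    if skipped > MAX_SKIPPED_KEYS {
        return Err(CapError::TooManySkips(skipped));
    }
    Ok(skipped + 1) // the skipped keys plus the key for this message
}

fn main() {
    // Constructed input: a header declaring a body of about 4 GiB, followed by no data.
    let mut huge: &[u8] = &[0xff, 0xff, 0xff, 0xff];
    println!("{:?}", read_frame(&mut huge));
    println!("{:?}", kdf_steps_allowed(5, 7));
}
```
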
@GallagherCommaJack
Collaborator Author

tagged as good first issue because I think it's not too hard but will end up giving a pretty thorough tour of the codebase

@mobile-bungalow
Collaborator

mobile-bungalow commented Sep 19, 2019

  • read_cbor
  • send_cbor
  • unsent message storage
