Merge pull request from GHSA-ch3c-v47x-4pgp

Reject cleartext messages with extraneous data preceeding hash header
openpgpjs · Aug 29, 2023 · 6b43e02 · 6b43e02
2 parents 4df86e5 + 11b5999
commit 6b43e02
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/src/cleartext.js b/src/cleartext.js
@@ -174,7 +174,7 @@ function verifyHeaders(headers, packetlist) {
   let oneHeader = null;
   let hashAlgos = [];
   headers.forEach(function(header) {
-    oneHeader = header.match(/Hash: (.+)/); // get header value
+    oneHeader = header.match(/^Hash: (.+)$/); // get header value
     if (oneHeader) {
       oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
       oneHeader = oneHeader.split(',');

diff --git a/test/general/signature.js b/test/general/signature.js
@@ -999,6 +999,32 @@ eSvSZutLuKKbidSYMLhWROPlwKc2GU2ws6PrLZAyCAel/lU=
     expect(await sigInfo.verified).to.be.true;
   });
 
+  it('Reject cleartext message with arbitrary text added around hash headers (spoofed cleartext message)', async function() {
+    await expect(openpgp.readCleartextMessage({ cleartextMessage: `-----BEGIN PGP SIGNED MESSAGE-----
+This is not signed but you might think it is Hash: SHA512
+
+This is signed
+-----BEGIN PGP SIGNATURE-----
+
+wnUEARYKACcFgmTsqxgJkEhlqJkkhIfRFiEEUA/OS4xZ3EwNC5l8SGWomSSE
+h9EAALyPAQDDR0IYwq/5XMVSYPWojBamM4NhcP5arA656ALIq9cJYAEAlw0H
+Fk7EflUZzngwY4lBzYAfnNBjEjc30xD/ddo+rwE=
+=O7mt
+-----END PGP SIGNATURE-----` })).to.be.rejectedWith(/Only "Hash" header allowed/);
+
+    await expect(openpgp.readCleartextMessage({ cleartextMessage: `-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512\vThis is not signed but you might think it is 
+
+This is signed
+-----BEGIN PGP SIGNATURE-----
+
+wnUEARYKACcFgmTsqxgJkEhlqJkkhIfRFiEEUA/OS4xZ3EwNC5l8SGWomSSE
+h9EAALyPAQDDR0IYwq/5XMVSYPWojBamM4NhcP5arA656ALIq9cJYAEAlw0H
+Fk7EflUZzngwY4lBzYAfnNBjEjc30xD/ddo+rwE=
+=O7mt
+-----END PGP SIGNATURE-----` })).to.be.rejectedWith(/Unknown hash algorithm in armor header/);
+  });
+
   it('Supports non-human-readable notations', async function() {
     const { packets: [signature] } = await openpgp.readSignature({ armoredSignature: signature_with_non_human_readable_notations });
     // There are no human-readable notations so `notations` property does not