Security tests over "fuzzed" inputs? #4
Comments
|
As of right now the program just tries to decode it with the given schema and if it doesn't "fit", it'll most likely just crash because it will try to read past the buffer. This was by design because I wanted my program to crash if I was sending invalid messages that didn't match the schema I wanted to find out instantly so I could fix it. However, if the buffer is longer than what the schema expects or the user supplies matching byte count types (like uint instead of int), the resulting object could have invalid data in it. I was toying with the idea of having a "validation" flag that you could optionally set to compile in checks to validate/test everything to isolate all these kinds of potential issues, but haven't quite figured out how I'd like to do it or if there was going to be any demand for that feature/this library. Let me know if you have any ideas/preferences! |
|
Added support for validation of encoded objects. |
It's very important to make security tests over "fuzzed" inputs. What happens if the serialized input is corrupted?
I think it's probable that a big proportion of the performance gains over other serialization libraries is related to lack of security checks.
The text was updated successfully, but these errors were encountered: