amark / gun

An open source cybersecurity protocol for syncing decentralized graph data.
https://gun.eco/docs

Nodejs: gun.user().put(data) with escape character causes "Unverified data" #1203

Open kengoldfarb opened 2 years ago

kengoldfarb commented 2 years ago

Observed in: Nodejs v14
Version: gun@0.2020.1235

  1. Authenticate user
  2. Put data that contains a newline or backspace character:
gun
    .user()
    .get('testing')
    .put(
        {
            description: `something something\nother thing`
        },
        ack => console.log(ack.err)
    )

Result in console:

Signature did not match.
Unverified data.

Removing the \n results in data being written.

It's also interesting to note that using the same version of gun in browser, I cannot reproduce this bug.

Adding console.log({u, data, packed}) just before this line: https://github.com/amark/gun/blob/852b77f49a10d3105400e7057908eeca30c4b679/sea.js#L1437

{
  u: undefined,
  data: undefined,
  packed: {
    m: {
      '#': '~4u6CF0hDCxli0LwUH_vidDL7PMEeV0Tsr3DLEuq0FEY.8uGPk-HtTjDC7TkbESqIexGSj0pStPoWv2shy-fXzWQ/testing',
      '.': 'description',
      ':': 'something something\\nother thing',
      '>': 1644010910932
    },
    s: '1Kji8apX04sI+2a5kLcvNiUxPeRY8Dc2HNlDMnYydCKjEN5pQkbnALZqaBrQnK5amb9V7Fa/dxRqZQWHBV4DXQ=='
  }
}

With the \n removed I see:

{
  u: undefined,
  data: 'something somethingother thing',
  packed: {
    m: {
      '#': '~4u6CF0hDCxli0LwUH_vidDL7PMEeV0Tsr3DLEuq0FEY.8uGPk-HtTjDC7TkbESqIexGSj0pStPoWv2shy-fXzWQ/testing',
      '.': 'description',
      ':': 'something somethingother thing',
      '>': 1644011104431
    },
    s: 'nS8jV5k8fk3e6BS7Xz8dHIaBgcBJbhARcVTFfKQTYHo3v08hM6IQR/+/ZXxSwCNbyVNRBgtHFRJTN/cidy3SCQ=='
  }
}

kengoldfarb commented 2 years ago

This is fixed in the latest master branch but broken in the latest npm published version.

amark commented 2 years ago

@kengoldfarb yeah, sorry this was a super embarrassing, terrible mistake. I handled \ASCII but didn't notice this.

It gets worse tho, you're right somebody already fixed this, but that library they switched to is breaking on other data 😭 .

We can't do native because it blocks the thread for 0.25s which compounds on multiple requests.

Are you good at knowing what other utf8/etc. escapes/checks need to be handled? I'm scared to republish unless somebody smarter than me can peek at https://github.com/amark/gun/blob/master/test/common.js#L85-L94 .
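
Added example, not code from this thread or from GUN/SEA: a signature over serialized JSON only verifies if the receiver's parser reproduces exactly the value that was signed, so one unhandled escape surfaces as "Signature did not match". The sketch generalizes from the reported newline to the other escapes `JSON.stringify` emits; `naiveParseString`, `failingSamples`, the sample values and the choice of Ed25519 are assumptions made for illustration.

```javascript
// Added example. naiveParseString, failingSamples and SAMPLES are hypothetical
// names for illustration; none of this is GUN or SEA code.
const crypto = require('crypto');

// Constructed sample values covering the escapes JSON.stringify emits.
const SAMPLES = [
  ['newline', 'something something\nother thing'],
  ['backspace', 'a\bb'],
  ['tab', 'a\tb'],
  ['quote', 'say "hi"'],
  ['backslash', 'C:\\temp'],
  ['nul', 'a\u0000b'],
  ['u2028', 'a\u2028b'],
  ['emoji', '\u{1F62D}'],
  ['lone surrogate', '\ud800'],
];

// Hypothetical hand-written parser for one JSON string literal that only
// understands \" and \\ and leaves every other escape as literal text.
function naiveParseString(json) {
  return json.slice(1, -1).replace(/\\(["\\])/g, '$1');
}

// Sign the native JSON text of each sample, then verify the way a receiver
// would: parse the wire text, re-serialize what was parsed, and check the
// signature over those bytes. Returns the labels whose signature fails.
function failingSamples(parse) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const failed = [];
  for (const [label, value] of SAMPLES) {
    const wire = JSON.stringify(value);
    const sig = crypto.sign(null, Buffer.from(wire), privateKey);
    let ok = false;
    try {
      const reserialized = JSON.stringify(parse(wire));
      ok = crypto.verify(null, Buffer.from(reserialized), publicKey, sig);
    } catch (e) {
      ok = false; // a parser that throws also leaves the data unverified
    }
    if (!ok) failed.push(label);
  }
  return failed;
}

console.log('naive parser fails on:', failingSamples(naiveParseString));
console.log('JSON.parse fails on:', failingSamples(JSON.parse));
```

Running the same sample table against any replacement parser before publishing shows which escapes it still mishandles.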