erlef / rebar3_hex

Rebar3 Hex library
Apache License 2.0

rebar3 hex crashes with local passwords over 32 characters in length. #256

Closed dequbed closed 3 years ago

dequbed commented 3 years ago

Specifically, the functions encrypt_write_key and decrypt_write_key call pad (here and here), but pad uses a non-exhaustive case over the length of the input string.

This crashes all tasks that call either of these functions:

$ rebar3 hex user auth
[… output truncated]
Generating all keys...
===> Uncaught error in rebar_core. Run with DIAGNOSTIC=1 to see stacktrace or consult rebar3.crashdump
===> When submitting a bug report, please include the output of `rebar3 report "your command"`

A simple workaround is of course to use only local passwords up to 32 characters in size (passwords for hex.pm are not affected by this problem), but the nondescript error and stacktrace make this limitation not obvious.

The stacktrace from the crash, mainly so that other people hitting this problem have an easier time finding the workaround:

Error: {case_clause,33}
[{rebar3_hex_user,pad,1,
                  [{file,"./_build/default/plugins/rebar3_hex/src/rebar3_hex_user.erl"},
                   {line,196}]},
 {rebar3_hex_user,encrypt_write_key,3,
                  [{file,"./_build/default/plugins/rebar3_hex/src/rebar3_hex_user.erl"},
                   {line,248}]},
 {rebar3_hex_user,generate_all_keys,5,
                  [{file,"./_build/default/plugins/rebar3_hex/src/rebar3_hex_user.erl"},
                   {line,217}]},
 {rebar_core,do,2,
             [{file,"/tmp/rebar3-4716517424079074236/rebar3/src/rebar3-3.16.1/src/rebar_core.erl"},
              {line,155}]},
 {rebar_prv_do,do_task,5,
               [{file,"/tmp/rebar3-4716517424079074236/rebar3/src/rebar3-3.16.1/src/rebar_prv_do.erl"},
                {line,87}]},
 {rebar_core,do,2,
             [{file,"/tmp/rebar3-4716517424079074236/rebar3/src/rebar3-3.16.1/src/rebar_core.erl"},
              {line,155}]},
 {rebar3,run_aux,2,
         [{file,"/tmp/rebar3-4716517424079074236/rebar3/src/rebar3-3.16.1/src/rebar3.erl"},
          {line,182}]},
 {rebar3,main,1,
         [{file,"/tmp/rebar3-4716517424079074236/rebar3/src/rebar3-3.16.1/src/rebar3.erl"},
          {line,66}]}]

starbelly commented 3 years ago

Yes, this is a known issue covered in #190. We could do a quick fix for it.

starbelly commented 3 years ago

@dequbed v6.11.7 has been cut and is on hex now. Thanks for opening this issue 👍
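
The failure mode reported in this issue, as an added Erlang example that is not rebar3_hex's own code and not necessarily the fix shipped in v6.11.7. The module name, function names and the 16/24/32-byte target sizes are assumptions; `pad_partial/1` is a hypothetical reconstruction of a non-exhaustive `case`, and `pad_total/1` is one way to handle every input length with an explicit error instead of a crash.

```erlang
-module(pad_demo).
-export([pad_partial/1, pad_total/1, demo/0]).

%% Hypothetical reconstruction of the bug: the case covers lengths up to
%% 32 bytes only, so a 33-byte input raises {case_clause,33}.
pad_partial(Bin) ->
    case byte_size(Bin) of
        Size when Size =< 16 -> <<Bin/binary, 0:((16 - Size) * 8)>>;
        Size when Size =< 24 -> <<Bin/binary, 0:((24 - Size) * 8)>>;
        Size when Size =< 32 -> <<Bin/binary, 0:((32 - Size) * 8)>>
    end.

%% Smallest assumed target size that fits the input, or a tagged error.
target_size(Size) when Size =< 16 -> {ok, 16};
target_size(Size) when Size =< 24 -> {ok, 24};
target_size(Size) when Size =< 32 -> {ok, 32};
target_size(Size) -> {error, {password_too_long, Size, 32}}.

%% Total variant: every binary yields {ok, Padded} or {error, Reason},
%% so the caller can print a readable message instead of crashing.
pad_total(Bin) when is_binary(Bin) ->
    Size = byte_size(Bin),
    case target_size(Size) of
        {ok, Target} ->
            {ok, <<Bin/binary, 0:((Target - Size) * 8)>>};
        {error, _} = Error ->
            Error
    end.

%% Runs both variants on constructed sample passwords; each match below
%% fails with badmatch if the behaviour differs from what is described.
demo() ->
    Short = binary:copy(<<"a">>, 20),   % constructed sample, 20 bytes
    Edge  = binary:copy(<<"a">>, 32),   % constructed sample, 32 bytes
    Long  = binary:copy(<<"a">>, 33),   % constructed sample, 33 bytes
    24 = byte_size(pad_partial(Short)),
    Edge = pad_partial(Edge),
    {'EXIT', {{case_clause, 33}, _Stack}} = (catch pad_partial(Long)),
    {ok, Padded} = pad_total(Short),
    24 = byte_size(Padded),
    {ok, Edge} = pad_total(Edge),
    {error, {password_too_long, 33, 32}} = pad_total(Long),
    ok.
```

Compile with `erlc pad_demo.erl` and call `pad_demo:demo().` from an `erl` shell.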