fxamacker / cbor

CBOR codec (RFC 8949) with CBOR tags, Go struct tags (toarray, keyasint, omitempty), float64/32/16, big.Int, and fuzz tested billions of execs.
MIT License

Bug: decoding CBOR byte string into `time.Time` is allowed if decoding option `DefaultByteStringType` is set to `reflect.TypeOf("")` #501

Closed fxamacker closed 8 months ago

fxamacker commented 9 months ago

DefaultByteStringType is a new decoding option that was recently added in v2.6.0.

Setting decoding option DefaultByteStringType to reflect.TypeOf("") causes an unintended side effect of allowing a CBOR byte string to be decoded into time.Time. Although decoding a CBOR byte string into time.Time is a requested feature, it should not be allowed by a side effect.

Specifically, parse() decodes a CBOR byte string into a Go string if decoding option DefaultByteStringType is set to reflect.TypeOf("").

parseToTime() converts the decoded Go value from parse() to time.Time, so a CBOR byte string is decoded to a Go string, which is then converted to time.Time.

This side effect is from implementation details and is not intended. DefaultByteStringType should be limited to its documented use.

    // DefaultByteStringType is the Go type that should be produced when decoding a CBOR byte
    // string into an empty interface value. Types to which a []byte is convertible are valid
    // for this option, except for array and pointer-to-array types. If nil, the default is
    // []byte.

Thanks @benluddy for initial discussion about this at #497. :+1:
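The two-stage path the issue describes (parse() applies the default byte-string type, parseToTime() then converts whatever came out) can be reproduced without the library. The following is an added example, not fxamacker/cbor's own code: `Options`, `head`, `encodeString`, and the `parseToTimeBuggy` / `parseToTimeFixed` pair are simplified stand-ins written for this illustration, and the fix shown (checking the CBOR major type before any default-type substitution) is one way to close the side effect, not necessarily what #503 did. The sample CBOR items are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"time"
)

// CBOR major types for the two string kinds (RFC 8949 section 3.1).
const (
	majorByteString = 2
	majorTextString = 3
)

// Options models the one decoding option this example cares about (hypothetical
// stand-in). As in the quoted doc comment, nil means byte strings become []byte.
type Options struct {
	DefaultByteStringType reflect.Type
}

// head splits a definite-length CBOR string into major type and payload. Only
// additional-info < 24 and 24 (one-byte length) are supported here.
func head(data []byte) (major int, payload []byte, err error) {
	if len(data) == 0 {
		return 0, nil, errors.New("empty input")
	}
	major = int(data[0] >> 5)
	ai := int(data[0] & 0x1f)
	n, hdr := ai, 1
	switch {
	case ai == 24:
		if len(data) < 2 {
			return 0, nil, errors.New("truncated length")
		}
		n, hdr = int(data[1]), 2
	case ai > 24:
		return 0, nil, errors.New("unsupported length encoding")
	}
	if major != majorByteString && major != majorTextString {
		return 0, nil, fmt.Errorf("unsupported major type %d", major)
	}
	if len(data) < hdr+n {
		return 0, nil, errors.New("truncated payload")
	}
	return major, data[hdr : hdr+n], nil
}

// parse models the first stage: a text string becomes a Go string; a byte
// string becomes []byte unless DefaultByteStringType says otherwise. With the
// option set to reflect.TypeOf(""), a byte string comes out as a Go string.
func parse(opts Options, data []byte) (interface{}, error) {
	major, payload, err := head(data)
	if err != nil {
		return nil, err
	}
	switch {
	case major == majorTextString:
		return string(payload), nil
	case opts.DefaultByteStringType == nil:
		return payload, nil
	default:
		return reflect.ValueOf(payload).Convert(opts.DefaultByteStringType).Interface(), nil
	}
}

// parseToTimeBuggy models the unintended path: it only inspects the Go value
// parse() produced, so a byte string that was defaulted to string is accepted
// as an RFC 3339 timestamp just like a real text string.
func parseToTimeBuggy(opts Options, data []byte) (time.Time, error) {
	v, err := parse(opts, data)
	if err != nil {
		return time.Time{}, err
	}
	s, ok := v.(string)
	if !ok {
		return time.Time{}, fmt.Errorf("cannot decode %T into time.Time", v)
	}
	return time.Parse(time.RFC3339, s)
}

// parseToTimeFixed checks the CBOR major type before any default-type
// substitution can apply, so the option no longer widens what time.Time accepts.
func parseToTimeFixed(opts Options, data []byte) (time.Time, error) {
	major, _, err := head(data)
	if err != nil {
		return time.Time{}, err
	}
	if major != majorTextString {
		return time.Time{}, fmt.Errorf("cannot decode CBOR major type %d into time.Time", major)
	}
	return parseToTimeBuggy(opts, data)
}

// encodeString builds a definite-length CBOR string (constructed demo input).
func encodeString(major int, s string) []byte {
	if len(s) < 24 {
		return append([]byte{byte(major<<5 | len(s))}, s...)
	}
	return append([]byte{byte(major<<5 | 24), byte(len(s))}, s...)
}

func main() {
	opts := Options{DefaultByteStringType: reflect.TypeOf("")}
	bs := encodeString(majorByteString, "2024-01-02T03:04:05Z")
	if t, err := parseToTimeBuggy(opts, bs); err == nil {
		fmt.Println("buggy path: byte string decoded into", t)
	}
	if _, err := parseToTimeFixed(opts, bs); err != nil {
		fmt.Println("fixed path:", err)
	}
}
```

The point to take away is that a "default type for empty-interface targets" option is consulted by a shared lower layer, so any typed decode built on top of that layer inherits it unless the typed path validates the wire type itself; the fixed variant does that check before calling parse().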

benluddy commented 9 months ago

@fxamacker If you haven't already started on this one, I'm happy to pick it up. Just let me know!

fxamacker commented 9 months ago

> @fxamacker If you haven't already started on this one, I'm happy to pick it up. Just let me know!

@benluddy Thanks! That would be great! :+1: Now I'm glad I updated the fuzzer on Sunday rather than work on this. :smile:

fxamacker commented 8 months ago

Closed by #503