search

letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0
5.22k stars 608 forks source link

Model.go : type mismatch between db and model #7287

Open orangepizza opened 10 months ago

orangepizza commented 10 months ago

I found multiple signed vs unsigned type mismatch (uint vs int) inside db keys and between db and model:

for example, but not limited to from table schema in test/db defines tinyint columns as signed and id is unsigned (as that's default), 

CREATE TABLE `authz2` (
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `identifierType` tinyint(4) NOT NULL,
  `identifierValue` varchar(255) NOT NULL,
  `registrationID` bigint(20) NOT NULL,
  `status` tinyint(4) NOT NULL,
  `expires` datetime NOT NULL,
  `challenges` tinyint(4) NOT NULL,
  `attempted` tinyint(4) DEFAULT NULL,
  `attemptedAt` datetime DEFAULT NULL,
  `token` binary(32) NOT NULL,

but authzModel in model.go have using int64 for signed and tinyint columns are using uint8

type authzModel struct {
    ID               int64      `db:"id"`
    IdentifierType   uint8      `db:"identifierType"`
    IdentifierValue  string     `db:"identifierValue"`
    RegistrationID   int64      `db:"registrationID"`
    Status           uint8      `db:"status"`
    Expires          time.Time  `db:"expires"`
    Challenges       uint8      `db:"challenges"`
    Attempted        *uint8     `db:"attempted"`
    AttemptedAt      *time.Time `db:"attemptedAt"`
    Token            []byte     `db:"token"`
    ValidationError  []byte     `db:"validationError"`
    ValidationRecord []byte     `db:"validationRecord"`
}
  1. while in db authz and order id is unsigned at its own table, but in most other tables that have orderID using signed bigint at that. while it's unlikely to those uid to overflow.

While I don't think those fields will overflow anytime soon, (like most near one would be authz having 128 states or >128 challenge types), I think I'd better to notify this.

pgporada commented 10 months ago

Thank you very much for the sharp eye.

orangepizza commented 10 months ago

Challenges field was actually bitmap, so it'll blow up at 8th challenge type actually. this currently have 3 types and 2 more if we start adding other types : onion-csr and dns-account-01 (think http-01 and tls-alpn for IP types are same enough)