mesg-foundation / engine

Build apps or autonomous workflows with reusable, shareable integrations connecting any service, app, blockchain or decentralized network.
https://mesg.com/
Apache License 2.0
130 stars 13 forks

Forbid to have len(alias) == len(id) to avoid service hijacking #607

Closed krhubert closed 5 years ago

NicolasMahe commented 5 years ago

@krhubert can you provide more details and explanation, please?

krhubert commented 5 years ago

Suppose there is a service with ID = a and someone created another service with ALIAS = a. Then as long as the service with ID = a exists it will receive the traffic, but when it is shut down, ALIAS = a will receive all traffic, which probably wasn't intentional.

By forbidding len(alias) == len(id) we avoid this security leak and probably many others that might cause trouble due to having an id the same as an alias.

krhubert commented 5 years ago

Also, 63 char is the maximum length of "labels"; see https://tools.ietf.org/html/rfc1035#section-2.3.4.
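The collision described in the two comments above, as an added example that is not code from the mesg-foundation repository: a hypothetical `Registry` resolves a name by ID first and by alias second, and `validateAlias` applies the proposed length rule together with the 63-character label limit. The ID length of 40 and all type and function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const (
	idLen       = 40 // assumed placeholder: length of a generated service ID
	maxAliasLen = 63 // label limit from RFC 1035 section 2.3.4
)

// Registry is a hypothetical store mapping IDs and aliases to service owners.
type Registry struct {
	byID    map[string]string
	byAlias map[string]string
}

// validateAlias rejects an alias that is empty, too long, or as long as an ID.
func validateAlias(alias string) error {
	if len(alias) == 0 || len(alias) > maxAliasLen || len(alias) == idLen {
		return errors.New("invalid alias length")
	}
	return nil
}

// Resolve returns the owner receiving traffic for name: ID match first, then alias.
func (r *Registry) Resolve(name string) string {
	if o, ok := r.byID[name]; ok {
		return o
	}
	return r.byAlias[name]
}

// hijackAfterShutdown registers an alias equal to a live ID, stops the original, resolves.
func hijackAfterShutdown(checked bool) string {
	id := strings.Repeat("a", idLen) // constructed sample ID
	r := &Registry{byID: map[string]string{id: "original"}, byAlias: map[string]string{}}
	if !checked || validateAlias(id) == nil {
		r.byAlias[id] = "other"
	}
	delete(r.byID, id) // the original service is shut down
	return r.Resolve(id)
}

func main() {
	fmt.Printf("no check: %q, with check: %q\n", hijackAfterShutdown(false), hijackAfterShutdown(true))
}
```

Without the check, the name silently resolves to the second service once the first is gone; with it, the colliding alias is never registered and the lookup returns nothing.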

NicolasMahe commented 5 years ago

@krhubert This is done by https://github.com/mesg-foundation/core/pull/583, right?

krhubert commented 5 years ago

Yes