rrrodzilla / rusty_paseto

A type-driven, ergonomic RUST implementation of the PASETO protocol for secure stateless tokens.
https://crates.io/crates/rusty_paseto
MIT License

Wrong paseto token causes runtime panic #29

Closed: techport-om closed 1 month ago

techport-om commented 7 months ago

Describe the bug: While testing I discovered a case where the library will panic instead of throwing an error, explicitly while attempting a wrong token "v4.local.1234".

The error is

rusty_paseto-0.6.0/src/core/paseto.rs:766:47:
range end index 32 out of range for slice of length 3

To Reproduce: Just try to decrypt "v4.local.1234".

Expected behavior: I was expecting to catch the error the same as other errors.

Additional context: I think this problem could be solved by checking the length of the third part. I am interested in creating a PR for this as a first contribution.
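
The length check suggested in the report above, sketched as an added example that is not part of the issue thread or of rusty_paseto's code: the third token part is decoded and its length validated before any fixed-size slice is taken, so "v4.local.1234" (3 decoded bytes) yields an error rather than an out-of-range panic. The function and error names are hypothetical, and the 32-byte nonce and 32-byte tag sizes are assumed from the PASETO v4.local payload layout.

```rust
// Added example with hypothetical names; this is not rusty_paseto's API.
const NONCE_LEN: usize = 32; // assumed v4.local nonce size
const TAG_LEN: usize = 32; // assumed v4.local authentication tag size

#[derive(Debug, PartialEq)]
pub enum TokenError {
    BadFormat,
    BadEncoding,
    PayloadTooShort { got: usize, need: usize },
}

// Minimal unpadded base64url decoder so the example needs no external crates.
fn b64url_decode(s: &str) -> Result<Vec<u8>, TokenError> {
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return Err(TokenError::BadEncoding),
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Ok(out)
}

/// Splits a v4.local token into (nonce, ciphertext, tag) without panicking.
pub fn split_v4_local(token: &str) -> Result<(Vec<u8>, Vec<u8>, Vec<u8>), TokenError> {
    let body = token.strip_prefix("v4.local.").ok_or(TokenError::BadFormat)?;
    // An optional footer follows a further '.'; only the payload is checked here.
    let raw = b64url_decode(body.split('.').next().unwrap_or(""))?;
    if raw.len() < NONCE_LEN + TAG_LEN {
        return Err(TokenError::PayloadTooShort { got: raw.len(), need: NONCE_LEN + TAG_LEN });
    }
    let (nonce, rest) = raw.split_at(NONCE_LEN); // safe: length validated above
    let (ct, tag) = rest.split_at(rest.len() - TAG_LEN);
    Ok((nonce.to_vec(), ct.to_vec(), tag.to_vec()))
}

fn main() { println!("{:?}", split_v4_local("v4.local.1234")); }
```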

rrrodzilla commented 7 months ago

Hey thanks for finding that and the offer for a PR. Feel free to take a stab at it and reach out with any questions. Much appreciated!

rrrodzilla commented 1 month ago

I was unable to reproduce this. I wrote a test to check for this but it provides an error in the result as expected. If you've got an example I can repro from I'll be happy to look into it again.