Closed littleskunk closed 6 years ago
Guessing a 160-bit hash would take a very long time. Related comment discussing something similar: https://github.com/Storj/service-storage-models/pull/136#discussion_r155152691
If I already have a shard hash I only need to send one unauthorized RETRIEVE request to each farmer and they will send me usefull informations.
Please take a look at the pull request. It will minimize the risk.
Package Versions
Replace the values below using the output from
npm list storj
. Usenpm list -g storj
if installed globally.Replace the values below using the output from
node --version
.Expected Behavior
Please describe the program's expected behavior. Include an example of your usage code in the back ticks below if applicable.
A login on a website has to return the same error message for not existing users and wrong passwords. Different error messages will give an hacker additonal informations. That is a security risk.
Same problem for the storj network. Each farmer has to send the same error message for not existing data_hash / contract and not authorized nodeID. If the farmer is sending different error messages a hacker can create a nodeID - data_hash / contract list. Additional informations are a security risk.
Actual Behavior
Please describe the program's actual behavior. Please include any stack traces or log output in the back ticks below.
RETRIEVE, CONSIGN, MIRROR are sending different error messages. All 3 can be used by an hacker to create a nodeID - data_hash / contract list.
RETRIEVE example:
Steps to Reproduce
Please include the steps the reproduce the issue, numbered below. Include as much detail as possible.