transmute-industries / verifiable-data

Open Source Decentralized Identifiers and Verifiable Credentials Infrastructure and Tooling
https://transmute-industries.github.io/verifiable-data/smoke-test-react/
Apache License 2.0

Check if JWS Proof is an empty string before attempting to process it #212

Closed lleifermann closed 1 year ago

lleifermann commented 1 year ago

Code in question: https://github.com/transmute-industries/verifiable-data/blob/main/packages/jose-ld/src/JWS/createVerifier.ts#L3-L20

If the verify function in createVerifier is passed an empty string it passes the initial guard of

    if (!signature.split) {
      signature = signature.toString();
    }

as an empty signature string "" still possesses the split function. This is then passed to the JSON.parse function which explodes as a result.

    const decoded = JSON.parse(
      Buffer.from(encodedHeader, 'base64').toString()
    );

I know passing an empty signature does not make sense in the first place, but we noticed this during e2e testing in our product and I believe this library should have a guard for it and throw an appropriate error like it does in other cases as well. Like:

    throw new Error('JWS is empty');

If you don't mind, I can pick this up in a PR. Just lemme know if that's OK.

lleifermann commented 1 year ago

Another note: A more appropriate string check in TS would be if (typeof signature !== 'string') {...} I believe. Not sure if there's a reason behind the check on signature.split
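
The guards discussed in this issue, written out as an added example that is not part of the thread or the project's own code. It goes beyond the empty-string case by also checking the segment count and the header shape before and after `JSON.parse`. The names `parseJwsHeader`, `sampleDetachedJws` and `guardMessage`, and every error message except 'JWS is empty', are assumptions; Node.js `Buffer` is assumed to be available.

```typescript
// Added example (not project code): hypothetical guards run before a JWS header is decoded.
type JwsHeader = { alg: string; [k: string]: unknown };
const B64URL = /^[A-Za-z0-9_-]+$/;

function parseJwsHeader(jws: unknown): JwsHeader {
  // Check the type directly instead of probing for a .split method.
  if (typeof jws !== 'string') {
    throw new TypeError('JWS must be a string');
  }
  if (jws.length === 0) {
    throw new Error('JWS is empty');
  }
  const parts = jws.split('.');
  if (parts.length !== 3) {
    throw new Error('JWS must have three dot-separated parts');
  }
  const [encodedHeader, encodedPayload, encodedSignature] = parts;
  // The payload may be empty (detached JWS); header and signature may not.
  if (!B64URL.test(encodedHeader) || !B64URL.test(encodedSignature)) {
    throw new Error('JWS header or signature is not base64url');
  }
  if (encodedPayload !== '' && !B64URL.test(encodedPayload)) {
    throw new Error('JWS payload is not base64url');
  }
  let decoded: unknown;
  try {
    decoded = JSON.parse(Buffer.from(encodedHeader, 'base64').toString());
  } catch {
    throw new Error('JWS header is not valid JSON');
  }
  if (typeof decoded !== 'object' || decoded === null || Array.isArray(decoded)
      || typeof (decoded as JwsHeader).alg !== 'string') {
    throw new Error('JWS header must be an object with a string "alg"');
  }
  return decoded as JwsHeader;
}

// Constructed sample: detached JWS whose last segment is a dummy value, not a real signature.
function sampleDetachedJws(): string {
  const header = Buffer.from(JSON.stringify({ alg: 'EdDSA', b64: false, crit: ['b64'] }))
    .toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${header}..c2lnbmF0dXJl`;
}

// Returns the guard's error message for an input, or null when the header parses.
function guardMessage(input: unknown): string | null {
  try { parseJwsHeader(input); return null; } catch (e) { return (e as Error).message; }
}
```

These checks only reject malformed input early with a descriptive error; signature verification itself still has to follow.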