tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0

Compatibility with aeson 2.x #22

Closed infinisil closed 2 years ago

infinisil commented 2 years ago

We're using aeson to decode potentially malicious JSON, which has a known vulnerability that could allow a DoS attack: https://cs-syd.eu/posts/2021-09-11-json-vulnerability. We should look whether this can be exploited in this library, and fix it if so. Issue to track: https://github.com/haskell/aeson/issues/864

lykahb commented 2 years ago

I wouldn't worry much about mitigating DoS just within the haskell-fido2 library. The chances are that a server that uses haskell-fido2 relies on aeson too. Fixing aeson would be the best for the Haskell ecosystem.

infinisil commented 2 years ago

Sounds reasonable, so let's not act on it, but keep it in mind.

arianvp commented 2 years ago

This is fixed in the new aeson release.

infinisil commented 2 years ago

There's some compilation performance problem with deriving-aeson (which we're using) when using aeson 2.x, see https://github.com/fumieval/deriving-aeson/issues/16. If this isn't fixed soon we'll have to not rely on deriving-aeson so we can update aeson.

infinisil commented 2 years ago

This is being worked on by @ErinvanderVeen in https://github.com/tweag/webauthn/tree/aeson-2. We will make sure to have compatibility with both aeson 1.x and 2.x.

infinisil commented 2 years ago

This has been done with #115; we support both Aeson 1.x and 2.x now.
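A compatibility shim of the kind the last two comments describe, added here as an example and not the project's own code from #115: it compiles against both aeson 1.x (objects are `HashMap Text Value`, the representation affected by the hash-collision issue) and aeson 2.x (objects are `KeyMap Value` keyed by `Key`). The module name `AesonCompat` and the helpers `keyFromText`, `keyToText`, `lookupKey` and `objectToList` are hypothetical; it assumes aeson is a declared dependency so that Cabal defines the `MIN_VERSION_aeson` macro.

```haskell
{-# LANGUAGE CPP #-}
-- Hypothetical compatibility module (example, not the project code).
-- Client code imports only these names, so moving the package to an
-- aeson >= 2.0 build (the fixed release) needs no other source changes.
module AesonCompat
  ( Object
  , Key
  , keyFromText
  , keyToText
  , lookupKey
  , objectToList
  ) where

import Data.Aeson (Object, Value)
import Data.Text (Text)

#if MIN_VERSION_aeson(2,0,0)
-- aeson 2.x: objects are a KeyMap with an opaque Key type.
import qualified Data.Aeson.Key as Key
import qualified Data.Aeson.KeyMap as KeyMap

type Key = Key.Key

keyFromText :: Text -> Key
keyFromText = Key.fromText

keyToText :: Key -> Text
keyToText = Key.toText

lookupKey :: Key -> Object -> Maybe Value
lookupKey = KeyMap.lookup

objectToList :: Object -> [(Key, Value)]
objectToList = KeyMap.toList
#else
-- aeson 1.x: objects are HashMap Text Value, so keys are plain Text.
import qualified Data.HashMap.Strict as HashMap

type Key = Text

keyFromText :: Text -> Key
keyFromText = id

keyToText :: Key -> Text
keyToText = id

lookupKey :: Key -> Object -> Maybe Value
lookupKey = HashMap.lookup

objectToList :: Object -> [(Key, Value)]
objectToList = HashMap.toList
#endif
```

A cabal `build-depends: aeson >= 1.5 && < 2.3` bound (an assumed range) lets the same source build in either setting while a downstream resolver can still pick the patched 2.x line.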