Issue description:

We're using aeson to decode potentially malicious JSON, and aeson has a known vulnerability that could allow a DoS attack: https://cs-syd.eu/posts/2021-09-11-json-vulnerability. We should look into whether this can be exploited in this library, and fix it if so. Issue to track: https://github.com/haskell/aeson/issues/864

Comments:

I wouldn't worry much about mitigating DoS just within the haskell-fido2 library. The chances are that a server that uses haskell-fido2 relies on aeson too. Fixing aeson would be the best for the Haskell ecosystem.

Sounds reasonable, so let's not act on it, but keep it in mind.

This is fixed in the new aeson release.

There's some compilation performance problem with deriving-aeson (which we're using) when using aeson 2.x, see https://github.com/fumieval/deriving-aeson/issues/16. If this isn't fixed soon we'll have to stop relying on deriving-aeson so we can update aeson.

This is being worked on by @ErinvanderVeen in https://github.com/tweag/webauthn/tree/aeson-2. We will make sure to have compatibility with both aeson 1.x and 2.x.

This has been done with #115; we support both aeson 1.x and 2.x now.

Status: Closed (closed by infinisil 2 years ago)