Merge pull request #19 from go-webauthn/merge-fixes-from-master

james-d-elliott · web-flow · commit 03df22aa9774 · 2022-03-01T17:25:15.000+11:00
backport: master to v0.1
diff --git a/protocol/authenticator.go b/protocol/authenticator.go
@@ -8,9 +8,10 @@ import (
 	"github.com/go-webauthn/webauthn/protocol/webauthncbor"
 )
 
-var (
+const (
 	minAuthDataLength     = 37
 	minAttestedAuthLength = 55
+	maxCredentialIDLength = 1023
 )
 
 // Authenticators respond to Relying Party requests by returning an object derived from the
@@ -203,6 +204,10 @@ func (a *AuthenticatorData) unmarshalAttestedData(rawAuthData []byte) (err error
 		return ErrBadRequest.WithDetails("Authenticator attestation data length too short")
 	}
 
+	if idLength > maxCredentialIDLength {
+		return ErrBadRequest.WithDetails("Authenticator attestation data credential id length too long")
+	}
+
 	a.AttData.CredentialID = rawAuthData[55 : 55+idLength]
 
 	a.AttData.CredentialPublicKey, err = unmarshalCredentialPublicKey(rawAuthData[55+idLength:])
diff --git a/protocol/credential.go b/protocol/credential.go
@@ -51,8 +51,8 @@ type CredentialCreationResponse struct {
 type ParsedCredentialCreationData struct {
 	ParsedPublicKeyCredential
 	Response   ParsedAttestationResponse
+	Transports []AuthenticatorTransport
 	Raw        CredentialCreationResponse
-	Transports []AuthenticatorTransport `json:"transports,omitempty"`
 }
 
 func ParseCredentialCreationResponse(response *http.Request) (*ParsedCredentialCreationData, error) {

Original file line number	Diff line number	Diff line change
`@@ -8,9 +8,10 @@ import (`
`8`	`8`	`"github.com/go-webauthn/webauthn/protocol/webauthncbor"`
`9`	`9`	`)`
`10`	`10`
`11`		`-var (`
	`11`	`+const (`
`12`	`12`	`minAuthDataLength = 37`
`13`	`13`	`minAttestedAuthLength = 55`
	`14`	`+ maxCredentialIDLength = 1023`
`14`	`15`	`)`
`15`	`16`
`16`	`17`	`// Authenticators respond to Relying Party requests by returning an object derived from the`
`@@ -203,6 +204,10 @@ func (a *AuthenticatorData) unmarshalAttestedData(rawAuthData []byte) (err error`
`203`	`204`	`return ErrBadRequest.WithDetails("Authenticator attestation data length too short")`
`204`	`205`	`}`
`205`	`206`
	`207`	`+ if idLength > maxCredentialIDLength {`
	`208`	`+ return ErrBadRequest.WithDetails("Authenticator attestation data credential id length too long")`
	`209`	`+ }`
	`210`	`+`
`206`	`211`	`a.AttData.CredentialID = rawAuthData[55 : 55+idLength]`
`207`	`212`
`208`	`213`	`a.AttData.CredentialPublicKey, err = unmarshalCredentialPublicKey(rawAuthData[55+idLength:])`
Original file line number	Diff line number	Diff line change
`@@ -51,8 +51,8 @@ type CredentialCreationResponse struct {`
`51`	`51`	`type ParsedCredentialCreationData struct {`
`52`	`52`	`ParsedPublicKeyCredential`
`53`	`53`	`Response ParsedAttestationResponse`
	`54`	`+ Transports []AuthenticatorTransport`
`54`	`55`	`Raw CredentialCreationResponse`
`55`		- Transports []AuthenticatorTransport `json:"transports,omitempty"`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`func ParseCredentialCreationResponse(response http.Request) (ParsedCredentialCreationData, error) {`