Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update README for error handling of CBOR extraneous data #426

Merged
merged 2 commits into from
Sep 2, 2023
Merged

Update README for error handling of CBOR extraneous data #426

merged 2 commits into from
Sep 2, 2023

Conversation

fxamacker
Copy link
Owner

@fxamacker fxamacker commented Sep 2, 2023
edited
Loading

Changes:

  • CBOR Security: mention encoding/gob is not designed to be hardened against adversarial inputs

  • Quick Start: mention CBOR settings allow trade-offs between speed, security, encoding size, etc.

  • Quick Start: mention new funcs in v2.5.0 can return remaining bytes after decoding first CBOR data item:

    func UnmarshalFirst(data []byte, v interface{}) (rest []byte, err error)
    func DiagnoseFirst(data []byte) (string, []byte, error)
  • Status: more explicitly mention changes should be reviewed before upgrading from v2.4 (or older) to v2.5.0 due to error handling bug fixes for extraneous data in Unmarshal, etc.

I try to avoid changing default behavior of CBOR codec, but PR #380 for Unmarshal was a bug fix rather than new opt-in setting for reasons mentioned in that PR.

How to handle extraneous data as non-error in v2.5.0

Use UnmarshalFirst or Decoder.Decode to handle extraneous data in CBOR as non-error.

@fxamacker
Update README.md for CBOR extraneous data
5599246 
Update CBOR Quick Start to mention CBOR settings can be used for trade-offs between speed, security, encoding size, etc.

Update "Quick Start" to mention new functions in v2.5.0 that return remaining bytes (extraneous data):
- UnmarshalFirst()
- DiagnoseFirst()

Update "Status" to more explicitly mention changes should be reviewed before upgrading from v2.4 (or older) to v2.5.0 due to error handling bug fixes related to extraneous data, etc.
@fxamacker fxamacker added the docs label Sep 2, 2023
@fxamacker fxamacker self-assigned this Sep 2, 2023
@fxamacker
Copy link
Owner Author

@x448 Please take a look (not urgent). Thanks!

x448
x448 approved these changes Sep 2, 2023
View reviewed changes
Copy link
Contributor

@x448 x448 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Unrelated improvement in CBOR Security: copy some of the hidden text from Highlights to make it visible under CBOR Security.

Decoder has configurable limits that defend against malicious inputs. Duplicate map key detection is supported. By contrast, encoding/gob is not designed to be hardened against adversarial inputs.

Try shortening and adding "..." to the click-to-expand summary text and see if you like it better.

@fxamacker
Update CBOR Security in README
53ee4c3 
CBOR decoder has configurable limits and option to detect duplicate map keys while encoding/gob is not designed to be hardened against adversarial inputs.
@fxamacker fxamacker requested a review from x448 September 2, 2023 19:00
@fxamacker fxamacker merged commit 17fd221 into master Sep 2, 2023
13 checks passed
@fxamacker fxamacker deleted the fxamacker/update-readme-for-cbor-extraneous-data branch December 28, 2023 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@x448 x448 x448 approved these changes

Assignees

@fxamacker fxamacker

Labels
docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fxamacker @x448