This is an automated email from the git hooks/post-receive script.
pierov pushed a commit to branch tor-browser-91.10.0esr-11.0-1 in repository tor-browser.
commit 629ac9b84cfd185e52eafc8292f929c111052322 Author: R. Martinho Fernandes bugs@rmf.io AuthorDate: Thu May 12 15:21:31 2022 +0000
Bug 1730434 - Limit length of allowCredentials set. r=dveditz, a=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D145228 --- dom/webauthn/WebAuthnManager.cpp | 8 ++++++++ dom/webauthn/tests/test_webauthn_get_assertion.html | 17 +++++++++++++++++ 2 files changed, 25 insertions(+)
diff --git a/dom/webauthn/WebAuthnManager.cpp b/dom/webauthn/WebAuthnManager.cpp
index d5de8579efba5..3941ba60a73ec 100644
--- a/dom/webauthn/WebAuthnManager.cpp
+++ b/dom/webauthn/WebAuthnManager.cpp
@@ -447,6 +447,8 @@ already_AddRefed<Promise> WebAuthnManager::MakeCredential(
 return promise.forget();
 }
+const size_t MAX_ALLOWED_CREDENTIALS = 20;
+
 already_AddRefed<Promise> WebAuthnManager::GetAssertion(
 const PublicKeyCredentialRequestOptions& aOptions,
 const Optional<OwningNonNull<AbortSignal>>& aSignal) {
@@ -520,6 +522,12 @@ already_AddRefed<Promise> WebAuthnManager::GetAssertion(
 return promise.forget();
 }
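Review bot: `MAX_ALLOWED_CREDENTIALS` is added above `GetAssertion` with no comment saying what the cap protects or where the value 20 comes from, and the commit message gives no rationale either. Because the length of allowCredentials is chosen by the calling page, the reasoning belongs next to the number; something like `// Upper bound on allowCredentials entries accepted from content; GetAssertion rejects longer lists.` would do, extended with the source of the value if there is one. Declaring it `static constexpr size_t` would also state the file-local, compile-time intent. The hunk shows only the tail of MakeCredential, so whether its excludeCredentials list is bounded in the same way cannot be judged here and is worth confirming.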
+ // Abort the request if the allowCredentials set is too large
+ if (aOptions.mAllowCredentials.Length() > MAX_ALLOWED_CREDENTIALS) {
+ promise->MaybeReject(NS_ERROR_DOM_SECURITY_ERR);
+ return promise.forget();
+ }
+
 // Use assertionChallenge, callerOrigin and rpId, along with the token binding
 // key associated with callerOrigin (if any), to create a ClientData structure
 // representing this request. Choose a hash algorithm for hashAlg and compute
diff --git a/dom/webauthn/tests/test_webauthn_get_assertion.html b/dom/webauthn/tests/test_webauthn_get_assertion.html
index 012ff95202134..ec5b7e6084c66 100644
--- a/dom/webauthn/tests/test_webauthn_get_assertion.html
+++ b/dom/webauthn/tests/test_webauthn_get_assertion.html
@@ -54,6 +54,10 @@
 ok(aResult.toString().startsWith("TypeError"), "Expecting a TypeError, got " + aResult);
 }
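Review bot: The new length check rejects with `NS_ERROR_DOM_SECURITY_ERR` and nothing else, so a relying party that sends more than 20 descriptors sees a bare SecurityError it cannot distinguish from the other rejections in GetAssertion (those sit above the hunk and are not visible here). The comment restates the condition rather than the reason; I would write `// allowCredentials comes from content, so bound its length before doing any work on it (limit: MAX_ALLOWED_CREDENTIALS).` If the surrounding code already reports other rejections to the web console, doing the same here would make the limit diagnosable for site authors. The function body starts and ends outside the hunk, so whether any earlier code already iterates the list before this check cannot be confirmed from here.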
+ function expectSecurityError(aResult) {
+ ok(aResult.toString().startsWith("SecurityError"), "Expecting a SecurityError, got " + aResult);
+ }
+
 function expectAbortError(aResult) {
 is(aResult.code, DOMException.ABORT_ERR, "Expecting an AbortError");
 }
@@ -172,6 +176,19 @@
 .catch(expectInvalidStateError);
 });
+ // Test with too many credentials
+ add_task(async () => {
+ let tooManyCredentials = Array(21).fill(validCred);
+ let publicKey = {
+ challenge: gAssertionChallenge,
+ allowCredentials: tooManyCredentials,
+ };
+
+ await requestGetAssertion({publicKey})
+ .then(arrivingHereIsBad)
+ .catch(expectSecurityError);
+ });
+
 // Test with an unexpected option and an invalid credential
 add_task(async () => {
 let publicKey = {
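Review bot: The added task only exercises 21 entries, so nothing pins the boundary: a list of exactly 20 should still be accepted, and a change of `>` to `>=` in WebAuthnManager.cpp would pass this test unnoticed. A companion task built from `let atLimit = Array(20).fill(validCred);` that asserts the rejection is not a SecurityError would cover it; which outcome that request otherwise produces in this harness is not visible in the hunk. The literal 21 also silently depends on `MAX_ALLOWED_CREDENTIALS = 20`, so a short comment such as `// One more than MAX_ALLOWED_CREDENTIALS in WebAuthnManager.cpp` would keep the two in step.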