Fixes passkeys validation errors #2916
a2kolbasov wants to merge 2 commits into keepassxreboot:develop from
Conversation
1. `length` - the length in elements, `byteLength` - the length in bytes. Also `length` does not exist in `ArrayBuffer`.
   - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
   - https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges
2. `rp.id` in PublicKeyCredentialCreationOptions, but `rpId` in PublicKeyCredentialRequestOptions
   - https://www.w3.org/TR/webauthn-2/#idl-index
- Prevent tracking and non-domain requests
- Checking response status code
- https://www.w3.org/TR/webauthn-3/#sctn-validating-relation-origin
Validation of Related Origins is made in the KeePassXC side.
| } | ||
| if (pkOptions.challenge.length < 16) { | ||
| if (!Number.isSafeInteger(pkOptions.challenge?.byteLength) || pkOptions.challenge.byteLength < 16) { |
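Review bot: the new condition on this line is what makes the size check meaningful for both shapes a challenge can arrive in: `ArrayBuffer` and every typed array expose `byteLength`, whereas the removed `.length` was `undefined` on an `ArrayBuffer` (so `undefined < 16` never rejected a short buffer) and counted elements rather than bytes on wider typed arrays such as `BigUint64Array`. The `Number.isSafeInteger` guard additionally rejects a string or missing challenge; since that extra guard is exactly what the thread below questions, a one-line comment stating that intent next to the condition would spare the next reader the same question.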
`pkOptions.challenge.byteLength` would be enough here.
I want to make sure challenge exists and is the correct type. That it's not a base64 string or something like that. So that there's no more `undefined < 16` check.
Does your silence mean that I should refuse this additional check anyway?
My silence means I haven't answered you yet. `if (pkOptions.challenge.byteLength < 16)` is enough here.
I'm not checking ROR. I'm checking the data for a GET request the same way you check the
| let hostname; | ||
| try { | ||
| hostname = new URL(`https://${rpId}`).hostname; | ||
| } catch { } |
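Review bot: the empty `catch { }` on the last line of this hunk leaves `hostname` undefined and lets execution continue, so every later use of `hostname` has to tolerate `undefined`; logging the bad `rpId` and returning early inside the catch (the shape proposed further down in the thread) keeps the failure visible and removes that burden from the code that follows.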
Should return already in here?
So there should be code duplication?
```js
// Reject an rpId that does not parse as a bare hostname, and one that does not parse at all.
try {
    if (new URL(`https://${rpId}`).hostname !== rpId) {
        logError(`getRelatedOrigins error: "${rpId}" is wrong rpId`);
        return [];
    }
} catch {
    logError(`getRelatedOrigins error: "${rpId}" is wrong rpId`);
    return [];
}
```
Of course we want to handle the exception.
1. `length` - the length in elements, `byteLength` - the length in bytes. Also `length` does not exist in `ArrayBuffer`. For `ArrayBuffer` the validation is `undefined < 16`, but `BigUint64Array` requires 128 bytes to pass validation.
   - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
   - https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges
2. `rp.id` in PublicKeyCredentialCreationOptions, but `rpId` in PublicKeyCredentialRequestOptions
   - https://www.w3.org/TR/webauthn-2/#idl-index
3. strict ROR validation
   - https://www.w3.org/TR/webauthn-3/#sctn-validating-relation-origin
Fixes #2915
Screenshots or videos
Testing strategy
Type of change
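To make the `length` versus `byteLength` difference and the strict rpId check concrete, here is an added example (not keepassxc-browser's own code) that runs the pre-PR element-count check and the PR's `byteLength` check over constructed challenge values, and applies the rpId round-trip check from the review thread; the function names and the sample inputs are chosen here, not taken from the extension.

```javascript
// Added example (not keepassxc-browser's own code): reproduces the two
// checks discussed in this PR on constructed inputs.
const MIN_CHALLENGE_BYTES = 16; // WebAuthn: a challenge carries at least 16 random bytes

// Pre-PR check: `length` counts elements, and ArrayBuffer has no `length` at all.
function oldChallengeRejected(challenge) {
  return challenge.length < MIN_CHALLENGE_BYTES;
}

// PR check: every BufferSource (ArrayBuffer or ArrayBufferView) exposes byteLength;
// a string, plain object or missing challenge fails Number.isSafeInteger and is
// rejected instead of slipping past an `undefined < 16` comparison.
function newChallengeRejected(challenge) {
  return !Number.isSafeInteger(challenge?.byteLength)
    || challenge.byteLength < MIN_CHALLENGE_BYTES;
}

// Strict rpId check from the review thread: the value must survive URL parsing
// as a bare hostname, otherwise (or if parsing throws) it is rejected.
function isValidRpId(rpId) {
  try {
    return new URL(`https://${rpId}`).hostname === rpId;
  } catch {
    return false;
  }
}

// Constructed challenges covering the cases the PR description lists.
function compareChallengeChecks() {
  const cases = {
    arrayBuffer8: new ArrayBuffer(8),          // too short; old check never notices
    arrayBuffer32: new ArrayBuffer(32),
    uint8x32: new Uint8Array(32),
    bigUint64x4: new BigUint64Array(4),        // 32 bytes, but only 4 elements
    base64String: 'AAAAAAAAAAAAAAAAAAAAAA==',  // wrong type, must be rejected
    missing: undefined,
  };
  const report = {};
  for (const [name, challenge] of Object.entries(cases)) {
    let oldRejects;
    try { oldRejects = oldChallengeRejected(challenge); } catch { oldRejects = 'throws'; }
    report[name] = { oldRejects, newRejects: newChallengeRejected(challenge) };
  }
  return report;
}
```

Running `compareChallengeChecks()` shows the old check silently accepting an 8-byte `ArrayBuffer` and a base64 string while wrongly rejecting a 32-byte `BigUint64Array`, all of which the `byteLength` check gets right.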