Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

api/metadata input validation: hashes

See original GitHub issue

Description of issue or feature request: Implement input validation for TargetFile and MetaFile hashes attribute.

Current behavior: The new api/metadata code does not perform any input validation on hashes. formats.py has a defined HASHDICT_SCHEMA that is not used in the new code.

Expected behavior: Define allowed values for hashes. Implement the verification in metadata.py

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:8 (7 by maintainers)

github_iconTop GitHub Comments

1reaction
MVrachevcommented, Jun 10, 2021

For algorithms (dict keys) I think we can rely onsecuresystemslib to give us information on which algorithms it supports. Considering we are using it to verify our signatures. Also, there aren’t many possible combinations here.

For hash(dict values) I will prefer if we do some validation during initialization and not pass this responsibility for this check to another function. So, I will prefer one of the first two options, I don’t have a strong opinion about which one.

1reaction
sechkovacommented, Jun 9, 2021

‘Hashes’ is a dictionary of the form:


{
          '<HASH ALGO 1>': '<TARGET FILE HASH 1>',
          '<HASH ALGO 2>': '<TARGET FILE HASH 2>',
          ...
}

Both keys and values could benefit a validation.

  • Valid keys are hash algorithms supported by sslib
  • Valid hash values could be defined by a regex or maybe just a ‘str’ is enough

Another possible option is to allow any values which will raise errors later during meta/target files hash verification step.

What must be strictly disallowed is an empty dictionary which may lead to skipping the mandatory hash verification check.

Read more comments on GitHub >

github_iconTop Results From Across the Web

CWE-20: Improper Input Validation (4.9) - MITRE
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for ...
Read more >
Hashes and ETags: best practices | Cloud Storage
Cloud Storage encourages you to validate the data you transfer to/from your buckets. This page describes best practices for performing validations using either ......
Read more >
URLs and Hashing | Safe Browsing APIs (v4)
The Safe Browsing lists consist of variable length SHA256 hashes (see List Contents) ... Below are tests to help validate a canonicalization implementation....
Read more >
Scene hashing and identification · Issue #6 - GitHub
This means that we are only concerned with the video content, not the audio, subtitles, data or metadata. We may also choose to...
Read more >
The Data Validation Cookbook
Validating data is all about checking whether a data set meets presumptions or expectations you have about it, and the validate package makes...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

ngclient Updater: write tests to handling coverage report

Next page

Metadata API: (maybe) Enforce public key content uniqueness in keys