Closed
Bug 1424743
Opened 8 years ago
Closed 8 years ago
scopeCompare doesn't compare scopes correctly
Categories
(Taskcluster :: Services, enhancement)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
Details
[flagged as security-sensitive since it's not clear this wouldn't be exploitable]
Scopes
- ab
- abc*
- abc
- abc%d
should sort in that order. However
> scopeCompare('abc*', 'abc%d');
1 # !!
> scopeCompare('abc*', 'abc');
-1
> scopeCompare('abc', 'abc%d');
-1
So the comparison doesn't even honor the transitive property.
And indeed, depending on the sort algorithm used (Rust's is different and uses fewer comparisons, I guess) this can produce incorrect results.
BTW I didn't modify this function (or even look at it) when refactoring auth.
|
Assignee | |
Comment 1•8 years ago
|
||
testSortScopes({
scopes: [
'abc',
'abc%d',
'abc*',
'abc*d',
'ab',
'abcd',
],
expected: [
'ab',
'abc*',
'abc',
'abc%d',
'abc*d',
'abcd',
],
});
fails
AssertionError [ERR_ASSERTION]: [ 'ab', 'abc*', 'abc', 'abc%d', 'abc*d', 'abcd' ] deepEqual [ 'ab', 'abc', 'abc%d', 'abc*', 'abc*d', 'abcd' ]
+ expected - actual
[
"ab"
- "abc*"
"abc"
"abc%d"
+ "abc*"
"abc*d"
"abcd"
]
|
|
Assignee | |
Comment 2•8 years ago
|
||
The issue seems to be limited to cases of <prefix>* vs <prefix><C><suffix> with ord(C) < ord('*').
|
|
Assignee | |
Comment 3•8 years ago
|
||
On reflection, I think the only attack this would allow is "deactivating" someone's * scope, making it just a regular scope that matches only a literal *. So not a huge security risk.
|
|
Assignee | |
Comment 4•8 years ago
|
||
https://github.com/taskcluster/taskcluster-lib-scopes/pull/19
Note the order for things with stars in them, e.g.
''
'*'
'**'
'***'
'****'
is asymmetrical:
'*'
''
'**'
'***'
'****'
I think that satisfies the trie construction requirements, right?
|
|
Assignee | |
Updated•8 years ago
|
Summary: scopeCopmare doesn't compare scopes correctly → scopeCompare doesn't compare scopes correctly
|
|
Assignee | |
Comment 5•8 years ago
|
||
BTW, that's equivalent to
'*'
''
'X*'
'XX*'
'XXX*'
since those nonterminal *'s aren't kleen stars.
|
|
Assignee | |
Comment 6•8 years ago
|
||
Released as 1.6.5, and auth update to use it.
Group: taskcluster-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
||
Updated•7 years ago
|
Component: Authentication → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•